Question

I have a number of files and database tables, including artist, album and tracks.

On the webpage user can choose an artist, an album and then songs or albums to buy.

The desired functionality is: when the user selects to buy the album, all the tracks are added to the shopping cart.

Here is a PHP code chunk with a link for buying an album:

<?php
    session_start();
    $albumID=$_POST["albumID"];
    // $albumID is echoed back unescaped, straight from the POST body
    echo "<p>Going to buy album $albumID</p>";
    echo "<p><a href=\"shopForTracks.php\">Click here to continue</a></p>";
?>

I have got also other files with DB queries etc. in them.

There is one to get the artist by letter, another one to get albums by artist. Then there are shopping, show basket, show purchases, add to basket and checkout files.

Any help with the problem is greatly appreciated.

Additional code from getTracksByAlbum.php

<?php
include ("dbConnect.php");
$albumID=$_GET["id"];
// the album id is taken from the query string and concatenated into the SQL as-is
$dbQuery="select id,title from tracks where albumID='$albumID' order by trackNumber asc";
$dbResult=mysql_query($dbQuery);
echo $albumID."\n";
echo mysql_num_rows($dbResult)."\n";
while ($dbRow=mysql_fetch_array($dbResult)) {
  echo $dbRow["id"]."_".$dbRow["title"]."\n";
}
?>

Additional code from showBasket.php

<?php
 session_start();
 include ("dbConnect.php");
 $numTracks=0; // so the link bar below still renders when nobody is logged in
 if (isset($_SESSION["currentUserID"])) {
   $dbQuery="select * from basket where paid='N' and userID=".$_SESSION["currentUserID"];
   $dbResult=mysql_query($dbQuery);
   $numTracks=mysql_num_rows($dbResult);
 }
?>
    <a href="login.php">Logout <?php echo $_SESSION["currentUser"]; ?></a> |
    <a href="shopForTracks.php">Shop for tracks</a> |
    <a href="showBasket.php">Show Basket</a> <?php echo "($numTracks)"; ?> |
    <a href="checkout.php">Checkout</a> |
    <a href="showMyPurchases.php">Show my purchases</a>

 <hr>

<?php
 $dbQuery="select tracks.title, albums.title, artists.name, basket.id ".
     "from basket,tracks,albums,artists ".
     "where basket.userID=".$_SESSION["currentUserID"]." ".
     "and basket.paid='N' ".
     "and basket.trackID=tracks.id ".
     "and albums.id=tracks.albumID ".
     "and artists.id=tracks.artistID";
 $dbResult=mysql_query($dbQuery);
 $numTracks=mysql_num_rows($dbResult);

 if ($numTracks==0)
   echo "<h3>Your basket is empty</h3>";
 else {
   // the listing in the question stops here; the else branch continues in the HTML that follows
?>

I'm not sure what other information is needed; I don't fully understand it and there's a lot of it. I was originally using this:

$query = mysql_query("SELECT song_id FROM song WHERE album = '".$_POST['albumID']."'");

// the loop below appends to $_SESSION['basket'], so that is the array to initialise
$_SESSION['basket'] = array();

while($album = mysql_fetch_array($query))
{
    $_SESSION['basket'][] = $album['song_id'];
}

to try and work it out - but I'm really lost :(


Solution

Based on your last piece of code, you need to do something similar to the following piece of code in shopForTracks.php

// We get the album to add via the `albumID` GET parameter
$query = mysql_query("SELECT song_id FROM song WHERE album = '".mysql_real_escape_string($_GET['albumID'])."'");

// We add a line to the cart per track of the album. We construct the query by pieces
$insert = "INSERT INTO basket (userID, paid, trackID) VALUES ";
$template = "(" . mysql_real_escape_string($_SESSION['currentUserID']) . ", 'N', %d)";

// Add a value line for each track in the array `$tracks`
$tracks = array();
while($track = mysql_fetch_array($query))
    $tracks[] = sprintf($template, $track['song_id']);

// Add the lines to the insert query
// "INSERT INTO ... VALUES (ID, 'N', 1), (ID, 'N', 3)"
// Skipped for an album with no tracks: "VALUES " followed by nothing is a SQL syntax error
if (count($tracks) > 0) {
    $insert .= implode(", ", $tracks);
    mysql_query($insert);
}

Note that :

  • You must properly escape the data sent from the user. Never Trust User Input (e.g. $_POST, $_GET, ...). Your existing code is vulnerable to SQL injection.
  • You use the deprecated mysql_* functions. Switch to mysqli or PDO. See this and that and that.
  • The piece of code above is NOT secure as-is. Using a simple HTTP GET request to add stuff to your cart can lead to security vulnerabilities, like XSS.
  • Sorry, but by the look of your code, you don't seem ready to code a real-life (meaning real-money) shopping site by yourself (yet, anyway). You've still got a lot to learn about security, which is essential to web transactions. For your own sake, don't let people trust you with their money if you're not absolutely confident in the security of your code. But hey, I'm just saying. If you're coding this stuff as an exercise, well, there's an occasion to familiarize yourself with those concepts :)
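Following the answer's advice (bind user input instead of concatenating it, use PDO rather than mysql_*, and don't add to the cart on a bare GET), here is an added example of shopForTracks.php, written for this page and not the asker's or answerer's code. It assumes PHP 7+, that dbConnect.php defines a PDO connection `$pdo`, that the page listing albums submits a POST form carrying a `csrf` field equal to a token it stored in `$_SESSION['csrf']`, and the `tracks` and `basket` columns shown in the question; all of these are assumptions.

```php
<?php
// Added example: add every track of an album to the basket with PDO prepared
// statements. Assumes dbConnect.php provides $pdo (PDO), login.php stored the
// user id in $_SESSION['currentUserID'], and the album form sent a csrf token
// that was stored in $_SESSION['csrf'] when the form was rendered (assumptions).
session_start();
include 'dbConnect.php';

// Act only on a POST that carries the token we issued, so a link or form on
// another site cannot add items to a logged-in user's cart.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf'], $_SESSION['csrf']) || !is_string($_POST['csrf'])
    || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(400);
    exit('Bad request');
}
if (!isset($_SESSION['currentUserID'])) {
    header('Location: login.php');
    exit;
}
// filter_var returns false for anything that is not an integer, so a crafted
// albumID never reaches the SQL as text.
$albumID = filter_var($_POST['albumID'] ?? '', FILTER_VALIDATE_INT);
if ($albumID === false) {
    http_response_code(400);
    exit('Invalid album');
}

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->beginTransaction();
try {
    // The album id is bound to a placeholder, never concatenated into the query.
    $select = $pdo->prepare('SELECT id FROM tracks WHERE albumID = ? ORDER BY trackNumber ASC');
    $select->execute([$albumID]);
    $trackIDs = $select->fetchAll(PDO::FETCH_COLUMN);

    // One prepared INSERT executed per track; an album with no tracks inserts nothing.
    $insert = $pdo->prepare("INSERT INTO basket (userID, paid, trackID) VALUES (?, 'N', ?)");
    foreach ($trackIDs as $trackID) {
        $insert->execute([$_SESSION['currentUserID'], $trackID]);
    }
    $pdo->commit();
} catch (PDOException $e) {
    $pdo->rollBack(); // leave the basket as it was rather than half an album
    http_response_code(500);
    exit('Could not add album');
}
echo '<p>Added ' . count($trackIDs) . ' tracks to your basket. <a href="showBasket.php">Show basket</a></p>';
```

The token check and the integer validation are the two pieces missing from the snippets in the question; everything else is the same SELECT-then-INSERT the answer describes, with bound parameters in place of string building.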
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow