Retrieving data from MySQL and Passing it Between php pages

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!


arilwan
New php-forum User
Posts: 6
Joined: Wed Jun 29, 2011 3:28 am

Retrieving data from MySQL and Passing it Between php pages

Postby arilwan » Wed Jun 29, 2011 3:58 am

Hi All,

I'm new to PHP and I'm writing a shopping cart for used textbooks. I wrote a page books.php that displays all available books in the system. I added a link so that when a buyer clicks on the book title (or book image or view details link), he is taken to another page details.php, that displays book details including price, by passing the bookId this way:

```php
echo "<a href=\"details.php?bookId=" . (int) $bookId . "\">";
```
On the details page I have a button called "Add to Cart" that calls a php function modcart.php which contains an SQL INSERT statement that inserts book details (title, price, etc.) into my cart table.

My problem here is passing the values (book title, book price) from the details.php page on to the modcart.php function (I spent the whole night trying). I'm able to pass the bookId from details.php to the modcart.php function using:

```php
<form method="POST" action="modcart.php?action=add">
<input type="hidden" name="bookId" value="<?php echo (int) $rows['bookId']; ?>">
<input type="submit" name="Submit" value="Add to My Cart">
</form>
```
But I'm having trouble passing the other values. Can anybody out there help sort me out, please? Below are the files: books.php, details.php and modcart.php (function).

Thank you, love you all.


================================
books.php (page)
=================================

```php
<?php
session_start();
include('connect.php');
// list every copy together with its master record (title, price, ...)
$query = "SELECT * FROM bookcopy INNER JOIN bookmaster ON bookcopy.ISBN=bookmaster.ISBN";
$result = mysql_query($query) or die(mysql_error());
?>
<html>
<head>
<title>SHUBooks</title>
</head>
<body>
<div align="center"><b>Thank you for visiting SHUBooks! Please see our list of available books below:
</b><br><br>
<table border="1">
<?php
echo "<tr>";
echo "<td bgcolor=\"red\" width=\"30\">";
echo "<font color=\"white\"><b>";
echo "Back Cover";
echo "</b></font></td>";
echo "<td bgcolor=\"red\" width=\"50\">";
echo "<font color=\"white\"><b>";
echo "Book Title";
echo "</b></font></td>";
echo "<td bgcolor=\"red\" width=\"20\"></td>";
echo "</tr>";

//display books with prices
while($row = mysql_fetch_array($result))
{
// read the columns explicitly rather than extract(), which can overwrite $result or $query
$bookId = (int) $row['bookId'];
$bookTitle = htmlspecialchars($row['bookTitle']); // escape before echoing into HTML
echo "<tr>";
echo "<td><a href=\"details.php?bookId=".$bookId."\"><em>BOOK IMAGE</em></a></td>";
echo "<td>";
echo "<a href=\"details.php?bookId=".$bookId."\">";
echo $bookTitle;
echo "</a></td>";
echo "<td>";
echo "<a href=\"details.php?bookId=".$bookId."\">";
echo "View Details</a>";
echo "</td>";
echo "</tr>";
}

?>
</table>
<?php
echo "<hr size=\"1\" color=\"red\" NOSHADE>";
echo "<form action=\"cart2.php\">";
echo "<input type=\"submit\" value=\"My Shopping Cart &gt;&gt;\">";
echo "</form>";
?>
</div>
</body>
</html>
```

===============================
details.php (page)
===============================

```php
<?php
// always start the session and connect; the original only did so when no session existed
session_start();
include('connect.php');

//get the variable passed through the URL (or the form) and force it to an integer
$bookId = isset($_REQUEST['bookId']) ? (int) $_REQUEST['bookId'] : 0;

//get info about the book we want
$query = "SELECT * FROM bookmaster WHERE bookId=$bookId";
$results = mysql_query($query) or die(mysql_error());
$rows = mysql_fetch_array($results);
if (!$rows) { die('Book not found'); }

//$userId=$rows['userId'];
//$bookPrice=$rows['bookPrice'];
?>
<html>
<head>
<title>Book Details</title>
</head>
<body>
<div align="center" >
<table cellpadding="5" width="80%">
<tr>
<td>BOOK IMAGE</td>
<td><strong><?php echo htmlspecialchars($rows['bookTitle']); ?></strong><br>
<?php echo htmlspecialchars($rows['description']); ?><br>
<br>Book Price: £<?php echo htmlspecialchars($rows['bookPrice']); ?><br>

<form method="POST" action="modcart.php?action=add">
<input type="hidden" name="bookId" value="<?php echo (int) $rows['bookId']; ?>">
<input type="submit" name="Submit" value="Add to My Cart">
</form>
<form method="POST" action="cart.php">
<input type="submit" name="Submit" value="View My Cart">
</form>
</td>
</tr>
</table>
<hr width="450" color="green">
<p><a href="books.php">Go Back</a></p>
</div>
</body>
</html>
```

=============================
modcart.php (function)
=============================

```php
<?php
session_start();
include('connect.php');

// give every variable a default so the INSERT never sees an undefined value
$bookId = 0;
if(isset($_POST['bookId']))
{
$bookId = (int) $_POST['bookId'];
}

$modified_hidden = '';
if(isset($_POST['modified_hidden']))
{
$modified_hidden = mysql_real_escape_string($_POST['modified_hidden']);
}

$userId = 0;
if(isset($_POST['userId']))
{
$userId = (int) $_POST['userId'];
}

$bookPrice = '';
if(isset($_POST['bookPrice']))
{
$bookPrice = mysql_real_escape_string($_POST['bookPrice']);
}

$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
$status = "RESERVED";

// the original string had no closing quote and used $user, which was never set ($userId is)
$query = "INSERT INTO cart(userId, bookPrice, status) VALUES('$userId', '$bookPrice', '$status')";
$message = "<div align='center'> <strong>Item added to shopping cart.</strong></div>";

$results = mysql_query($query) or die(mysql_error());
echo $message;

// the file posted above is named details.php (the original included 'detail.php')
include('details.php');
?>
```
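The question asks how to get the title and price from details.php into modcart.php. From a security standpoint the answer is that the form should not carry them at all: a hidden price field can be edited by the buyer before the form is submitted, so the server has to look the price up itself from the bookId. The modcart.php below is an added example, not code from the original post; it assumes that connect.php defines a PDO handle named $pdo, that login stores the buyer's id in $_SESSION['userId'], and that the cart table has a bookId column in addition to the userId, bookPrice and status columns used in the post (all three are assumptions). The details.php form stays as posted, sending only bookId.

```php
<?php
// modcart.php (added example, not the poster's code).
// Assumptions: connect.php defines a PDO handle $pdo (assumed), login has stored
// $_SESSION['userId'] (assumed), bookmaster(bookId, bookTitle, bookPrice) exists as in
// the post, and cart(userId, bookId, bookPrice, status) is the cart table (bookId assumed).
session_start();
require 'connect.php';

// Only accept the add action from a POST, never from a plain link.
$action = isset($_GET['action']) ? $_GET['action'] : '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $action !== 'add') {
    header('HTTP/1.1 405 Method Not Allowed');
    exit('Invalid request');
}

// The buyer id comes from the session, never from a form field.
if (empty($_SESSION['userId'])) {
    header('Location: login.php'); // login page name is an assumption
    exit;
}
$userId = (int) $_SESSION['userId'];

// bookId is the only value the form needs to send; validate it as a positive integer.
$bookId = filter_input(INPUT_POST, 'bookId', FILTER_VALIDATE_INT,
                       array('options' => array('min_range' => 1)));
if ($bookId === false || $bookId === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid book id');
}

// Look the title and price up on the server with a prepared statement, so neither the
// price nor the id can be tampered with or used to alter the query.
$stmt = $pdo->prepare('SELECT bookTitle, bookPrice FROM bookmaster WHERE bookId = ?');
$stmt->execute(array($bookId));
$book = $stmt->fetch(PDO::FETCH_ASSOC);
if ($book === false) {
    header('HTTP/1.1 404 Not Found');
    exit('Book not found');
}

// Parameterised insert: values are bound, not interpolated into the SQL string.
$insert = $pdo->prepare(
    'INSERT INTO cart (userId, bookId, bookPrice, status) VALUES (?, ?, ?, ?)'
);
$insert->execute(array($userId, $bookId, $book['bookPrice'], 'RESERVED'));

// Escape on output so a title containing markup cannot inject HTML into the page.
echo '<div align="center"><strong>Item added to shopping cart: '
    . htmlspecialchars($book['bookTitle'], ENT_QUOTES, 'UTF-8')
    . '</strong></div>';
```

With this layout the price that ends up in the cart is always the one currently in bookmaster, the userId is whatever the login set in the session, and the only client-supplied value is an integer that has been validated and bound as a parameter. If the cart later needs the title too, it is read from the same $book row on the server rather than posted from the page.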
