
I have a PHP file that includes two functions, one to connect to the database and one to set cookies for the cart. Here is that file:

<?php
$dbServer = "localhost";
$dbName = "test";

function ConnectToDb($server, $database) {
    $s = @mysql_connect($server);
    $d = @mysql_select_db($database, $s);
    if (!$s || !$d)
        return false;
    else
        return true;
}

function GetCartId() {
    if (isset($_COOKIE["cartId"])) {
        return $_COOKIE["cartId"];
    }
    else {
        session_start();
        setcookie("cartId", session_id(), time() + ((3600 * 24) * 30));
        return session_id();
    }
}
?>

The function for connecting to the database works well in another PHP file for this particular program. I am having a problem with it in this file:

<?php
include("db.php");

switch ($_GET["action"]) {
    case "add_item":
        AddItem($_GET["id"], $_GET["qty"]);
        ShowCart();
        break;
    case "update_item":
        UpdateItem($_GET["id"], $_GET["qty"]);
        ShowCart();
        break;
    case "remove_item":
        RemoveItem($_GET["id"]);
        ShowCart();
        break;
    default:
        ShowCart();
}

function AddItem($itemId, $qty) {
    // Checks whether this item already exists in the cart table.
    // If it does, UpdateItem is called instead.
    $cxn = @ConnectToDb($dbServer, $dbName);

    // Check if this item already exists in the user's cart table
    $result = mysql_query("select count(*) from cs368_cart where cookieID = '" . GetCartID() . "' and itemId = $itemId");
    $row = mysql_fetch_row($result);
    $numRows = $row[0];

    if ($numRows == 0) {
        // This item doesn't exist in the user's cart,
        // so add it with an insert query
        @mysql_query("insert into cs368_cart(cookieID, itemId, qty) values('" . GetCartID() . "', $itemId, $qty)");
    }
    else {
        // This item already exists in the user's cart,
        // so update it instead
        UpdateItem($itemId, $qty);
    }
}

function UpdateItem($itemId, $qty) {
    // Updates the quantity of an item in the user's cart.
    // If the quantity is zero, RemoveItem is called instead.
    $cxn = @ConnectToDb($dbServer, $dbName);

    if ($qty == 0) {
        // Remove the item from the user's cart
        RemoveItem($itemId);
    }
    else {
        mysql_query("update cs368_cart set qty = $qty where cookieID = '" . GetCartID() . "' and itemId = $itemId");
    }
}

function RemoveItem($itemId) {
    // Uses an SQL delete statement to remove an item from the user's cart
    $cxn = @ConnectToDb($dbServer, $dbName);
    mysql_query("delete from cs368_cart where cookieID = '" . GetCartID() . "' and itemId = $itemId");
}

function ShowCart() {
    // Gets each item from the cart table and displays them in
    // a tabulated format, as well as a final total for the cart
    $cxn = @ConnectToDb($dbServer, $dbName);
    // The join needs the table aliases (cart, items) that the ON and WHERE clauses refer to
    $result = mysql_query("select * from cs368_cart cart inner join cs368_products items on cart.itemId = items.itemId where cart.cookieID = '" . GetCartID() . "' order by items.itemName asc")
        or die("Query to get test in function ShowCart failed with error: " . mysql_error());
    // (remainder of ShowCart omitted)
}
?>

What can I do to remedy this problem? Thanks!

5 Comments

  • remove the @ signs, it suppresses errors, that way it will tell you what's going wrong. Commented May 11, 2012 at 18:29
  • Avoid jurassic mysql_*, use PDO. Commented May 11, 2012 at 18:29
  • Do you have any idea why you use the @ symbol in PHP?! It suppresses error messages! A good starting point to diagnosing your problem would be to remove these! Commented May 11, 2012 at 18:30
  • What exactly is the problem? You're probably not getting an error message because of the suppression. Remove all the @ in your code, then post the error message you get. Commented May 11, 2012 at 18:30
  • You're wide open to SQL injection attacks. Commented May 11, 2012 at 18:32

1 Answer


First: lose the @, and put some proper error handling in there (those functions return false when something goes wrong, and you can use mysql_error and mysql_errno to log it).

Second: mysql_real_escape_string and intval on those $_GET parameters before someone sneaks in some extra code through the URL.

Third: you're accessing $dbServer and $dbName as variables local to the function UpdateItem, rather than global to the script. You should only connect to the database once (in the original db.php file), and let the query functions take care of the rest (since there's only one connection, they all default to that one anyway).


2 Comments

Well, how would I go about connecting once, and how do the query files access the db? With a mysql_select_db()?
Every file that uses the database calls require_once('db.php') instead of include. db.php should begin with mysql_connect and mysql_select_db in the main script, not within another connect function. This way, as soon as the script starts, it has a database connection to use.
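The three fixes from the answer and the follow-up comment, written out as an added example (not the asker's code or the answerer's): connect once at the top of the script and pass the handle in, reject non-integer id/qty values before they reach SQL, and let database errors surface and get logged instead of being @-suppressed. It uses PDO with prepared statements rather than mysql_* (the mysql extension was removed in PHP 7), an in-memory SQLite table standing in for cs368_cart (assumes the pdo_sqlite extension), and a constructed cart id in place of GetCartId().

```php
<?php
// Added example, not the code from the question or answer.
declare(strict_types=1);

// Fix 3: one connection, made once in the main script and handed to the functions,
// instead of each function reading $dbServer/$dbName as undefined locals.
$pdo = new PDO('sqlite::memory:');                         // assumption: pdo_sqlite available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fix 1: errors throw, nothing is hidden
$pdo->exec('CREATE TABLE cs368_cart (cookieID TEXT, itemId INTEGER, qty INTEGER)'); // constructed table

// Fix 2: validate URL parameters. Only digit strings pass, then intval() makes them integers;
// the cart id is bound as a query parameter, which does the job of mysql_real_escape_string.
function cleanInt(array $params, string $key): int {
    if (!isset($params[$key]) || !ctype_digit((string)$params[$key])) {
        throw new InvalidArgumentException("$key must be a non-negative integer");
    }
    return intval($params[$key]);
}

function AddItem(PDO $pdo, string $cartId, int $itemId, int $qty): void {
    $st = $pdo->prepare('SELECT COUNT(*) FROM cs368_cart WHERE cookieID = ? AND itemId = ?');
    $st->execute([$cartId, $itemId]);
    if ((int)$st->fetchColumn() === 0) {
        $pdo->prepare('INSERT INTO cs368_cart (cookieID, itemId, qty) VALUES (?, ?, ?)')
            ->execute([$cartId, $itemId, $qty]);
    } else {
        UpdateItem($pdo, $cartId, $itemId, $qty);      // same rule as the original: update if present
    }
}

function UpdateItem(PDO $pdo, string $cartId, int $itemId, int $qty): void {
    // qty 0 removes the row, as the original UpdateItem/RemoveItem pair did
    $sql = $qty === 0
        ? 'DELETE FROM cs368_cart WHERE cookieID = ? AND itemId = ?'
        : 'UPDATE cs368_cart SET qty = ? WHERE cookieID = ? AND itemId = ?';
    $pdo->prepare($sql)->execute($qty === 0 ? [$cartId, $itemId] : [$qty, $cartId, $itemId]);
}

// Constructed request with the same shape the original switch() handles.
$_GET = ['action' => 'add_item', 'id' => '7', 'qty' => '2'];
$cartId = 'demo-cart-id';                                   // stands in for GetCartId()
try {
    AddItem($pdo, $cartId, cleanInt($_GET, 'id'), cleanInt($_GET, 'qty'));
    AddItem($pdo, $cartId, cleanInt($_GET, 'id'), 5);       // second add becomes an update
    print_r($pdo->query('SELECT itemId, qty FROM cs368_cart')->fetchAll(PDO::FETCH_ASSOC));
    cleanInt(['id' => 'not-a-number'], 'id');               // rejected before any SQL is built
} catch (Throwable $e) {
    error_log('cart error: ' . $e->getMessage());           // fix 1: log it rather than @-suppress it
}
```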
