PHP Shopping Cart

[Twinkie]

I hit a wall where I cannot figure out what is wrong with the block of code in this page. It is a simple shopping car script that when given the correct URI, it will add an item to the shopping cart.

PHP Code:

session_start();

$query = "SELECT ID FROM Items WHERE ID = " . mysqli_real_escape_string($con,$_GET["id"]);

if ($_GET["do"] === "add" && @mysqli_query($con,$query)) {
    if (isset($_SESSION["cart_id"])) {
        if (array_search($_GET["id"],unserialize($_SESSION["cart_id"])) === false) {
            $_SESSION["cart_id"] = serialize(array_push(unserialize($_SESSION["cart_id"]) , $_GET["id"] ));
            $_SESSION["cart_qty"] = serialize(array_push(unserialize($_SESSION["cart_qty"]),1));
        }
    }
    else {
        $_SESSION["cart_id"] = serialize(array($_GET["id"]));
        $_SESSION["cart_qty"] = serialize(array(1));
    }
} 


The code on lines 8 and 9 are the problem, and its doing something weird to the arrays. Whats wrong with it or is there a better cod snippet I should be using? :dunno:

If you visit the page, for diagnostic purposes, the shopping cart is printed to the screen. Adding ?do=clear to the URL will unset the session data.

[misson]

array_push returns the new array size, not a new array. That's what's replacing the serialized arrays in the session variables with serialized ints.

You don't have to serialize session data. PHP will handle that for you. Also, you should use associative arrays to store cart data. It's much more efficient (array_search is O(n), while associative arrays are O(log(n)) for tree implementations and O(1) for hash implementations).

PHP Code:

session_start();
if (!isset($_SESSION["cart"])) {
    $_SESSION["cart"] = array();
}
// itemExists() should be in the file that handles DB access
function itemExists($id) {
    $query = $con->prepare("SELECT ID FROM Items WHERE ID=?");
    $query->bind_param('i', $itemID);
    return @$query->execute() && $query->num_rows;
}

$itemID=isset($_GET["id"])  ? $_GET["id"]  : -1;
$qty   =isset($_GET["qty"]) ? $_GET["qty"] :  1;

if (itemExists($itemID)) {
    switch ($_GET['do']) {
    case 'add':
        if (isset($_SESSION["cart"][$itemID])) {
            $_SESSION["cart"][$itemID] += $qty;
        } else {
            $_SESSION["cart"][$itemID] = $qty;
        }
        break;
    case 'remove':
        unset($_SESSION["cart"][$itemID]);
        break;
    // other actions ...
    default: // unknown action.
        echo "Error: I don't know what you want me to do. What is '$_GET[do]'?";
        break;
    }
} 


[Twinkie]

My PHP book says specifically to serialize the array? Well not having to makes the scripts that much easier.

Thanks a lot misson!

[misson]

As long as you're using PHP sessions, you don't need to serialize or unserialize data, even if you're using user sessions. You'll only need serialize & unserialize if you storing persistent data outside of PHP sessions.

When does the book say to use serialize/unserialize?

[Twinkie]

Here is the example:

PHP Code:

<?php
session_start();
?>
<html>
<head>
<title>Storing an array with a session</title>
</head>
<body>
<h1>Product Choice Page</h1>
<?php
if (isset($_POST["form_products"])) {
    if (!empty($_SESSION["products"])) {
        $products = array_unique(
        array_merge(unserialize($_SESSION["products"]),
        $_POST["form_products"]));
        $_SESSION["products"] = serialize($products);
    } else {
        $_SESSION["products"] = serialize($_POST["form_products"]);
    }
    echo "<p>Your products have been registered!</p>";
}
?>
<form method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
<P><strong>Select some products:</strong><br>
<select name="form_products[]" multiple="multiple" size="3">
<option value="Sonic Screwdriver">Sonic Screwdriver</option>
<option value="Hal 2000">Hal 2000</option>
<option value="Tardis">Tardis</option>
<option value="ORAC">ORAC</option>
<option value="Transporter bracelet">Transporter bracelet</option>
</select>
<P><input type="submit" value="choose"/></p>
</form>
<p><a href="session1.php">go to content page</a></p>
</body>
</html>

[misson]

Either the book was written for a very old version of PHP or the author doesn't know what zhe's talking about in that example.

[Twinkie]

No, it was written for Sams publishing which has a strictly short format. He probably wanted to cram as many functions in that book as possible

[misson]

So it's just a restricted format leading to poor technical writing? The author shouldn't have written a misleading example, as it will be copied and live on in reader's code (Joshua Bloch mentions this in the context of API design; if the google video link doesn't work, try youtube). Misusing functions is arguably worse than not introducing them, as it provides information that needs to be unlearned, and learning is easier than unlearning. serialize/unserialize are useful for storing PHP data outside of PHP, such as in a database. If the author didn't want to include such a scenario, or couldn't find a way to include it given format restrictions, he could have introduced serialize/unserialize without a usage example, which wouldn't be as useful for the reader but would at least wouldn't have been misleading. At the very least, he could have written a note explaining that the example was merely an illustration and you don't need to serialize or unserialize PHP session data in production code. This is by far the worst option, as someone skimming the book for code samples would miss the caveat.

I'm being rather hard on the author in this one limited case, true. I imagine the rest of the book is better written.

[Twinkie]

Yes, I believe you were right. The book did not include any real description of what the function was used for, and I did assume it was a necessary part of the script. The book however is written very well and managed to introduce me to the concepts of Apache, MySQL and PHP in one 564 page book. THanks for your correction to the book, as well as your example of OOP =)

[misson]

You're very welcome, except I don't know where I gave an OOP example. It's all procedural programming, as far as I can see.