  1. #1 cronsrcs (SitePoint Evangelist, UK, joined Oct 2004)

    Do I need a shopping cart and sessions?

    I am creating a PHP/MySQL app that allows users to book accommodation.

    You can view a demo of the prototype at www.silver-rocket.com/villa/site/index.htm - no need to enter any input, just click the search and then next btns

    It involves a search form where users enter their arrival and departure date and posts to a page that displays all available dates in that date range with a checkbox next to each...

    The user then confirms the dates they select on the next page and then they move to a page where personal details are entered and confirmed on the following screen.

    My question is, am I going to have to create a full blown shopping cart for this? Or will one of the following work:

    a) Use hidden variables to pass the associative array of dates/price as well as hidden vars to pass the customer name, email, phone num to the final checkout page, where the user will be redirected to a 3rd party payment gateway...

    b) Use hidden variables for the name, email and phone and use SESSIONS vars to store an array of dates/prices

    Are there any disadvantages of doing it with hidden vars from a security pov?

    Thanks

  2. #2 Will Kelly (SitePoint Evangelist, London, joined May 2005)
    I think there is little point having a 'shopping cart' if you only have one type of product (or only 1 product) and the customer is very likely only going to purchase one thing at a time. It just adds unnecessary complication.

    Using session vars could potentially allow someone to come back to a page and complete their purchase (à la a shopping cart), but a session will automatically time out after 30 mins; you could also use this method to pass data rather than hidden vars.

    If you wanted to pass info in hidden fields use serialize() and base64_encode() to make it safer and easier. (note this isn't encryption just encoding).

  3. #3 cronsrcs
    Will,

    thanks heaps for the prompt reply

    So do you think that it would be ok to just pass the user's name, email, phone and an associative array of dates selected and price for the date in hidden vars?

    I read somewhere about serialise and then the reverse (forgotten what it's called) in order to pass an associative array as a hidden variable...

    So in your opinion is there any security advantage (or other advantage) of using session vars to pass the values vs hidden vars?

    Yes they are only going to be able to make one booking at a time, but it will contain at least 3 dates... My initial idea was hidden vars - then I thought sessions etc - but perhaps I am just overcomplicating it??

    Did you have a look at the process in my prototype by any chance?

  4. #4 frezno ("does not play well with others", Munich, Germany, joined Jan 2003)
    As Will already mentioned, a shopping cart probably causes more confusion and unnecessary overhead than it's worth.
    Although I would put all customer details into a session variable. That way you can assign all those details to the customer.
    imho sessions make this much easier - and safer.
    We are the Borg. Resistance is futile. Prepare to be assimilated.
    I'm Pentium of Borg.Division is futile.Prepare to be approximated.

  5. #5 cronsrcs
    Thanks for that Frezno.

    I assume that I don't need to put the selected dates/price into a session var as it is not really sensitive data?

    Any insight into the process of passing an associative array as a hidden var with serialize etc?

    thanks again

  6. #6 frezno
    Well, it's not a matter of whether only sensitive data should be put into sessions.

    imho it's much easier to add eg all user data into a session where they usually don't get lost, can't (easily) get manipulated and are easy to maintain.
    That's especially true if the customer browses through many pages,
    eg filling in his data, then goes back to whatever you offer and then looks at the contact form just to come back to checking out.
    To be on the safe side in such a case I'd use sessions - although it's not necessarily necessary.

    But that's my personal 'gusto'.
    If you're feeling more happy with a different solution, just go for it.

  7. #7 cronsrcs
    Frezno,

    yes thanks for that.

    I didn't mention that I am going to have my booking in a new window with no toolbar etc and disabling right click etc... so the user won't easily be navigating off to other pages in the site - but I think that I will take your advice and store the user details in session variables.

    Should I be using a session variable for each of the bits of data - eg name, email, phone - or can I do with one array?

    Sorry I haven't used sessions before, so this will be new to me - hence all of the seemingly obvious qs!

  8. #8 Will Kelly
    If you want to pass variables do it like this:

    PHP Code:
    // for the form: pack the array into one string that fits in a hidden field
    $encoded = base64_encode(serialize($array));

    // to extract at the other end: decode the hidden field's value (not the original $array).
    // allowed_classes => false stops a tampered field from instantiating objects on unserialize().
    $array = unserialize(base64_decode($encoded), ['allowed_classes' => false]);
    If you don't want to use sessions but want to be more secure you could store all data in a db and only pass a hash for the key to their data

    PHP Code:
    $hash=md5(uniqid(rand())); 
    Will create a 32 char string hash not reliant on sessions.
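The hidden-field approach above carries the dates and prices through the client, so the server must be able to tell whether the value it gets back is the one it sent (this is the security disadvantage asked about in the first post). The following is an added example, not code from the thread: it packs the selection as Will describes but adds an HMAC with a server-side secret and uses JSON instead of serialize() so client bytes are never passed to unserialize(). The secret constant and the sample dates are constructed for the example.

```php
<?php
// Added example (not from the thread): the dates/prices array in a hidden
// field, authenticated with an HMAC so the client cannot change the price.
// SECRET is assumed to come from server-side config, never from the page.
const SECRET = 'replace-with-a-long-random-secret-from-config';

// Pack the array for a hidden field. JSON rather than serialize(), so the
// receiving side never runs unserialize() on client-supplied bytes.
function pack_hidden(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data));
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

// Unpack and verify. Returns null if the field is malformed or was changed.
function unpack_hidden(string $field, string $secret): ?array
{
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $data = json_decode($decoded, true);
    return is_array($data) ? $data : null;
}

// Constructed sample: three selected nights and their prices.
$selection = ['2024-07-01' => 120, '2024-07-02' => 120, '2024-07-03' => 150];

// On the first page: print htmlspecialchars($field) into the hidden input's value.
$field = pack_hidden($selection, SECRET);

// On the next page: verify before trusting the prices in the field.
var_dump(unpack_hidden($field, SECRET) === $selection);

// A value built without the server secret (an edited field) fails verification.
$forged = pack_hidden(['2024-07-01' => 1], 'not-the-server-secret');
var_dump(unpack_hidden($forged, SECRET));
```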

  9. #9 cronsrcs
    Will thanks for the reply - I now need to make a decision as to whether to go for user details in session vars and the dates selected encoded and sent as hidden vars as you demonstrated above, or whether to just go for hidden vars all round. The info being passed between pages is only name, email and phone, so the security is not a major issue.

    I suppose that I was more concerned about the user navigating back and forth etc, but seeing that the process is pretty much from a to b - eg select the dates and then continue to check out - I realise that I don't need the cart etc...

    Does this sound like a logical idea?

    Sorry to keep on questioning everyone's replies - but I really want to get this right - I am trying to get into the habit of coding without doing workarounds etc to make code work!! haha

  10. #10 Will Kelly
    You might want to create a progress bar type thing to show how far they are in the booking process, i.e. Select - Details - Checkout. You could allow them to navigate back to these points (though it adds more complication).

    During a process that relies on posts it is harder for the user to go back. However if they do you need to ensure that nothing goes wrong (i.e. resubmitting just creates a new order, uses the existing one or makes them start again).

  11. #11 cronsrcs
    Yes I have a progress image that shows the user which step they are at in the process - but it does not let them navigate back...

    I have back links on the pages where I want to allow the user to go back. I don't insert the order into the db until they have confirmed the dates and their personal details. They are then provided with a btn which sends them off to the 3rd party payment gateway.

    I have also found a method whereby I will store a hidden var on the form that is a 32 character stamp that is unique each time the form loads. This will be stored with the order in the db and each time we try to insert we will make sure that this stamp is not already in the db; if it is, then the user is trying to submit the same form twice and we won't let them - this should be sufficient to stop the user submitting the form more than once.
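The per-form-load stamp just described is a standard idempotency token. One caveat a practitioner would raise: a separate "is the stamp already in the db?" SELECT followed by an INSERT leaves a window where two near-simultaneous submissions both pass the check, so the duplicate test is better left to a UNIQUE constraint. The block below is an added example, not code from the thread; it uses an in-memory SQLite table via PDO so it runs stand-alone, and draws the stamp from random_bytes() rather than md5(uniqid(rand())). Table and column names are constructed for the example.

```php
<?php
// Added example (not from the thread): the 32-character form stamp from the
// last post, with the duplicate check enforced by a UNIQUE constraint so two
// simultaneous submissions cannot both slip through a SELECT-then-INSERT.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    stamp TEXT NOT NULL UNIQUE,
    customer_name TEXT NOT NULL,
    nights TEXT NOT NULL
)');

// Generated when the form is rendered and placed in a hidden field:
// 16 CSPRNG bytes give 32 hex characters.
function new_form_stamp(): string
{
    return bin2hex(random_bytes(16));
}

// Returns the new order id, or null when this stamp was already used
// (the same form submitted a second time) or the stamp is malformed.
function insert_order(PDO $db, string $stamp, string $name, array $nights): ?int
{
    if (!preg_match('/^[0-9a-f]{32}$/', $stamp)) {
        return null;
    }
    $stmt = $db->prepare(
        'INSERT INTO orders (stamp, customer_name, nights) VALUES (?, ?, ?)'
    );
    try {
        $stmt->execute([$stamp, $name, json_encode($nights)]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation, i.e. duplicate stamp.
        if ($e->getCode() === '23000') {
            return null;
        }
        throw $e;
    }
    return (int) $db->lastInsertId();
}

// Constructed walk-through: the form is loaded once, then submitted twice.
$stamp  = new_form_stamp();
$nights = ['2024-07-01', '2024-07-02'];
$first  = insert_order($db, $stamp, 'A. Customer', $nights);
$second = insert_order($db, $stamp, 'A. Customer', $nights);
printf("first: %s, second: %s\n", var_export($first, true), var_export($second, true));
```

The stamp is only an anti-double-submit measure: it tells the server the same form was posted twice, not who posted it, so it does not replace the session or login check that ties the order to a customer.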
