  1. #1
    resting (SitePoint Addict), joined Jul 2009, 220 posts

    Developing a shopping cart

    I'm building a shopping cart. Need some advice here.

    Do I use sessions to store items the buyer has selected?

    Can I start the session only when the buyer adds an item to the cart? After which the session remains on while he continues to shop, until he checks out to pay (via PayPal).

    Do I need to program SSL for the cart?

    How do I implement SSL into my site?

  2. #2
    SitePoint Evangelist (Winnipeg), joined Aug 2005, 498 posts
    Quote Originally Posted by resting:
    Do I use sessions to store items the buyer has selected?
    Store the product IDs in a single cookie, comma-delimited or something.

    Quote Originally Posted by resting:
    Can I start the session only when the buyer adds an item to the cart? After which the session remains on while he continues to shop, until he checks out to pay (via PayPal).
    You can start a session at any time, but it's a recommended practice to do it ASAP.

    Quote Originally Posted by resting:
    Do I need to program SSL for the cart?
    Don't hardcode links to use HTTP and you should be fine.

    Quote Originally Posted by resting:
    How do I implement SSL into my site?
    OpenSSL or other... you just configure it, no special code needed really.
    The only constant in software is change itself

  3. #3
    resting (SitePoint Addict), joined Jul 2009, 220 posts
    Quote:
    Store the product IDs in a single cookie, comma-delimited or something.
    Is a cookie safe? I read that the user can change values before paying.

    Quote:
    Don't hardcode links to use HTTP and you should be fine.
    What do you mean by that?

    Quote:
    OpenSSL or other... you just configure it, no special code needed really.
    Any examples?

  4. #4
    wysiwyg (SitePoint Evangelist, Sweden), joined Mar 2006, 451 posts
    Quote Originally Posted by resting:
    Is a cookie safe? I read that the user can change values before paying.
    Yes, that's true. To store it in a cookie, you should also store a hash of all the product IDs. That way, you can detect whether the cookie has been modified by someone other than you. Something like:

    PHP Code:
    <?php
    $salt = 'someAppSpecificSalt';
    $productIds = array(123);
    // setcookie() takes a string value, so send the joined list, not the array
    $products = implode(',', $productIds);
    $hash = sha1($salt . $products . $salt);

    setcookie('products', $products);
    setcookie('productHash', $hash);

    // And then check it later (on the next request, where the cookies come back)
    $products = isset($_COOKIE['products']) ? $_COOKIE['products'] : '';
    $hash = sha1($salt . $products . $salt);
    if (!isset($_COOKIE['productHash']) || $hash !== $_COOKIE['productHash']) {
        // Someone has changed the cookie, invalidate it
    }
    ?>

    Quote Originally Posted by resting:
    What do you mean by that?
    In your templates, don't do this:
    <a href="http://www.full-link-to-your-website.com/somepage.php">Some page</a>

    Instead, do this:
    <a href="/somepage.php">Some page</a>

    Or, even better:
    <a href="<?php echo url('/somepage.php'); ?>">Some page</a>

    By having a url function, you can decide when you want https and when you don't.
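    Editor's added example (not code from the thread or from wysiwyg): the hash-protected cookie idea above, done with a keyed HMAC and a constant-time comparison. A hand-rolled sha1(salt . data . salt) is not the construction HMAC was designed and analysed for, and PHP's != is a loose comparison (two hex digests that both start with "0e" followed only by digits compare equal as numbers). hash_hmac and hash_equals fix both. The key, the function names and the sample cart are assumptions for illustration; the payload deliberately carries only product IDs and quantities, never prices, so a tampered price is not even representable. Needs PHP 7.1+.

```php
<?php
// Added example, not code from the thread: a tamper-evident cart cookie using
// an HMAC with a secret key instead of sha1(salt . data . salt), plus a
// constant-time comparison. Requires PHP 7.1+ (hash_equals, short list syntax).
declare(strict_types=1);

/**
 * Secret key. Assumption for this example: a 32-byte random value that in a real
 * deployment is generated once and loaded from server-side config, never
 * hard-coded like this and never sent to the browser.
 */
function cartKey(): string {
    return hex2bin('8f3a1c2e9b4d6f70a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718');
}

/** URL-safe base64 without padding, so the value is cookie-friendly. */
function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $enc): ?string {
    $raw = base64_decode(strtr($enc, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

/**
 * Cookie value is "payload.mac". The payload holds only product IDs and
 * quantities; prices are looked up server-side at checkout.
 */
function signCart(array $items, string $key): string {
    $encoded = b64url(json_encode($items));            // e.g. {"123":2,"456":1}
    return $encoded . '.' . hash_hmac('sha256', $encoded, $key);
}

/** Returns the item array, or null when the cookie is missing, malformed or tampered. */
function verifyCart(?string $cookie, string $key): ?array {
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$encoded, $mac] = explode('.', $cookie, 2);
    // hash_equals: constant-time, strict string comparison (no loose != surprises)
    if (!hash_equals(hash_hmac('sha256', $encoded, $key), $mac)) {
        return null;
    }
    $payload = b64urlDecode($encoded);
    $items = $payload === null ? null : json_decode($payload, true);
    if (!is_array($items)) {
        return null;
    }
    // Only accept the shape we produce: positive int product ID => positive int quantity
    foreach ($items as $id => $qty) {
        if (!is_int($id) || $id <= 0 || !is_int($qty) || $qty <= 0) {
            return null;
        }
    }
    return $items;
}

/** Demo on constructed data: a valid cookie, an edited payload, and a damaged MAC. */
function selfTest(): bool {
    $key = cartKey();
    $cookie = signCart([123 => 2, 456 => 1], $key);
    [, $mac] = explode('.', $cookie, 2);

    $edited  = b64url('{"123":2,"456":999}') . '.' . $mac;                   // attacker changes a quantity
    $damaged = substr($cookie, 0, -1) . ($cookie[-1] === 'a' ? 'b' : 'a');   // last MAC hex digit flipped

    return verifyCart($cookie, $key) === [123 => 2, 456 => 1]
        && verifyCart($edited, $key) === null
        && verifyCart($damaged, $key) === null
        && verifyCart(null, $key) === null;
}

// Setting it: keep the cookie out of JavaScript and off plain HTTP (PHP 7.3+ options array).
// setcookie('cart', signCart($items, cartKey()),
//     ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
echo selfTest() ? "cart cookie checks passed\n" : "FAILED\n";
```

    Run it from the command line with php; it prints "cart cookie checks passed". Note what the MAC does and does not give you: it proves the cookie is the one the server issued, nothing more. The server still has to re-check stock and compute the price from its own catalogue at checkout, and the cookie still has to be marked Secure and HttpOnly as in the commented setcookie() call.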

  5. #5
    resting (SitePoint Addict), joined Jul 2009, 220 posts
    I see.

    I've never used SSL before. Is it activated just by placing the file I want to be secured in the https folder?

    E.g.: I want cart.php to be under SSL. I'll just put it in /https/cart.php and access it like href="http://www.domain.com/cart.php"?

  6. #6
    wysiwyg (SitePoint Evangelist, Sweden), joined Mar 2006, 451 posts
    Unfortunately, it's not quite so simple. The easiest thing would be to let someone buy/generate a cert for you and install it (most hosting companies offer this kind of thing). But if you want to do it yourself, I would recommend you look into OpenSSL.

  7. #7
    G.Schuster (<?php while(!sleep()){code();}, Germany), joined Mar 2007, 428 posts
    Uh...bad recommendations here...

    Don't use cookies to store a cart!
    Why? Simple! Deactivate cookies in your browser and try to shop. No way. You see the problem?
    Store the cart contents in a session (server-side) and only store the session ID in a cookie - and implement a fallback to transmit the session ID with each request (GET/POST param) when cookies aren't available.

    Quote:
    You can start a session at any time, but it's a recommended practice to do it ASAP.
    Who told you that?
    At least if you want an SEO-optimized cart, don't start a session until it is needed.
    You don't want search engines to index all pages a thousand times because they may think it's a new page due to a new session ID.
    Most engines can filter that out - but why make it harder than required?

    SSL - you don't "program" that.
    Buy an SSL cert, install it on your web server and you're ready to go.

    No offense - but are you sure you are really prepared to write a shopping cart?
    Dealing with real money is no fun; stick to one of the popular and well-known carts, learn programming from the ground up and then, and only then, start implementing your own.
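    Editor's added example (not code from the thread): the url() helper wysiwyg describes in #4, together with the small part of HTTPS that still lives in the application once the certificate G.Schuster mentions is installed on the web server: emit https links only, redirect plain-HTTP requests to the same path on HTTPS, and don't trust the X-Forwarded-Proto header unless a proxy you control sets it. The host name, the trusted-proxy flag and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: a url() helper that can never emit
// http://, plus the HTTP-to-HTTPS redirect and the proxy-header pitfall.
declare(strict_types=1);

const SHOP_HOST = 'www.example.com';   // assumption: the shop's canonical host, fixed server-side

/** True when this request reached PHP over TLS. */
function isHttps(array $server, bool $behindTrustedProxy = false): bool {
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // X-Forwarded-Proto is just a request header: any client can send it. Trust it
    // only when a TLS-terminating proxy you control is known to overwrite it.
    return $behindTrustedProxy && ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

/**
 * Absolute URL for a site path, e.g. url('/cart.php'). The scheme is fixed to
 * https rather than copied from the request, so a template cannot emit an
 * http:// link by accident, which is what "don't hardcode HTTP" comes down to.
 */
function url(string $path): string {
    if ($path === '' || $path[0] !== '/') {
        throw new InvalidArgumentException('url() expects a site-absolute path such as /cart.php');
    }
    return 'https://' . SHOP_HOST . $path;
}

/**
 * For a plain-HTTP request, the HTTPS URL to redirect to; null when no redirect
 * is needed. Only the path and query are reused, never the Host header, so a
 * forged Host cannot turn this into an open redirect.
 */
function httpsRedirectTarget(array $server, bool $behindTrustedProxy = false): ?string {
    if (isHttps($server, $behindTrustedProxy)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . SHOP_HOST . $uri;
}

// Front-controller usage (commented out: needs a real request):
// if (($to = httpsRedirectTarget($_SERVER)) !== null) {
//     header('Location: ' . $to, true, 301);
//     exit;
// }
// // On HTTPS responses only, once the whole site is known to work over TLS:
// header('Strict-Transport-Security: max-age=31536000');

/** Demo on constructed request arrays. */
function selfTest(): bool {
    $plain  = ['REQUEST_URI' => '/cart.php?add=123'];
    $tls    = ['HTTPS' => 'on', 'REQUEST_URI' => '/cart.php'];
    $forged = ['HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/cart.php'];
    return httpsRedirectTarget($plain) === 'https://www.example.com/cart.php?add=123'
        && httpsRedirectTarget($tls) === null
        && httpsRedirectTarget($forged) === 'https://www.example.com/cart.php'   // header alone is not trusted
        && httpsRedirectTarget($forged, true) === null                             // unless a trusted proxy set it
        && url('/cart.php') === 'https://www.example.com/cart.php';
}
echo selfTest() ? "https checks passed\n" : "FAILED\n";
```

    Running it from the command line prints "https checks passed". The redirect is a fallback for old bookmarks and typed URLs; the cart and checkout pages themselves should simply refuse to work over HTTP, and the session and cart cookies should carry the Secure flag so they are never sent in the clear.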

  8. #8
    wysiwyg (SitePoint Evangelist, Sweden), joined Mar 2006, 451 posts
    Quote Originally Posted by G.Schuster:
    Uh...bad recommendations here...

    Don't use cookies to store a cart!
    Why? Simple! Deactivate cookies in your browser and try to shop. No way. You see the problem?
    Store the cart contents in a session (server-side) and only store the session ID in a cookie - and implement a fallback to transmit the session ID with each request (GET/POST param) when cookies aren't available.
    Not sure I agree about that one. A shopping cart might contain sensitive information, so I'm not sure if I would fall back on propagating the session id over the URL.

  9. #9
    treacle0996 (SitePoint Zealot, UK), joined Nov 2008, 163 posts
    Why use sessions/cookies at all? Why not put selected products straight into a mysql table?

  10. #10
    G.Schuster (<?php while(!sleep()){code();}, Germany), joined Mar 2007, 428 posts
    Quote Originally Posted by treacle0996:
    Why use sessions/cookies at all? Why not put selected products straight into a mysql table?
    And how would you associate the rows with exactly that customer?
    That's what sessions are for...

    Quote Originally Posted by wysiwyg:
    A shopping cart might contain sensitive information, so I'm not sure if I would fall back on propagating the session id over the URL.
    A cookie is in no way more secure than passing the ID through GET or POST.
    It can be intercepted exactly the same way as GET/POST params, so this is an absolute misbelief that cookies are more secure.

  11. #11
    treacle0996 (SitePoint Zealot, UK), joined Nov 2008, 163 posts
    Store the session ID in the basketheader table, and all the basketline records (selected items) link to that.

  12. #12
    G.Schuster (<?php while(!sleep()){code();}, Germany), joined Mar 2007, 428 posts
    You still have to transmit the session ID with each request, so why use a DB table if you can simply store it in the global $_SESSION array?
    The session is still server-side, so the MySQL solution is not more secure than storing it in the session file.

  13. #13
    treacle0996 (SitePoint Zealot, UK), joined Nov 2008, 163 posts
    So there is no benefit to using tables?

    And the drawbacks would be, what, processing speed & disk space ?

  14. #14
    G.Schuster (<?php while(!sleep()){code();}, Germany), joined Mar 2007, 428 posts
    The only benefit would be that you could implement a "session view", e.g. in the admin area.

    Real drawbacks (and benefits) don't exist.
    If you use sessions "the normal way" (without a DB backend) there's always a session file server side - so why not use it?
    No need to complicate it, work according to the K.I.S.S. principle - "keep it simple, stupid"

  15. #15
    wysiwyg (SitePoint Evangelist, Sweden), joined Mar 2006, 451 posts
    Quote Originally Posted by G.Schuster:
    A cookie is in no way more secure than passing the ID through GET or POST.
    It can be intercepted exactly the same way as GET/POST params, so this is an absolute misbelief that cookies are more secure.
    Absolutely, but with a cookie, you don't have the risk of people accidentally sending links with session ids in them, or that links with session ids are stored in the browser history.

  16. #16
    G.Schuster (<?php while(!sleep()){code();}, Germany), joined Mar 2007, 428 posts
    That's no problem.
    Check the browser agent and the IP: mismatch - session killed - redirect with new SID

  17. #17
    SitePoint Guru, joined Mar 2006, 701 posts
    I have done some e-shops and I used this, a session cart.
    Now I am on the way to creating a class based on this.

  18. #18
    amy.damnit (SitePoint Addict), joined Sep 2009, 336 posts
    Quote Originally Posted by G.Schuster:
    You still have to transmit the session ID with each request, so why use a DB table if you can simply store it in the global $_SESSION array?
    The session is still server-side, so the MySQL solution is not more secure than storing it in the session file.
    I'm no expert on this, but I have read that is not true.

    For even more security, you should use Sessions and a Database in tandem.

    If the OP Googles this it is fairly well documented.

    I believe the logic is that session data sits out in the open, in plain text, on your server. And even if you have a hardened, dedicated server, that is still poor data security management...

    But it sounds like the OP needs to really brush up before undertaking E-commerce. It is a SERIOUS topic that requires the best approaches, IMO.

    Good luck,


    Amy

  19. #19
    SitePoint Member, joined Oct 2009, 21 posts
    Yes you will need to use sessions and yes you will need an SSL Certificate. Honestly, whenever I need a shopping cart system I just use Shopify.

  20. #20
    Amenthes (SitePoint Zealot, Bucharest, Romania), joined Oct 2006, 143 posts
    Quote Originally Posted by G.Schuster:
    That's no problem.
    Check the browser agent and the IP: mismatch - session killed - redirect with new SID
    What if the attacker previously sends a link to his evil server which logs the user agent? And what if both are behind the same IP?

    How many people actually turn cookies off? Should we really care about them in cases where we want increased security? I don't think so.

    Quote Originally Posted by G.Schuster:
    A cookie is in no way more secure than passing the ID through GET or POST.
    It can be intercepted exactly the same way as GET/POST params, so this is an absolute misbelief that cookies are more secure.
    Indeed, a cookie does not guarantee total security, but it is more secure than GET at least. You can't send cookies with the URL you post on Facebook, let's say. And if anyone can read/modify cookie data, then you probably have XSS problems.
    I'm under construction | http://igstan.ro/

  21. #21
    wysiwyg (SitePoint Evangelist, Sweden), joined Mar 2006, 451 posts
    Quote Originally Posted by G.Schuster:
    That's no problem.
    Check the browser agent and the IP: mismatch - session killed - redirect with new SID
    Yes, but there are still problems with that. Another person can have the same browser version, and my IP might change if I connect to a VPN, so I would get logged out just because of that and lose my cart.
    Another problem is networks with only one external IP. Let's say that two colleagues sit in the same network with the same IP, and because of company rules, they have the same installation of the same browser. With just checking IP and browser, they would be identified as the same person.
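    Editor's added example (not code from the thread or from any poster): a $_SESSION cart that follows G.Schuster's server-side advice from #7 while settling the session-ID points argued from #8 to #21 in code. The ID travels only in a hardened cookie (no GET/POST fallback, so it never lands in browser history, Referer headers or shared links), PHP is told to reject IDs it did not issue (session fixation), the ID is rotated when the buyer proceeds to checkout, and the session is not started for anonymous browsing, so crawlers never see one. No IP or User-Agent binding is attempted, for the reasons Amenthes and wysiwyg give. Function names are assumptions; needs PHP 7.3+ for the samesite cookie option.

```php
<?php
// Added example, not code from the thread: lazily started, cookie-only,
// fixation-resistant $_SESSION cart. Requires PHP 7.3+.
declare(strict_types=1);

/** Call once per request before anything touches the session. */
function configureSession(): void {
    ini_set('session.use_only_cookies', '1');   // never read the ID from the URL...
    ini_set('session.use_trans_sid', '0');      // ...and never append it to links or forms
    ini_set('session.use_strict_mode', '1');    // an ID the server did not issue is discarded, not adopted
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript, limits what an XSS can steal
        'samesite' => 'Lax',
    ]);
}

/**
 * Resume a session when the browser presented a cookie; create one only when
 * $create is true. Anonymous browsing therefore never produces a session ID.
 */
function openSession(bool $create): bool {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    if (!$create && !isset($_COOKIE[session_name()])) {
        return false;
    }
    return session_start();
}

function cartAdd(int $productId, int $qty): void {
    if ($productId <= 0 || $qty <= 0) {
        throw new InvalidArgumentException('bad product or quantity');
    }
    openSession(true);                          // the first add is what creates the session
    $_SESSION['cart'][$productId] = ($_SESSION['cart'][$productId] ?? 0) + $qty;
}

/** Read-only view: resumes an existing session but never creates one. */
function cartItems(): array {
    return openSession(false) ? ($_SESSION['cart'] ?? []) : [];
}

function cartRemove(int $productId): void {
    if (openSession(false)) {
        unset($_SESSION['cart'][$productId]);
    }
}

/**
 * Call when the buyer proceeds to checkout (and on login): the cart survives,
 * but any ID an attacker may have planted or observed earlier stops working.
 */
function beginCheckout(): string {
    openSession(true);
    session_regenerate_id(true);                // true: delete the old session data, not just unlink it
    $_SESSION['checkout_started'] = time();
    return session_id();
}

/** Demo from the command line: no session until the first add, new ID at checkout. */
function demo(): bool {
    configureSession();
    $anonymous = cartItems() === [] && session_status() === PHP_SESSION_NONE;
    cartAdd(123, 2);
    cartAdd(123, 1);
    cartAdd(456, 1);
    cartRemove(456);
    $before = session_id();
    $after  = beginCheckout();
    return $anonymous && cartItems() === [123 => 3] && $before !== '' && $after !== $before;
}
echo demo() ? "session cart checks passed\n" : "FAILED\n";
```

    Run with php from the command line; it prints "session cart checks passed" (the CLI SAPI creates the session file but sends no cookie). What this buys over the IP/User-Agent check from #16: the fixation scenario Amenthes describes is stopped by use_strict_mode and the regeneration, not by fingerprinting, and colleagues behind one NAT with identical browsers are never confused with each other because nothing about them is compared at all.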

  22. #22
    resting (SitePoint Addict), joined Jul 2009, 220 posts
    i've decided to use $_SESSION to store the user's selection. Only after the confirmation of payment is received, will the database be updated.

    Next question: will the $_SESSION data still be available when the user makes payment on another site (PayPal) and comes back?

    Or better yet, will the $_SESSION data still be available even when the user doesn't come back? Meaning, upon receiving confirmation from PayPal, I will write all the $_SESSION data into the database?

  23. #23
    SitePoint Guru, joined Mar 2006, 701 posts
    I delete all cart-related information when the user makes the order (PayPal etc.).
    The problem is what to do if the user does not come back from PayPal, so you do not know if he paid: is the order 'active'? You may delete the order and just update the DB with the PayPal status.
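    Editor's added example (not code from the thread): the pattern behind both #22 and #23. Don't rely on $_SESSION surviving the round trip to PayPal. Write a pending order row before redirecting, hand PayPal an unguessable order token in whatever pass-through field your integration echoes back, and let the payment notification (not the buyer's return page) flip the row to paid, checking that the amount matches and that the row is still pending, so a replayed or duplicated notification cannot pay twice. SQLite in memory, the table layout, the constructed catalogue and the function names are assumptions; verifying that the notification really came from PayPal is outside this example.

```php
<?php
// Added example, not code from the thread: persist a pending order before the
// PayPal redirect and settle it from the notification, independently of the session.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec("CREATE TABLE orders (
        id           INTEGER PRIMARY KEY AUTOINCREMENT,
        token        TEXT    NOT NULL UNIQUE,
        items        TEXT    NOT NULL,
        amount_cents INTEGER NOT NULL,
        status       TEXT    NOT NULL DEFAULT 'pending',
        created_at   INTEGER NOT NULL
    )");
    return $db;
}

/** Price the cart from the server-side catalogue; the cart only carries IDs and quantities. */
function priceCart(array $cart, array $catalogueCents): int {
    $total = 0;
    foreach ($cart as $productId => $qty) {
        if (!isset($catalogueCents[$productId]) || $qty <= 0) {
            throw new InvalidArgumentException("unknown product or bad quantity: $productId");
        }
        $total += $catalogueCents[$productId] * $qty;
    }
    return $total;
}

/**
 * Snapshot the session cart into the DB and return the token to pass to PayPal.
 * The token, not the session ID, is what ties the payment back to the order.
 */
function createPendingOrder(PDO $db, array $cart, array $catalogueCents): string {
    $token = bin2hex(random_bytes(16));      // 128 bits: unguessable, safe to show PayPal
    $stmt = $db->prepare('INSERT INTO orders (token, items, amount_cents, created_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$token, json_encode($cart), priceCart($cart, $catalogueCents), time()]);
    return $token;
}

/**
 * Called from the notification handler after the message has been verified as
 * genuine. Both conditions (still pending, amount as expected) sit in the one
 * UPDATE, so two concurrent or replayed notifications cannot both succeed.
 */
function markPaid(PDO $db, string $token, int $paidCents): bool {
    $stmt = $db->prepare("UPDATE orders SET status = 'paid'
                          WHERE token = ? AND status = 'pending' AND amount_cents = ?");
    $stmt->execute([$token, $paidCents]);
    return $stmt->rowCount() === 1;
}

function orderStatus(PDO $db, string $token): ?string {
    $stmt = $db->prepare('SELECT status FROM orders WHERE token = ?');
    $stmt->execute([$token]);
    $status = $stmt->fetchColumn();
    return $status === false ? null : $status;
}

/** Demo on constructed data: the session may be gone by the time the notification arrives. */
function demo(): bool {
    $db = openDb();
    $catalogue = [123 => 1999, 456 => 500];                               // constructed prices in cents
    $token = createPendingOrder($db, [123 => 2, 456 => 1], $catalogue);   // expected total: 4498
    $short   = markPaid($db, $token, 4000) === false;                     // underpaid: stays pending
    $paid    = markPaid($db, $token, 4498) === true;
    $replay  = markPaid($db, $token, 4498) === false;                     // duplicate notification: no second hit
    $unknown = markPaid($db, bin2hex(random_bytes(16)), 4498) === false;  // token we never issued
    return $short && $paid && $replay && $unknown && orderStatus($db, $token) === 'paid';
}
echo demo() ? "order checks passed\n" : "FAILED\n";
```

    Run with php (pdo_sqlite enabled); it prints "order checks passed". With this in place the answer to #22 is that it no longer matters whether $_SESSION survives: the return page only needs the token to show an order status, and the notification handler needs nothing from the session at all. Rows that stay pending past some cutoff can be expired by a cron job rather than deleted at redirect time, which is the gap #23 points at.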

