Once the customer is finished shopping and is ready to purchase items, he or she will click a button on the shopping cart page that will go to checkout.php (over HTTPS). This page needs to:
1. Take the customer’s shipping information.
2. Validate the provided data.
3. If valid, store the data and send the customer on to the next step in the checkout process.
4. If invalid, redisplay the form with errors.
In terms of displaying and validating the form, checkout.php behaves like register.php from Chapter 4. But there are some additional considerations that make this script more complicated than that one. Let’s first define the PHP script, then the two view files it uses.
ptg
Creating the PHP Script
The PHP script should be accessed at least twice: originally as a GET request, at which point the form should be loaded, and as a POST request, when the form is submitted. The latter action demands about 100 lines of validation, which is the bulk of the script.
Unlike the shopping area of the Web site, the checkout process will use PHP sessions. This is necessary because multiple scripts will all need access to some of the same information. By default, PHP will store the session identi- fier in a cookie. You might not be aware of this, but with respect to cookies, http://www.example.com and https://www.example.com are separate realms, meaning that a cookie sent over HTTP is available only to pages accessed via HTTP (and the same goes for HTTPS). I mention this now, because the sessions used by the checkout process will not be available on the shop- ping side of the site, and the cookie used on the shopping side of the site is not available in the checkout process.
1. Create a new PHP script in your text editor or IDE to be named checkout.php and stored in the Web root directory.
2. Include the configuration file:
<?php
require ('./includes/config.inc.php');
3. Check for the user’s cart ID, available in the URL:
if ($_SERVER['REQUEST_METHOD'] == 'GET') { if (isset($_GET['session'])) {
$uid = $_GET['session'];
In order to access the customer’s shopping cart, this script needs the user’s shopping cart session ID, stored in a cookie in the user’s browser.
However, that cookie was sent over HTTP, meaning that it’s not available to checkout.php, because this script is being accessed via HTTPS. The remedy is to pass the cookie value to this script when the user clicks the checkout button on cart.php. This script first confirms that a session value was passed along in the URL. If so, it’s assigned to the $uid variable for later use.
4. Use the cart ID as the session ID, and begin the session:
session_id($uid);
session_start( );
The shopping part of the site purposefully does not use sessions (in order to give longevity to the customer’s cart and wish list), but the checkout process will. For continuity, and because the shopping cart ID will be
tip
The .htaccess modifications in Chapter 7, “Second Site: Struc- ture and Design,” ensure that checkout.php is accessible only over HTTPS.
tip
When the user returns to the shopping side of the site, the wish list and cart cookie will still be usable, even after check- ing out.
ptg required by the checkout process, the user’s existing cart ID will be used as
the session ID. This can be arranged by providing a session ID value to the session_id( ) function prior to calling session_start( ).
The net result will be two cookies in the user’s browser: SESSION, sent over HTTP, and PHP_SESSION_ID, sent over HTTPS. Both will have the same value.
5. If no session value was present in the URL (for a GET request), redirect the user:
} else {
$location = 'http://' . BASE_URL . 'cart.php';
header("Location: $location");
exit( );
}
There’s no point in checking out if there’s nothing to purchase. And without a cart session ID, there will be nothing to purchase! In that case, the cus- tomer is redirected back to cart.php, over HTTP. That page will display the checkout button only if the cart is not empty.
6. If the request method isn’t GET, start the session and retrieve the session ID:
} else { // POST request.
session_start( );
$uid = session_id( );
}
This else clause will apply when the customer submits the form for valida- tion. In that case, the session needs to be started. The session ID would have already been set the first time this script was accessed, so that value can be retrieved (by calling session_id( ) with no arguments) to be used later in this script.
7. Include the database connection and create an array for validation errors:
require (MYSQL);
$shipping_errors = array( );
8. If the form was submitted, validate the first and last names:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $_POST['first_name'])) {
$fn= addslashes($_POST['first_name']);
} else {
$shipping_errors['first_name'] = 'Please enter your first name!';
}
ptg if (preg_match ('/^[A-Z \'.-]{2,40}$/i', $_POST['last_name'])) {
$ln = addslashes($_POST['last_name']);
} else {
$shipping_errors['last_name'] = 'Please enter your last name!';
}
The validation routines for the customer’s first and last names match those from register.php in Chapter 4. To make the values safe to use in the stored procedure call, each value is run through addslashes( ).
If there’s a chance that Magic Quotes may be enabled on your server, you’ll also need to apply stripslashes( ) prior to validation:
if (get_magic_quotes_gpc( )) {
$_POST['first_name'] = stripslashes($_POST['first_name']);
// Repeat for other variables that could be affected.
}
If Magic Quotes is enabled, a valid last name, such as O'Toole, will become O\'Toole, which won’t pass the regular expression test. But when the stored procedure is invoked, the query will be CALL add_customer('$fn', '$ln', . . .), so addslashes( ) must be applied to the query data to prevent the apostrophe in O'Toole from breaking that procedure call: CALL add_customer('Peter', 'O'Toole', . . .) 9. Validate the street addresses:
if (preg_match ('/^[A-Z0-9 \',.#-]{2,80}$/i', $_POST['address1'])) {
$a1 = addslashes($_POST['address1']);
} else {
$shipping_errors['address1'] = 'Please enter your street address!';
}
if (empty($_POST['address2'])) {
$a2 = NULL;
} elseif (preg_match ('/^[A-Z0-9 \',.#-]{2,80}$/i', $_POST['address2'])) {
$a2 = addslashes($_POST['address2']);
} else {
$shipping_errors['address2'] = 'Please enter your street address!';
}
Addresses are trickier to validate because they can contain many characters besides alphanumeric ones. The regular expression pattern allows for any letter, any number, a space, an apostrophe, a comma, a period, the number sign, and a dash.
The second street address (for longer addresses) is optional, so it’s only validated if it’s not empty.
tip
As a formality, you could add isset( ) to each validation conditional, as in if (isset($_POST['var'])
&& preg_match(…
ptg 10. Validate the city:
if (preg_match ('/^[A-Z \'.-]{2,60}$/i', $_POST['city'])) {
$c = addslashes($_POST['city']);
} else {
$shipping_errors['city'] = 'Please enter your city!';
}
11. Validate the state:
if (preg_match ('/^[A-Z]{2}$/', $_POST['state'])) {
$s = $_POST['state'];
} else {
$shipping_errors['state'] = 'Please enter your state!';
}
There’s no need to apply either stripslashes( ), with Magic Quotes enabled, or addslashes( ) to this variable, because a valid value can con- tain exactly two capital letters.
12. Validate the zip code:
if (preg_match ('/^(\d{5}$)|(^\d{5}-\d{4})$/', $_POST['zip'])) {
$z = $_POST['zip'];
} else {
$shipping_errors['zip'] = 'Please enter your zip code!';
}
The zip code can be in either the five digit or five plus four format (12345 or 12345-6789).
13. Validate the phone number:
$phone = str_replace(array(' ', '-', '(', ')'), '', $_POST['phone']);
if (preg_match ('/^[0-9]{10}$/', $phone)) {
$p = $phone;
} else {
$shipping_errors['phone'] = 'Please enter your phone number!';
}
The phone number must be exactly ten digits long, which is easy to check.
But as users commonly enter phone numbers with and without spaces, hyphens, and parentheses, any of those characters that may be present are first removed via str_replace( ). Its first argument is an array of values to find—space, hyphen, opening parenthesis, closing parenthesis; its second argument is the replacement value (here, an empty string).
tip
All address and phone number validation routines would need to be altered if the site is serving non-U.S. customers.
tip
The str_replace( ) function is a faster alternative to preg_replace( ), usable when fancy pattern matching isn’t required.
ptg 14. Validate the email address:
if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
$e = $_POST['email'];
$_SESSION['email'] = $_POST['email'];
} else {
$shipping_errors['email'] = 'Please enter a valid email address!';
}
Thanks to the filter_var( ) function, this is the most straightforward of all these validation routines. If your PHP installation does not support the Filter extension, you can search online for the Perl-Compatible Regular Expression (PCRE) pattern to use instead.
Unlike every other variable, the customer’s email address will be stored automatically in the session so that a receipt can be sent to the customer once the order has gone through.
15. Store the data in the session if the shipping information matches the billing:
if (isset($_POST['use']) && ($_POST['use'] == 'Y')) {
$_SESSION['shipping_for_billing'] = true;
$_SESSION['cc_first_name'] = $_POST['first_name'];
$_SESSION['cc_last_name'] = $_POST['last_name'];
$_SESSION['cc_address'] = $_POST['address1'] . ' '
➥. $_POST['address2'];
$_SESSION['cc_city'] = $_POST['city'];
$_SESSION['cc_state'] = $_POST['state'];
$_SESSION['cc_zip'] = $_POST['zip'];
}
The checkout form will present the customer with a check box to select if they want the shipping information to be used as the billing address, too (Figure 10.8). In that case, the customer’s name and address need to be stored in the session for use in the next PHP script. Also, a value is stored in the session indicating this choice.
Authorize.net takes the customer’s street address as a single item, so the two potential street addresses are concatenated together in the session.
Figure 10.8
note
Fraudulent credit card charges often use different shipping and billing addresses. If your site allows for this, make sure your payment gateway has stringent fraud-protection tools.
ptg 16. If no errors occurred, add the user to the database:
if (empty($shipping_errors)) {
$r = mysqli_query($dbc, "CALL add_customer('$e', '$fn', '$ln', '$a1',
➥'$a2', '$c', '$s', $z, $p, @cid)");
To add the customer to the database, the add_customer( ) stored proce- dure is invoked. The first nine arguments are the PHP variables assigned during the validation process. The tenth is a MySQL user-defined variable.
This will match up with the outbound parameter in the stored procedure, to be further explained in the next step.
17. If the procedure worked, retrieve the customer ID:
if ($r) {
$r = mysqli_query($dbc, 'SELECT @cid');
if (mysqli_num_rows($r) == 1) {
list($_SESSION['customer_id']) = mysqli_fetch_array($r);
To get the customer ID generated by the stored procedure, a second query must select @cid. This query is run, then the results of the query are fetched into $_SESSION['customer_id']. If you find this concept to be confusing, it may help to think about this in MySQL terms, as if the proce- dure were being called from the command-line mysql client (Figure 10.9), not a PHP script…
Figure 10.9
The first query itself is a call to a MySQL stored procedure. When the query is executed, a reference to a user-defined variable—@cid—is created. This is a variable that exists within MySQL, but outside of the stored procedure (variables in MySQL outside of stored procedures begin with @). Within the stored procedure, a value is assigned to the internal variable cid, as explained earlier in the chapter. This variable is associ- ated with @cid, thanks to the procedure call and the outbound argument.
When the procedure call is complete, @cid still exists (because it’s outside of the procedure), but will now have a value. But @cid only exists within the MySQL world; to get it to a PHP script, it must be selected and fetched.
ptg 18. Redirect the customer to the billing page:
$location = 'https://' . BASE_URL . 'billing.php';
header("Location: $location");
exit( );
At this point, the customer can be sent to billing.php where the billing information will be requested and processed.
19. If there was a problem, indicate an error:
} }
trigger_error('Your order could not be processed due to a system error.
➥We apologize for the inconvenience.');
The two closing brackets complete the two query-related conditionals. If the customer got to this point in the script, it means that they did every- thing right but the system is not working. In that case, you should log the error, email the administrator—pretty much panic—but let the customer know that a problem occurred through no fault of their own. The site’s support team or administrator would be able to contact the customer immediately, as both the customer’s email address and phone number would be stored in the error log.
20. Complete the $shipping_errors and request method conditionals:
} // Errors occurred IF.
} // End of REQUEST_METHOD IF.
This concludes the end of the form validation process. The rest of the script will apply to the initial GET request. It will also apply should there be errors in the form data after the POST request.
21. Include the header file:
$page_title = 'Coffee - Checkout - Your Shipping Information';
include ('./includes/checkout_header.html');
Note that this script includes the new checkout_header.html file, not the original header.html.
22. Retrieve the shopping cart contents:
$r = mysqli_query($dbc, "CALL get_shopping_cart_contents('$uid')");
The customer’s shopping cart ID is necessary at this point in order to retrieve and later display what the customer is purchasing. This is the same stored procedure used by cart.php in Chapter 9, “Building a Shopping Cart.”
ptg 23. Complete the script:
if (mysqli_num_rows($r) > 0) { include ('./views/checkout.html');
} else { // Empty cart!
include ('./views/emptycart.html');
}
If the stored procedure returned some records, then the checkout.html view file will be included (this will be a new file). If the stored procedure did not return any records, the emptycart.html file will be included instead. It was defined in Chapter 9. Its inclusion means that the customer will not be able to continue the checkout process, which is entirely appropriate.
24. Finish the page:
include ('./includes/footer.html');
?>
The checkout process scripts include the standard footer.
25. Save the file.
Creating the View Files
The checkout.php script uses three view files:
■ checkout.html
■ checkout_cart.html
■ emptycart.html
The first file is included if there are products in the shopping cart. The sec- ond file is included by the first (which is why there’s no reference to it in checkout.php). The third has already been defined.
Let’s write checkout_cart.html first.
CREATING CHECKOUT_CART.HTML
The checkout_cart.html view file displays the contents of the cart—what the customer is actually about to purchase (Figure 10.10). It’s defined as its own script so that it can be used by both of the first two steps of the checkout process. Unlike the cart.html view file, this one doesn’t allow the customer to update the quantities, remove items, or move items to the wish list. More importantly, this script needs to watch out for situations in which the customer
ptg is attempting to purchase an item that is insufficiently stocked. In such cases,
the original shopping cart page recommends that the customer update the quantity of the item or move it to their wish list (see Figure 9.6). This script will forcibly move the item to the wish list if it’s still in the cart but can’t be fulfilled.
Figure 10.10
1. Create a new HTML page in your text editor or IDE to be named checkout_cart.html and stored in the views directory.
2. Begin the HTML box and the cart table:
<div class="box alt"><div class="left-top-corner"><div class=
➥"right-top-corner"><div class="border-top"></div></div></div>
➥<div class="border-left"><div class="border-right"><div class=
➥"inner">
<h2>Your Shopping Cart</h2>
<table border="0" cellspacing="8" cellpadding="6"
➥width="100%">
<tr>
<th align="center">Item</th>
<th align="center">Quantity</th>
<th align="right">Price</th>
<th align="right">Subtotal</th>
</tr>
3. Begin a PHP block and include the product functions file:
<?php
include ('./includes/product_functions.inc.php');
The product_functions.inc.php script was begun in Chapter 8 and expanded in Chapter 9. It defines a couple of necessary functions for displaying the shopping cart.
4. Initialize a variable to represent the order total:
$total = 0;
ptg 5. Create an array for identifying problematic items:
$remove = array( );
With the site as written, it’s possible that the customer is still trying to purchase items that aren’t available. There are a couple of ways you can handle this. First, you could remove those items from the cart and place them in the wish list, as this page will do. Alternatively, you could allow the sale to go through with the thinking that the item would be available relatively soon. The risk of such a policy depends upon what’s being sold and how readily it’s available. This site will not actually charge a customer’s card until a product ships, so allowing an order to go through that may not be fulfilled at that moment is not fraudulent.
In any case, the $remove array will be used to store insufficiently stocked products found in the customer’s cart so that they can later be removed.
6. Fetch each product:
while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {
7. If the quantity of the item in the cart is greater than the stock on hand, make a note of the item:
if ($row['stock'] < $row['quantity']) {
echo '<tr class="error"><td colspan="4" align="center">There are
➥only ' . $row['stock'] . ' left in stock of the ' . $row['name'] . '. This
➥item has been removed from your cart and placed in your wish list.
➥</td></tr>';
$remove[$row['sku']] = $row['quantity'];
If the store does not have enough of an item in stock to cover the number in the cart, a message is added to the table indicating the problem to the cus- tomer (Figure 10.11). Then, the problematic item is added to the $remove array, using the syntax SKU => quantity.
Figure 10.11 tip
You could also write logic that will sell a partial order:
If the customer wants four of something and only three are available, sell three and move one to the wish list. Or the site could ask the customer how they want the item to be handled.