  1. #1

    Multiple step checkout PHP

    I am building a 5-step checkout process. As a user browses the site they select a service and proceed to the checkout process. The first step is to select the date of service. The second step is to enter their contact info and create an account. The third step is to enter their billing information. On the fourth step they review and click a button to process their order. Their information is then sent to authorize.net and the merchant account. I get the values returned and provide a confirmation number and printable receipt.

    My problem is that I'm not sure how to send the data through the steps. In my first mockup for my client I just posted the values from one page to the next and included hidden fields for the previous step values. Now that I am using PHP to do error checking throughout the forms, I've hit a brick wall. I've gone through and created separate files containing the error checking and have been testing the error checking by including the file and posting the form to its respective page.
    I wish they would let me put all the steps on one page

    How should I securely pass the values in the forms through each step? Should I include the forms in one page using if statements and process the error checking in separate files? Store the data in sessions? Cookies?

    I do have SSL installed. Thanks in advance!

  2. #2

    I'm a beginner so please bear with me

    Here is some of the code:

    Step 1
    PHP Code:
    <?php include('datechecker.php'); ?>

    <form name="dateSelect" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
    <table width="300" border="0" align="center" cellpadding="8" cellspacing="0">
      <tr>
        <td><table width="300" border="0" align="center" cellpadding="5" cellspacing="0" <?php if ($date == '0') { print "class='errorBorder'"; } ?>>
          <?php print $error_date_selection; ?>
          <tr>
            <td><select name="date11_month">
              <option value="0"> </option>
                  <option value="01" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '01') echo ' selected="selected"'; ?>>January</option>
                  <option value="02" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '02') echo ' selected="selected"'; ?>>February</option>
                  <option value="03" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '03') echo ' selected="selected"'; ?>>March</option>
                  <option value="04" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '04') echo ' selected="selected"'; ?>>April</option>
                  <option value="05" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '05') echo ' selected="selected"'; ?>>May</option>
                  <option value="06" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '06') echo ' selected="selected"'; ?>>June</option>
                  <option value="07" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '07') echo ' selected="selected"'; ?>>July</option>
                  <option value="08" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '08') echo ' selected="selected"'; ?>>August</option>
                  <option value="09" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '09') echo ' selected="selected"'; ?>>September</option>
                  <option value="10" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '10') echo ' selected="selected"'; ?>>October</option>
                  <option value="11" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '11') echo ' selected="selected"'; ?>>November</option>
                  <option value="12" <?php if (isset($_POST['date11_month']) && $_POST['date11_month'] == '12') echo ' selected="selected"'; ?>>December</option>
            </select>
              <br>
              Month          <br></td>
            <td><select name="date11_date">
                  <option value="0" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '0') echo ' selected="selected"'; ?>></option>
                  <option value="01" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '01') echo ' selected="selected"'; ?>>01</option>
                  <option value="02" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '02') echo ' selected="selected"'; ?>>02</option>
                  <option value="03" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '03') echo ' selected="selected"'; ?>>03</option>
                  <option value="04" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '04') echo ' selected="selected"'; ?>>04</option>
                  <option value="05" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '05') echo ' selected="selected"'; ?>>05</option>
                  <option value="06" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '06') echo ' selected="selected"'; ?>>06</option>
                  <option value="07" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '07') echo ' selected="selected"'; ?>>07</option>
                  <option value="08" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '08') echo ' selected="selected"'; ?>>08</option>
                  <option value="09" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '09') echo ' selected="selected"'; ?>>09</option>
                  <option value="10" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '10') echo ' selected="selected"'; ?>>10</option>
                  <option value="11" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '11') echo ' selected="selected"'; ?>>11</option>
                  <option value="12" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '12') echo ' selected="selected"'; ?>>12</option>
                  <option value="13" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '13') echo ' selected="selected"'; ?>>13</option>
                  <option value="14" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '14') echo ' selected="selected"'; ?>>14</option>
                  <option value="15" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '15') echo ' selected="selected"'; ?>>15</option>
                  <option value="16" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '16') echo ' selected="selected"'; ?>>16</option>
                  <option value="17" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '17') echo ' selected="selected"'; ?>>17</option>
                  <option value="18" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '18') echo ' selected="selected"'; ?>>18</option>
                  <option value="19" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '19') echo ' selected="selected"'; ?>>19</option>
                  <option value="20" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '20') echo ' selected="selected"'; ?>>20</option>
                  <option value="21" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '21') echo ' selected="selected"'; ?>>21</option>
                  <option value="22" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '22') echo ' selected="selected"'; ?>>22</option>
                  <option value="23" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '23') echo ' selected="selected"'; ?>>23</option>
                  <option value="24" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '24') echo ' selected="selected"'; ?>>24</option>
                  <option value="25" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '25') echo ' selected="selected"'; ?>>25</option>
                  <option value="26" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '26') echo ' selected="selected"'; ?>>26</option>
                  <option value="27" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '27') echo ' selected="selected"'; ?>>27</option>
                  <option value="28" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '28') echo ' selected="selected"'; ?>>28</option>
                  <option value="29" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '29') echo ' selected="selected"'; ?>>29</option>
                  <option value="30" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '30') echo ' selected="selected"'; ?>>30</option>
                  <option value="31" <?php if (isset($_POST['date11_date']) && $_POST['date11_date'] == '31') echo ' selected="selected"'; ?>>31</option>
            </select>
              <br>
              Day</td>
            <td><input name="date11_year" value="<?php if (isset($_POST['date11_year'])) { print $_POST['date11_year']; } ?>" size="5" type="text">
              <br>
              Year</td>
            <td valign="top"><a href="#" onClick="cal11.showCalendar('calForm'); return false;" title="cal11.showCalendar('calForm'); return false;" name="calForm" id="calForm"><img src="images/b_calendar.png" width="16" height="16" border="0"></a></td>
          </tr>
        </table></td>
      </tr>
      <tr>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td><div align="center">
        <?php if (isset($_GET['pid'])) { print $_GET['pid']; } ?>
            <input type="hidden" value="<?php if (isset($_GET['pid'])) { print $_GET['pid']; } elseif (isset($_POST['pid'])) { print $_POST['pid']; } ?>" name="pid">
            <input type="hidden" name="action" value="submitted">
            <input type="submit" name="Submit" value="Select and Continue">
        </div></td>
      </tr>
    </table>
    <div align="center"></div>
            </form>
    Step 2 (still needs some work on the error reporting):

    PHP Code:
    <?php include('step2check.php'); ?>
    <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
            <table width="750" border="0" align="center" cellpadding="2" cellspacing="0">
              <tr>
                <td class="fieldName">User Name: </td>
                <td colspan="3"><input name="usrname" id="usrname" type="text" size="20" maxlength="12"<?php if (isset($_POST['usrname'])) { ?> value="<?php print $_POST['usrname']; ?>"<?php } ?>>
                  <span class="asterik">*</span><br>
                    <?php if ($u_e == 1) { print $uname_error; } ?></td>
                <td>&nbsp;</td>
              </tr>
              <tr>
                <td class="fieldName">Email Address:</td>
                <td><input name="email" type="text" id="email" size="20"<?php if (isset($_POST['email'])) { ?> value="<?php print $_POST['email']; ?>"<?php } ?>>
                  <span class="asterik">*</span><br>
                <?php if ($e_e == 1) { print $email_addy_error; } ?><br>
                <?php if ($e == 1) { print $email_match_error; } ?>
                    </td>
                <td colspan="2" class="fieldName" >Password</td>
                <td><input name="pswd" type="password" id="pswd" size="20">
                  <span class="asterik">*</span><br>
                <?php if ($pw == 1) { print $pass_match_error; } ?>
                </td>
                </tr>
              <tr>
                <td class="fieldName">Verify Email Address: </td>
                <td><input name="vemail" type="text" id="vemail" size="20"<?php if (isset($_POST['vemail'])) { ?> value="<?php print $_POST['vemail']; ?>"<?php } ?>>
                  <span class="asterik">*</span></td>
                <td colspan="2" class="fieldName">Verify Password:</td>
                <td><input name="vpassword" type="password" id="vpassword" size="20">
                  <span class="asterik">*</span></td>
                </tr>
              <tr>
                <td colspan="5"><div align="left">Billing Information </div></td>
                </tr>
              <tr>
                <td class="fieldName">First Name:</td>
                <td><input name="fname" type="text" id="fname" size="20"<?php if (isset($_POST['fname'])) { ?> value="<?php print $_POST['fname']; ?>"<?php } ?>>
                  <span class="asterik">*</span><br>
                <?php if ($n == 1) { print $name_error; } ?>
                </td>
                <td colspan="2" class="fieldName">Last Name:</td>
                <td><input name="lname" type="text" id="lname" size="20"<?php if (isset($_POST['lname'])) { ?> value="<?php print $_POST['lname']; ?>"<?php } ?>>
                  <span class="asterik">*</span></td>
              </tr>
              <tr>
                <td class="fieldName">Billing Address 1:</td>
                <td colspan="4">
                        <input name="billing_address_1" type="text" id="billing_address_1" size="65"<?php if (isset($_POST['billing_address_1'])) { ?> value="<?php print $_POST['billing_address_1']; ?>"<?php } ?>>
                        <span class="asterik">*</span><br>
                <?php if ($ba1 == 1) { print $baddy1_error; } ?>
                </td>
                </tr>
              <tr>
                <td class="fieldName">Billing Address 2:</td>
                <td colspan="4"><input name="billing_address_2" type="text" id="billing_address_2" size="65"<?php if (isset($_POST['billing_address_2'])) { ?> value="<?php print $_POST['billing_address_2']; ?>"<?php } ?>></td>
                </tr>
              <tr>
                <td class="fieldName">City:</td>
                <td><input name="city" type="text" id="city" size="20"<?php if (isset($_POST['city'])) { ?> value="<?php print $_POST['city']; ?>"<?php } ?>>
                  <span class="asterik">*</span><br>
                <?php if ($c == 1) { print $city_error; } ?>
                </td>
                <td class="fieldName">State:
                  <input name="state" type="text" id="state" size="2" maxlength="2"<?php if (isset($_POST['state'])) { ?> value="<?php print $_POST['state']; ?>"<?php } ?>>
                  <span class="asterik">*</span><br>
                            <?php if ($se == 1) { print $state_error; } ?>
                </td>
                <td class="fieldName">Zip:</td>
                <td><input name="zip" type="text" id="zip" size="5" maxlength="5"<?php if (isset($_POST['zip'])) { ?> value="<?php print $_POST['zip']; ?>"<?php } ?>>
                  <span class="asterik">*</span><br>
                <?php if ($z == 1) { print $zip_error; } ?>
                </td>
              </tr>
              <tr>
                <td class="fieldName">Phone:</td>
                <td><input name="phone" type="text" id="phone" size="20"<?php if (isset($_POST['phone'])) { ?> value="<?php print $_POST['phone']; ?>"<?php } ?>>
                  <span class="asterik">*</span><br>
                                <?php if ($p == 1) { print $phone_error; } ?>
                </td>
                <td colspan="2">&nbsp;</td>
                <td>&nbsp;</td>
              </tr>
              <tr>
                <td class="fieldName">Fax:</td>
                <td><input name="fax" type="text" id="fax" size="20"<?php if (isset($_POST['fax'])) { ?> value="<?php print $_POST['fax']; ?>"<?php } ?>></td>
                <td colspan="2">&nbsp;</td>
                <td>&nbsp;</td>
              </tr>
              <tr>
                <td>&nbsp;</td>
                <td colspan="3">&nbsp;</td>
                <td>&nbsp;</td>
              </tr>
              <tr>
                <td colspan="5"></td>
                </tr>
              <tr>
                <td>&nbsp;</td>
                <td colspan="3"><div align="center">
                <input type="hidden" name="action" value="submitted">
                  <input type="submit" name="Submit" value="Submit">
                </div></td>
                <td></td>
              </tr>
              <tr>
                <td colspan="5"></td>
                </tr>
            </table>
            </form>

    If y'all can help me figure out how to get from step 1 to 2, I think I can get the rest. Thanks again!

  3. #3
    Instead of posting the past steps, store them in sessions.

    peace,

  4. #4

    Implementing Sessions

    I am implementing sessions to handle the data between steps. Thanks
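The skeleton below is an added example, not code from anyone in this thread. It shows what "store them in sessions" looks like when the validation for each step runs before anything is copied into `$_SESSION`, and when a request for a later step is refused until the earlier ones are complete. The file name `checkout.php`, the step numbering, the whitelist of fields per step and the validation rules are all assumptions; the field names are the ones from the forms above. It needs PHP 5.5 or later for `password_hash()`.

```php
<?php
// Added example (not the poster's code): one checkout.php that keeps every
// completed step in $_SESSION and refuses to serve a step the client has
// not reached. Field names follow the thread; the file name, the step
// numbering and the validation rules are assumptions. Needs PHP >= 5.5
// for password_hash().
session_start();

// Fields each step may write into the session. Card data is deliberately
// absent: it is posted at the review step and sent straight to the
// gateway, never parked in the session.
$step_fields = array(
    1 => array('date11_month', 'date11_date', 'date11_year', 'pid'),
    2 => array('usrname', 'email', 'fname', 'lname', 'billing_address_1',
               'billing_address_2', 'city', 'state', 'zip', 'phone', 'fax'),
);

function validate_step($step, array $in) {
    $errors = array();
    if ($step === 1) {
        $m = isset($in['date11_month']) ? (int)$in['date11_month'] : 0;
        $d = isset($in['date11_date'])  ? (int)$in['date11_date']  : 0;
        $y = isset($in['date11_year'])  ? (int)$in['date11_year']  : 0;
        // checkdate() rejects impossible dates such as 31 February.
        if (!checkdate($m, $d, $y) || mktime(0, 0, 0, $m, $d, $y) < strtotime('today')) {
            $errors['date'] = 'Please select a valid service date that is not in the past.';
        }
        if (!isset($in['pid']) || !ctype_digit($in['pid'])) {
            $errors['pid'] = 'Unknown service.';
        }
    } elseif ($step === 2) {
        if (!isset($in['usrname']) || !preg_match('/^[A-Za-z0-9_]{3,12}$/', $in['usrname'])) {
            $errors['usrname'] = 'User name: 3 to 12 letters, digits or underscores.';
        }
        if (!isset($in['email']) || !filter_var($in['email'], FILTER_VALIDATE_EMAIL)) {
            $errors['email'] = 'Enter a valid e-mail address.';
        } elseif (!isset($in['vemail']) || $in['vemail'] !== $in['email']) {
            $errors['vemail'] = 'E-mail addresses do not match.';
        }
        if (!isset($in['pswd']) || strlen($in['pswd']) < 8) {
            $errors['pswd'] = 'Password must be at least 8 characters.';
        } elseif (!isset($in['vpassword']) || $in['vpassword'] !== $in['pswd']) {
            $errors['vpassword'] = 'Passwords do not match.';
        }
        if (!isset($in['state']) || !preg_match('/^[A-Z]{2}$/', $in['state'])) {
            $errors['state'] = 'State must be a two-letter code.';
        }
        if (!isset($in['zip']) || !preg_match('/^\d{5}$/', $in['zip'])) {
            $errors['zip'] = 'ZIP must be five digits.';
        }
    }
    return $errors;
}

// Highest step the client may see: one past the last completed one.
function allowed_step() {
    return isset($_SESSION['checkout']['step']) ? (int)$_SESSION['checkout']['step'] : 1;
}

$step = isset($_GET['step']) ? (int)$_GET['step'] : 1;
if ($step < 1 || $step > allowed_step()) {
    // Someone typed ?step=4 into the URL: bounce them to where they really are.
    header('Location: checkout.php?step=' . allowed_step());
    exit;
}

$errors = array();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($step_fields[$step])) {
    $errors = validate_step($step, $_POST);
    if (!$errors) {
        // Only validated, whitelisted fields reach the session.
        foreach ($step_fields[$step] as $field) {
            $_SESSION['checkout'][$field] = isset($_POST[$field]) ? trim($_POST[$field]) : '';
        }
        if ($step === 2) {
            // Keep a hash, never the password, and rotate the session id
            // now that the session is tied to an account.
            $_SESSION['checkout']['pswd_hash'] = password_hash($_POST['pswd'], PASSWORD_DEFAULT);
            session_regenerate_id(true);
        }
        // Going back to redo step 1 must not lose the step 2 completion.
        $_SESSION['checkout']['step'] = max(allowed_step(), $step + 1);
        header('Location: checkout.php?step=' . ($step + 1));
        exit;
    }
}

// From here on: render the form for $step, print $errors next to the
// fields and re-populate inputs from $_SESSION['checkout'] (escaped with
// htmlspecialchars, never echoed raw).
```

The redirect after a successful POST means a page refresh never resubmits a step, and because the session only ever receives fields that passed `validate_step()`, the review step can trust what it reads back. The `pid` and date still need to be checked against the catalogue and availability on the server at step 4; the session only proves the client chose them, not that they are still valid.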

  5. #5
    A different approach:
    PHP Code:
    <?php
    // Only read the posted month if it was actually submitted.
    $month_posted = isset($_POST['date11_month']) ? strtolower($_POST['date11_month']) : '';
    $months = array("","Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec");
    echo "<select name='date11_month'>\n";
    for ($xx = 1; $xx <= 12; $xx++) {
        // "01" == 1 is true in PHP, so the zero-padded posted value matches the loop counter.
        if ($xx == $month_posted) { $selected = "selected='selected'"; } else { $selected = ""; }
        echo "<option value='".substr("0".$xx, -2)."' $selected>".$months[$xx]."</option>\n";
    }
    echo "</select>";
    ?>
    You can apply this to the days as well; it would be a lot faster.

    Edit:
    On a side note, do not directly output (print, echo) any incoming data ($_POST, $_GET, $_REQUEST). Always filter your form data on the server side.
    Last edited by BurakUeda; 11-06-2005 at 04:06 AM.
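What "do not directly output incoming data" means in practice, as an added example that is not BurakUeda's code or the original poster's: the posted value is reduced to something known-good before it decides which option is selected, and anything that does get written back into the page goes through `htmlspecialchars()`. Field names are the thread's; the helper names (`h`, `posted_month`, `month_select`, `text_input`) and the demo input are assumptions.

```php
<?php
// Added example, not code from the thread: re-populating the step 1 and
// step 2 fields without echoing the raw submission. Field names follow the
// thread; the helper names and the demo input are assumptions.

// Escape for an HTML attribute or text node. ENT_QUOTES covers single and
// double quotes, so a value cannot break out of value="...".
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Filter on input: the posted month is only ever used after it has been
// reduced to an integer in 1..12; anything else selects the blank option,
// so the submitted string itself never reaches the HTML.
function posted_month(array $in) {
    if (!isset($in['date11_month']) || !ctype_digit($in['date11_month'])) {
        return 0;
    }
    $m = (int)$in['date11_month'];
    return ($m >= 1 && $m <= 12) ? $m : 0;
}

// Same idea as BurakUeda's loop, with the selection decided by the filtered
// value and every label escaped on the way out.
function month_select(array $in) {
    $months = array('', 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                    'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
    $selected = posted_month($in);
    $html = "<select name=\"date11_month\">\n";
    for ($m = 0; $m <= 12; $m++) {
        $html .= sprintf("  <option value=\"%s\"%s>%s</option>\n",
            $m === 0 ? '0' : sprintf('%02d', $m),
            $m === $selected ? ' selected="selected"' : '',
            h($months[$m]));
    }
    return $html . "</select>\n";
}

// Free-text field: the value goes through h() and sits inside quotes.
// The original form wrote  value= <value>  with no quotes and no escaping,
// so a space or a quote in the data rewrote the tag.
function text_input($name, array $in, $size = 20) {
    $value = isset($in[$name]) ? $in[$name] : '';
    return sprintf('<input name="%s" id="%s" type="text" size="%d" value="%s">',
        h($name), h($name), (int)$size, h($value));
}

// Constructed demo input: values the original code would have printed
// straight into the page.
$demo = array(
    'date11_month' => '"><script>alert(1)</script>',
    'fname'        => 'O\'Brien" onmouseover="alert(1)',
);
echo month_select($demo);              // blank option selected, payload gone
echo text_input('fname', $demo), "\n"; // quotes come out as &quot; and &#039;
```

Validation (rejecting bad input) and escaping (making whatever you do output harmless in its context) are two different jobs; the month select does the first, `h()` does the second, and a free-text field like `fname` needs the second even after the first, because an apostrophe in O'Brien is perfectly valid data.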

  6. #6
    On a side note, do not directly output (print, echo) any incoming data ($_POST, $_GET, $_REQUEST). Always filter your form data on the server side.
    Are you talking about filtering the data by including a file that sets the incoming data to $variables? Not sure what you mean by filtering. I wrote some code that checks for valid data in each field.

    -Sessions-

    I have looked around a few forums and have found mixed reviews on the proper/best/correct/secure way to handle sessions in multiple page forms.

    Should I place the $_POST variables into a session array? Here is one way I have seen this done:

    PHP Code:
    <?php
    session_start();

    $allowed_vars = array(
        'fname',
        'lname',
        'email',             // I would be placing many more here, probably 20-30 variables.
    );

    // Copy only the whitelisted fields from the form into the session.
    foreach ($allowed_vars as $key) {
        if (isset($_POST[$key])) {
            $_SESSION[$key] = $_POST[$key];
        }
    }
    ?>
    I also need to write the incoming session data to a database. I would like to store the data from step 2 if someone stops continuing through to checkout.

    After step 2 is submitted and checked for errors, is it safe to write an insert query using the data contained in the session variables?

    or

    Should I write to a txt file, then store in db later?

    This is an example of how I've been writing insert queries:

    PHP Code:

    $query  = "INSERT INTO users (fname, lname, email) ";
    $query .= "VALUES ('$fname', '$lname', '$email')";
    $result = mysql_query($query);
    Is it OK to do this?

    PHP Code:
    $fname = $_SESSION['fname'];
    $lname = $_SESSION['lname'];
    $email = $_SESSION['email'];

    $query  = "INSERT INTO users (fname, lname, email) ";
    $query .= "VALUES ('$fname', '$lname', '$email')";
    $result = mysql_query($query);

  7. #7
    You need to be wary of SQL injection attacks when submitting unknown user data to a database. I believe that is what BurakUeda is referring to. Make sure you "sanitize" all incoming data.

    Read up more here: http://www.unixwiz.net/techtips/sql-injection.html
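To make the point concrete, here is an added example (not code from this thread) that runs the poster's interpolated INSERT next to a parameterised one against an in-memory SQLite database, so it works offline. The `users` table and its columns follow the thread; the PDO setup, the helper names and the sample rows are assumptions. Moving the data through `$_SESSION` first changes nothing here: it is still the user's string when it reaches the query.

```php
<?php
// Added example (not the poster's code): the thread's interpolated INSERT
// beside a parameterised one, run against an in-memory SQLite database so
// it works offline. Table name and columns follow the thread; the PDO
// setup, the helper names and the sample rows are assumptions.

function open_db() {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (fname TEXT, lname TEXT, email TEXT)');
    return $pdo;
}

// What the thread's code does: user data spliced into the SQL text.
function insert_vulnerable(PDO $pdo, $fname, $lname, $email) {
    $query  = "INSERT INTO users (fname, lname, email) ";
    $query .= "VALUES ('$fname', '$lname', '$email')";
    return $pdo->exec($query);          // rows affected
}

// The fix: the SQL text is fixed, values travel as parameters and can
// never change the statement's structure. Session data goes through the
// same path; it is still user input, just stored server-side.
function insert_prepared(PDO $pdo, $fname, $lname, $email) {
    $stmt = $pdo->prepare(
        'INSERT INTO users (fname, lname, email) VALUES (:fname, :lname, :email)');
    $stmt->execute(array(':fname' => $fname, ':lname' => $lname, ':email' => $email));
    return $stmt->rowCount();
}

function count_users(PDO $pdo) {
    return (int)$pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Constructed payload: closes the first VALUES tuple and opens a second,
// so one form submission writes two rows.
$evil_email = "alice@example.com'),('Eve','Dropper','eve@example.com";

$db = open_db();
insert_vulnerable($db, 'Alice', 'Smith', $evil_email);
printf("vulnerable: %d row(s) after one submission\n", count_users($db));   // 2

$db = open_db();
insert_prepared($db, 'Alice', 'Smith', $evil_email);
printf("prepared:   %d row(s); email stored verbatim: %s\n",
    count_users($db), $db->query('SELECT email FROM users')->fetchColumn()); // 1

// An apostrophe in ordinary data breaks the vulnerable version outright.
try {
    insert_vulnerable($db, "O'Brien", 'Pat', 'pat@example.com');
} catch (PDOException $e) {
    echo "vulnerable: SQL syntax error on O'Brien\n";
}
insert_prepared($db, "O'Brien", 'Pat', 'pat@example.com');   // inserts fine
```

Escaping every value by hand (`mysql_real_escape_string()` in the thread's era) is the fallback when you cannot use parameters, but prepared statements remove the whole class of problem rather than patching each string, and the `O'Brien` case shows the same mechanism that stops the injection also stops legitimate data from corrupting the query.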
