On Sunday 07 April 2002 12:01, Jennifer Downey wrote:
> Hi all,
>
> This code is working great except for one minor bug.
>
> If I have 2 or 3 items at different prices buy.php is updating the points
> of the user at the last priced item.
>
> In other words if
> item 1 costs 1965
> item 2 costs 564
> item 3 costs 25
>
> and item 1 is clicked it only takes away 25 points instead of 1965.
>
> Any ideas why, and what can I do to fix this? I have read a few tutorials on
> sessions now but none tell how I might get a fix for this.

It looks as if you're going about this the completely wrong way.

> This is the shop.php
>
> session_register("price");

You only have ONE storage space for the price of an item, yet you need to 
store more than one price, i.e. impossible. But it's really not needed. Read on.

Your best (and secure) approach is to minimise the amount of info given by 
the client. AFAICS the only info needed from the client is the item ID (and 
possibly the quantity, but you only seem to allow buying 1 item per click?)


> $query = "SELECT * FROM {$config["prefix"]}_items where id = 1";
> $result = mysql_query($query);
> $row = mysql_fetch_array($result);
> echo ("");
> echo "<A HREF=\"buyitem.php?id=1\" TARGET=\"_self\"><IMG
> SRC=\"images/blueholo.gif\" border=0 ></A><br>";
>
> echo "<b>$row[name]</b><br>";
> echo "Quantity $row[quantity]<br>";
> echo "Cost: $row[price] SC<br>";
>
> $price=$row[price];

Not needed.

>
> $query = "SELECT * FROM {$config["prefix"]}_items where id = 2";
> $result = mysql_query($query);
> $row = mysql_fetch_array($result);
> echo ("");
> echo "<A HREF=\"buyitem.php?id=2\" TARGET=\"_self\"><IMG
> SRC=\"images/redholo.gif\" border=0 ></A><br>";
>
> echo "<b>$row[name]</b><br>";
> echo "Quantity $row[quantity]<br>";
> echo "Cost: $row[price] SC<br>";
>
> $price=$row[price];

Not needed. This is overwriting your previous $price, thus you only get the 
last $price.

>
> This is buyitem.php
>
> session_start();
> $id = $HTTP_GET_VARS["id"];

Here, you should write some code to retrieve the price of the item directly 
from the DB.


> // Updates the quantity
> $query ="UPDATE {$config["prefix"]}_items SET quantity = quantity - 1 where
> id = '$id'";
> $ret=mysql_query($query);
> $check_points = "SELECT points FROM {$config["prefix"]}_users WHERE
> uid={$session["uid"]}";
> $ret=mysql_query($check_points);
>
> while(list($points)=mysql_fetch_row($ret))
> {
>   $cost=$HTTP_SESSION_VARS['price'];  // Gets the price of the item.
>                                       // replace with $_SESSION['price'] if PHP version >= 4.1.0
>   echo $cost;

Use the price as obtained above.


>   if($points < $cost) {
>     echo "You don't have enough StarrCredits to purchase this item!";
>   }else{
>
>     $query = "UPDATE {$config["prefix"]}_users SET points = points - $cost
> where uid={$session["uid"]}";
>     mysql_query($query);
>   }
> }


-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *


/*
I remember when legal used to mean lawful, now it means some
kind of loophole.
                -- Leo Kessler
*/

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
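Added editorial example, not code from either poster: a buyitem.php written the way the reply suggests, where the client sends nothing but the item ID and the price is read from the items table on the server. It also binds the ID as a query parameter instead of interpolating it into the SQL string (the original `where id = '$id'` takes `$id` straight from the query string), and it goes one step beyond the thread: the quoted buyitem.php decrements the item quantity before the points check, so an unaffordable purchase still reduces stock, whereas here both the balance check and the stock check are conditional UPDATEs inside one transaction, so a second rapid click cannot slip past a separate `if ($points < $cost)` test. The `sc_` table prefix, the seed rows, the uid 42 and the use of `$_SESSION['uid']` for the logged-in user are assumptions for the demo; it runs stand-alone on PHP 7+ with the pdo_sqlite extension, and the DSN would be swapped for a MySQL one in practice.

```php
<?php
// Added example (not from the original thread). Self-contained: uses an
// in-memory SQLite database via PDO so it can be run offline with `php buyitem_demo.php`.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Table layout follows the thread ({prefix}_items, {prefix}_users, uid, points);
    // the "sc_" prefix is an assumption.
    $db->exec("CREATE TABLE sc_items (id INTEGER PRIMARY KEY, name TEXT, price INTEGER, quantity INTEGER)");
    $db->exec("CREATE TABLE sc_users (uid INTEGER PRIMARY KEY, points INTEGER)");
    // Constructed sample data: the three prices from the original question.
    $db->exec("INSERT INTO sc_items VALUES (1,'blue holo',1965,5), (2,'red holo',564,1), (3,'green holo',25,0)");
    $db->exec("INSERT INTO sc_users VALUES (42, 2000)");
    return $db;
}

/**
 * Buy one unit of $itemId for user $uid and return a short status string.
 * The price is never taken from the client or the session: it is read from
 * the items table inside the same transaction that spends the points.
 */
function buy_item(PDO $db, int $uid, int $itemId): string {
    $db->beginTransaction();
    try {
        // Prepared statement: $itemId is bound as a parameter, never interpolated into SQL.
        $st = $db->prepare("SELECT price FROM sc_items WHERE id = :id");
        $st->execute([':id' => $itemId]);
        $price = $st->fetchColumn();
        if ($price === false) {
            $db->rollBack();
            return 'no such item';
        }
        $price = (int)$price;

        // Conditional UPDATE: affects a row only if the user can afford the item,
        // so the balance check and the deduction are a single atomic statement.
        // (PDO without emulated prepares cannot reuse one named placeholder twice,
        // hence :price and :price_check.)
        $st = $db->prepare("UPDATE sc_users SET points = points - :price "
                         . "WHERE uid = :uid AND points >= :price_check");
        $st->execute([':price' => $price, ':uid' => $uid, ':price_check' => $price]);
        if ($st->rowCount() !== 1) {
            $db->rollBack();
            return 'not enough StarrCredits';
        }

        // Same idea for stock: the quantity can never be driven below zero.
        $st = $db->prepare("UPDATE sc_items SET quantity = quantity - 1 WHERE id = :id AND quantity > 0");
        $st->execute([':id' => $itemId]);
        if ($st->rowCount() !== 1) {
            $db->rollBack();   // also undoes the points deduction above
            return 'sold out';
        }

        $db->commit();
        return "bought for $price SC";
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Demo driver, standing in for a real request where the ID would come from
// $_GET['id'] and the user from $_SESSION['uid'] after session_start().
$db  = open_demo_db();
$uid = 42;   // assumed logged-in user for the demo
foreach (["1", "3", "2", "1", "1; DROP TABLE sc_users"] as $clientId) {
    // Reject anything that is not a positive integer before it gets near SQL.
    $id = filter_var($clientId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $status = ($id === false) ? 'bad item id' : buy_item($db, $uid, $id);
    echo "id=$clientId -> $status\n";
}
```

Walking through the driver with the seeded data: the first click on item 1 succeeds and leaves the user with 35 points; item 3 is affordable but has quantity 0, so the stock UPDATE changes no row and the rollback restores the 25 points it had just deducted; items 2 and 1 are then refused as unaffordable; and the last "ID" never reaches the database because `filter_var` rejects it. Note that `rowCount()` on an UPDATE is what turns the two checks into the decision, which is why they are written as `WHERE ... AND points >= ...` rather than as a SELECT followed by an unconditional UPDATE.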