
PHP

Preventing url input

So I'm currently developing a project which is a car trading website. I pass the id of the car using the $_GET variable so that the car is added into the basket, but I noticed that if you add the id into the URL of the page it will add another item into the basket. Is there any way of preventing the user from being able to change or enter a value into the URL link in the search bar using PHP, or is it one of those things we just have to deal with? :(

Here is some of the PHP code for you to get even more of an idea:

<?php
// Start session to get the value of item from previous page
session_start();

// Values from the items
$item = $_GET["item"];
$cost = $_GET["cost"];

// If the session isn't set
if (!isset($_SESSION["total_cost"])){

    // Reset the value to 0
    $_SESSION["total_cost"] = 0;
}

// Get the cost and add the cost from the latest item
$_SESSION["total_cost"] = $_SESSION["total_cost"] + $cost;

// Put the total cost into variable
$total_cost = $_SESSION["total_cost"];
Robert Walker

Could you give a little more insight into how this process works in relation to the actual website?

How is the user adding these items to the basket? Is there a process page in between, i.e. do you click add car -> process script -> header relocate to new page, etc.?

A little knowledge of what you are doing during this process can help.

Just from what I understand, you want to be able to make sure users are not passing in invalid or duplicate items/costs?

If so:

I would suggest using a cleaner to start:

<?php
// Basic cleaner for a single request value: strips surrounding whitespace and
// backslashes, then encodes HTML special characters so the value is safe to echo.
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

Once you have this maybe check it against the database to check that the car id is a valid car id and that the price matches that car id price.

I would also check if you are getting back the right types too: strings, ints, etc.

If the car id is valid and the price is the same for that car id, then pass it to the basket; if not, redirect to X page with the error message "oops, something went wrong, try again" or whatever.

1 Answer

Tunde, if you only want an item added to the cart when a button/link is clicked then you should be using $_POST and not $_GET. Technically, since you are adding information to the session and not just retrieving information from the server, you should be using $_POST. $_GET should only be used when getting information from the server. Also, you should look into CSRF tokens. This should help add a layer of security to your cart.
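Putting the two replies together (validate the car id and price server-side as Robert suggests, and accept basket changes only via POST with a CSRF token as the answer suggests), here is an added example of what the add-to-basket handler could look like. This is not code from the original poster or from Treehouse; the `CATALOGUE` array is a constructed stand-in for the database lookup, and the function names `lookup_price`, `csrf_token`, `csrf_valid` and `add_to_basket` are assumptions for illustration. The request method, POST data and session are passed in as parameters so the logic can be run from the command line without a web server.

```php
<?php
// Added example (not the original poster's code): add-to-basket handler that
// ignores any client-supplied cost, validates the car id against a catalogue,
// and requires a POST request carrying a valid CSRF token.
declare(strict_types=1);

// Constructed catalogue: car id => price. In production this would be a
// prepared-statement query against the cars table.
const CATALOGUE = [
    101 => 4500,
    102 => 7250,
    103 => 12999,
];

// Look up the authoritative price for a car id; null if the id is unknown.
function lookup_price(int $id): ?int {
    return CATALOGUE[$id] ?? null;
}

// Issue (once per session) a random CSRF token and return it for the form.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_valid(array $session, ?string $submitted): bool {
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Core of the handler. Returns ['ok' => bool, 'error' => ?string] and, on
// success, updates $session['basket'] and $session['total_cost'].
function add_to_basket(string $method, array $post, array &$session): array {
    if ($method !== 'POST') {
        return ['ok' => false, 'error' => 'Basket changes must be submitted with POST'];
    }
    if (!csrf_valid($session, $post['csrf_token'] ?? null)) {
        return ['ok' => false, 'error' => 'Invalid or missing CSRF token'];
    }
    // Accept only a plain positive integer id; reject anything else outright.
    $id = filter_var($post['item'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['ok' => false, 'error' => 'Invalid car id'];
    }
    $price = lookup_price($id);
    if ($price === null) {
        return ['ok' => false, 'error' => 'Unknown car id'];
    }
    // The price comes from the catalogue, never from the request, so a
    // tampered "cost" parameter has no effect. Duplicate ids are not added.
    $session['basket'] ??= [];
    if (isset($session['basket'][$id])) {
        return ['ok' => false, 'error' => 'Car already in basket'];
    }
    $session['basket'][$id] = $price;
    $session['total_cost'] = array_sum($session['basket']);
    return ['ok' => true, 'error' => null];
}

// Wiring for a real request (uncomment in the web handler):
// session_start();
// $result = add_to_basket($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION);

// Stand-alone demonstration with a simulated session.
$session = [];
$token = csrf_token($session);

$attempts = [
    // A hand-edited GET like the one in the question: rejected before any lookup.
    ['GET',  ['item' => '101', 'cost' => '1'],                        'tampered GET'],
    // POST without the token (e.g. a form on another site): rejected.
    ['POST', ['item' => '101'],                                       'POST without token'],
    // Legitimate submission; "cost" is supplied but ignored.
    ['POST', ['item' => '101', 'cost' => '1', 'csrf_token' => $token], 'valid POST'],
    // Same car again: not added twice.
    ['POST', ['item' => '101', 'csrf_token' => $token],               'duplicate item'],
    // Non-existent car id: rejected by the catalogue check.
    ['POST', ['item' => '999', 'csrf_token' => $token],               'unknown id'],
];

foreach ($attempts as [$method, $post, $label]) {
    $r = add_to_basket($method, $post, $session);
    printf("%-18s => %s\n", $label, $r['ok'] ? 'added' : 'rejected: ' . $r['error']);
}
printf("basket total: %d\n", $session['total_cost'] ?? 0);
```

Run it with `php basket.php`: only the valid POST is added and the basket total is 4500, the catalogue price, regardless of the `cost` value sent by the browser. The form that posts to this handler would include the token from `csrf_token($_SESSION)` as a hidden field named `csrf_token`.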