Solved

PHP Shopping Cart - When to reduce item quantity in the stock table?

Posted on 2004-10-28
Last Modified: 2013-12-12
Hi,

I have generated an online shopping cart to be used on my website.  The cart content is stored in an associative array held in a PHP session variable.

I have opted to use Worldpay to handle all credit card transactions.

My question is: at what stage of the shopping process should I update the quantity fields in the stock table to reflect the purchase?

Obviously I do not want to do this before payment has been taken for obvious reasons...

Worldpay offer a callback service so that a script on my website can be run after a successful transaction has been processed.  What I plan to do is write the order information to a partially completed table in the database before the credit card transaction takes place.  Then, when Worldpay issue the callback, information will be deleted from the partial orders table, written to a completed orders table and the quantity fields in the stock table updated accordingly.

If the callback fails, I will still have the basket ID of the order, thus enabling me to manually update the stock table with the information held in the partial orders table.

Please can anyone give their thoughts / opinions of this method?  The advice I have received from these pages in the past has been invaluable.

Thanks


 
Question by:rvr_1
12 Comments
 
LVL 12

Assisted Solution

by:minichicken
minichicken earned 510 total points
ID: 12434109
Hi rvr_1

I think you are on the right track, as I also recently created an e-commerce site with shopping functionality. Your method is almost the same as the way I did it.

This is how it goes:
1.) I have 3 DB tables just for the purchase process, namely CART (stores items in the cart - just temporary storage of the items that will be purchased - if the transaction was successful then move all items to PURCHASED, else delete them all), ORDER (stores the order details), PURCHASED (stores the items that are purchased - permanently - if the transaction was successful).

2.) Both CART and PURCHASED have ORDER_ID as a foreign key in the table, as 1 ORDER can have many CART items and 1 ORDER can have many PURCHASED items.

3.) So while the user is still in his shopping process, all the items will be added to or removed from his shopping cart, so items get inserted into CART and deleted from CART.

4.) Just before the user checks out and gets redirected to the payment gateway, an ORDER number or ID is generated and passed to the payment gateway in order to get passed back from the callback.

5.) So now, getting back to your site with the callback: if the transaction was successful then insert every item with the ORDER number or ID that was passed back from CART into PURCHASED. Then delete everything in CART where the Order ID = the order number from the callback. Of course, only if successful, you then update your STOCK table.

6.) If the transaction failed, then just delete everything from CART with the appropriate ORDER ID, or you can give the user the option to check out again. You won't need to update your STOCK table if unsuccessful.

Just some of my thoughts.... hope you find it useful...
LVL 48

Assisted Solution

by:hernst42
hernst42 earned 480 total points
ID: 12434168
I think you should update the stock just before you submit the information to check the credit card. Otherwise it might be possible that you run out of items for another customer whose purchase is also currently in progress.
You may also have a table where you store those elements that are currently being checked. If a user requests an element that is out of stock, but some items are in the transit queue, you might send him a note to check again.

If the check of the credit card fails, re-add the quantities to the stock and remove the numbers from the transit queue.

It depends on your attitude. Sell some items less, but the customer gets everything he wanted directly, or tell him, after he has purchased, that some items may take a longer time to deliver. I think the long-term success will be with the 1st attitude.
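The reservation approach hernst42 describes, as an added example that is not code from the thread: quantities are moved from free stock into a transit queue at checkout inside one transaction, and given back if the card check fails, so a second customer cannot take an item that is already being paid for. The in-memory SQLite database, the table and column names and the sample quantities are assumptions.

```php
<?php
// Added example (not from the thread): reserve stock at checkout, as hernst42
// suggests, so two in-flight purchases cannot both take the last item.
// In-memory SQLite with constructed data; table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stock (sku TEXT PRIMARY KEY, qty INTEGER NOT NULL)');
$db->exec('CREATE TABLE transit_queue (order_id TEXT, sku TEXT, qty INTEGER)');
$db->exec("INSERT INTO stock VALUES ('WIDGET', 3), ('GADGET', 1)");

// Move the ordered quantities from free stock into the transit queue, all or nothing.
// The "qty >= :min" guard makes the UPDATE touch no row instead of going negative.
function reserveStock(PDO $db, string $orderId, array $cart): bool
{
    $db->beginTransaction();
    $dec = $db->prepare('UPDATE stock SET qty = qty - :n WHERE sku = :sku AND qty >= :min');
    $ins = $db->prepare('INSERT INTO transit_queue VALUES (:o, :sku, :n)');
    foreach ($cart as $sku => $n) {
        $dec->execute([':n' => $n, ':sku' => $sku, ':min' => $n]);
        if ($dec->rowCount() !== 1) {   // not enough left: undo the whole order
            $db->rollBack();
            return false;
        }
        $ins->execute([':o' => $orderId, ':sku' => $sku, ':n' => $n]);
    }
    $db->commit();
    return true;
}

// Card check failed: give the quantities back and clear this order's queue entries.
function releaseStock(PDO $db, string $orderId): void
{
    $db->beginTransaction();
    $rows = $db->prepare('SELECT sku, qty FROM transit_queue WHERE order_id = :o');
    $rows->execute([':o' => $orderId]);
    $inc = $db->prepare('UPDATE stock SET qty = qty + :n WHERE sku = :sku');
    foreach ($rows->fetchAll(PDO::FETCH_ASSOC) as $r) {
        $inc->execute([':n' => $r['qty'], ':sku' => $r['sku']]);
    }
    $db->prepare('DELETE FROM transit_queue WHERE order_id = :o')->execute([':o' => $orderId]);
    $db->commit();
}

// First customer reserves the last GADGET; a second customer tries while that
// payment is still in progress; then the first card check fails and stock is released.
var_dump(reserveStock($db, 'ORD-1', ['GADGET' => 1, 'WIDGET' => 2]));
var_dump(reserveStock($db, 'ORD-2', ['GADGET' => 1]));
releaseStock($db, 'ORD-1');
var_dump(reserveStock($db, 'ORD-2', ['GADGET' => 1]));
```

The second reservation is refused while the first is in transit and succeeds only after releaseStock() has returned the quantity; on a shared database the same UPDATE guard protects against two callbacks racing.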

Author Comment

by:rvr_1
ID: 12434428
Thanks for your comments - I found them really useful :o)

Just one thought regarding security - what process have you used to stop a hacker bypassing the payment gateway?

I.e. if a hacker is able to obtain the Order ID that is passed to the payment gateway - what is to stop them just calling the script that handles the callback and passing the Order ID to this script - thus simulating a completed order without payment being taken?

Are PHP Session variables able to hold their value throughout the payment gateway process so that they can be used for verification in the PHP callback script?

Many Thanks!
LVL 10

Accepted Solution

by:frugle
frugle earned 510 total points
ID: 12439742
First of all, the script that handles the callback should check that the information that is being submitted is actually coming from the payment gateway.

The hacker probably won't know exactly which variables are being passed back to the server - iirc WorldPay has an account passphrase that it uses to signal a completed transaction, which is customised in your WorldPay account. If this is not received you have to assume that the process has been interrupted and flag it for manual inspection.

Regarding sessions, I'm not sure but I think that once you leave your domain your session ends... check http://uk2.php.net/manual/en/ref.session.php to be certain.

Mike
LVL 12

Expert Comment

by:minichicken
ID: 12442046
Normally, when you submit info to the payment gateway, there should be a checksum that is calculated from your WorldPay Vendor ID with the total amount and other variables. This is verified at the payment gateway. Again, once the payment process is done, the payment gateway should then generate another checksum from other variables, which gets sent back to your site with the callback. On your site you then should check the checksum values to see if they match up. The reason for the checksum is that if there was an interruption by a hacker, the values of the callback will change and therefore will result in a different checksum value and hence will not match the initial checksum, which is invalid, and you will know that there was an interruption.

Regarding sessions>> the session will expire, if not instantly then in a few seconds or minutes, once you leave your domain.... but I think you can configure that in the setup of your web server, but I would recommend keeping the session alive once the user has left the domain, due to security reasons.

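The checks frugle and minichicken describe for the callback script (that the request really came from the gateway, and that the order and amount are the ones your site created), as an added example rather than code from the thread or from WorldPay. The field names, the shared secret and the use of HMAC-SHA256 in place of the plain md5 checksum mentioned above are assumptions standing in for whatever the gateway actually sends.

```php
<?php
// Added example (not from the thread or from WorldPay): verify a payment
// callback before trusting it. Field names, the shared secret and the
// HMAC-SHA256 signature are assumptions standing in for what the gateway sends.
const CALLBACK_SECRET = 'constructed-secret-configured-in-the-gateway-account';
// Partial orders written before redirecting to the gateway (constructed sample).
$partialOrders = [
    'ORD-1001' => ['amount' => '49.99', 'currency' => 'GBP', 'status' => 'pending'],
];

// Sign the fields that decide what was bought and paid, so a changed amount or
// order id changes the MAC. Only the shop and the gateway know the secret.
function expectedSignature(array $f): string
{
    $data = implode('|', [$f['orderId'], $f['amount'], $f['currency'], $f['transStatus']]);
    return hash_hmac('sha256', $data, CALLBACK_SECRET);
}
// Returns 'completed', or the reason the callback was not acted on.
function handleCallback(array $post, array &$orders): string
{
    foreach (['orderId', 'amount', 'currency', 'transStatus', 'signature'] as $k) {
        if (!isset($post[$k])) return 'rejected: missing field ' . $k;
    }
    // 1. Did it come from the gateway? hash_equals compares in constant time.
    if (!hash_equals(expectedSignature($post), $post['signature'])) return 'rejected: bad signature';
    // 2. Is it an order we created and not yet settled? (A replayed callback stops here.)
    $order = $orders[$post['orderId']] ?? null;
    if ($order === null) return 'rejected: unknown order';
    if ($order['status'] !== 'pending') return 'ignored: order already ' . $order['status'];
    // 3. Was the expected amount paid in the expected currency? If not, hold for a human.
    if ($post['amount'] !== $order['amount'] || $post['currency'] !== $order['currency']) {
        return 'flagged: amount mismatch, needs manual inspection';
    }
    if ($post['transStatus'] !== 'Y') {
        $orders[$post['orderId']]['status'] = 'failed';
        return 'failed: payment not authorised, stock untouched';
    }
    $orders[$post['orderId']]['status'] = 'completed';  // move CART to PURCHASED, update STOCK here
    return 'completed';
}

// Constructed callbacks: the forgery rvr_1 asks about (a valid order id but no
// valid signature), then the genuine one, then the genuine one replayed.
$genuine = ['orderId' => 'ORD-1001', 'amount' => '49.99', 'currency' => 'GBP', 'transStatus' => 'Y'];
$genuine['signature'] = expectedSignature($genuine);
$forged = $genuine; $forged['signature'] = str_repeat('0', 64);
echo handleCallback($forged, $partialOrders), PHP_EOL;
echo handleCallback($genuine, $partialOrders), PHP_EOL;
echo handleCallback($genuine, $partialOrders), PHP_EOL;
```

Knowing the Order ID alone is not enough to complete an order here: without the secret the signature check fails, and a captured genuine callback cannot be replayed because the order is no longer pending.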

Author Comment

by:rvr_1
ID: 12442077
Thanks - invaluable advice as always.

You mentioned in your post about calculating the checksum values on my site.

Could you please give me a little more information about how this is achieved?

Many Thanks!
LVL 12

Expert Comment

by:minichicken
ID: 12442758
Hi rvr_1

I don't know if WorldPay already supports the checksum security; if they do then you don't have to worry about it and just follow their routine.
You might want to look at the Zend articles on the md5 algorithm for checksums, if WorldPay does not support the checksum routine.
The article has 3 parts, is pretty comprehensive, with sample code, and explains why HTTP data transfer is not secure and how to apply the md5 algorithm.

http://www.zend.com/zend/spotlight/securevariablepart1.php
http://www.zend.com/zend/spotlight/securevariablepart2.php
http://www.zend.com/zend/spotlight/securevariablepart3.php

Hope you find it useful....
LVL 12

Expert Comment

by:minichicken
ID: 12665798
I recommend {minichicken} as accepted answer and {frugle} as assisting answer.

Thanks :)
LVL 10

Expert Comment

by:frugle
ID: 12665877
you would!  :-)

I agree.

Mike
LVL 48

Expert Comment

by:hernst42
ID: 12676947
my recommendation:
    Split: minichicken {http:#12434109} & hernst42 {http:#12434168} & frugle {http:#12439742}
LVL 12

Expert Comment

by:minichicken
ID: 12679074
oh... sorry hernst42, I missed your comment in this question.

so my recommendation is -> Split: minichicken {http:#12434109} & hernst42 {http:#12434168} & frugle {http:#12439742}
Question has a verified solution.
