How to select posted variables which are higher than 0

Dear Experts,
I use PHP. On my order page,
I let my customers select which products they are willing to order.
I have like 10 products on a single page; they select the product and the number for that product and make the order.
Some of them select 5-4 products, some of them select all products.
On the action page I have 20 variables posted to my page like below (the ids of the products and the numbers).
Every one of them is an integer (number). I select the price from the database with the product id posted to my page for every single item.

However if I know which variable is higher than 0 I would select only those I needed.

$first = 0;
$second = 2;
$third = 8;
$forth = 7;
$fifth = 3;
$sixth = 0;
$seventh = 0;

I want to select only the variables which are higher than 0 and use them.
If only I knew which posted variables are bigger than 0 in the first place, I could call only those variables.
If I write an if statement for each, you can imagine how many if statements I need to write. There must be a better way.
How can I do that? Otherwise I use them like this:

if ($first > 0) {
    // select the price from the database with the related id, then
    $firstproductprice = $first * $firstprice;
}
if ($second > 0) {
    // select the price from the database with the related id, then
    $secondproductprice = $second * $secondprice;
}

what do you suggest I should do?
thank you
BRMarketing Asked:
Dave Baldwin (Fixer of Problems) Commented:
What you have posted is a perfectly adequate method.  Even if you put it in a loop, you probably need to identify the separate products, quantities, and prices.  Sometimes things like this just require a lot of typing.
Chris Stanyon (WebDev) Commented:
If you use a DB Query to display the products in the first place, why not just select the price at that point and include it in a hidden field along with the product Id and qty. Then when you pass the POST variables to your PHP page, you will already have the price and won't need to re-visit the Db for each product.

You can name your form variables using the array syntax:

<input type="hidden" name="product[$id][price]" value="$price" />
<input type="text" name="product[$id][qty]" />

And then in PHP:

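foreach ($_POST['product'] as $id => $details):
    // $id, price and qty all arrive from the submitted form; escape before output
    echo "ID: " . htmlspecialchars((string) $id);
    echo "Price: " . htmlspecialchars($details['price']);
    echo "Qty: " . htmlspecialchars($details['qty']);
    echo "Total: " . (int) $details['qty'] * (float) $details['price'];
endforeach;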


Olaf Doschke (Software Developer) Commented:
Chris, just because a price is hidden from the user interface doesn't mean it's not available in the browser HTML. A website allowing me to specify prices? Nice! Make a suggestion to Amazon, would be nice. You would always check user input in regard of correctness; putting something into form elements to get it passed on to the form action is a bad idea. All you would pass on are product ids to requery them and then present the result to the user for confirmation.

You can simplify the naming of variables a lot, if you simply give all quantity inputs an array name using square brackets:
<form action="#" method="POST" name="quantities" >
    <label>Apples</label>:<input type=hidden name="products[1][name]" value="Apple"><input type="text" name="products[1][qty]" value=0>
    <br><label>Pears</label>:<input type=hidden name="products[2][name]" value="Pear"><input type="text" name="products[2][qty]" value=0>
    <br><label>Oranges</label>:<input type=hidden name="products[3][name]" value="Orange"><input type="text" name="products[3][qty]" value=0>
    <br><input type=submit>
</form>
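<?php

  if (isset($_POST['products']) && is_array($_POST['products']))
  {
      echo 'Your order:';
      foreach ($_POST['products'] as $product )
        {
           // qty and name come from the form: cast the number, escape the text
           if ((int) $product['qty'] > 0)
               echo '<br>'.(int) $product['qty'].' '.htmlspecialchars($product['name']).'s';
        }
  }
?>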



The HTML form elements with names given in array form arrive in PHP as an array within the single $_POST element $_POST['products'], and each row can be extracted with foreach. As you can see, it's now simple to only list products with quantity > 0.

Bye, Olaf.


BRMarketing (Author) Commented:
Dear Olaf,
You are right. Thank you for your wonderful comment.
Olaf Doschke (Software Developer) Commented:
Just a few more notes on this code:

Hidden name elements are optional; you may rather use these elements to store the database id of products, then in the processing PHP part look up product name and price by id. If users fiddle with these HTML form names or ids they'd just order other products for which they don't know names or ids and prices, but that's not a security concern, your order summary would show them the submitted list of products, quantities, and prices.
BRMarketing (Author) Commented:
Dear Olaf Doschke,
You are so right. Your comment is wonderful. I always ask this question to myself.
I think the same way you do.
I'm glad that you share it. (I used to have concerns about it; after I heard from you, now I am content.)

Thank you so much.
Chris Stanyon (WebDev) Commented:
My point wasn't about security, just practicality. You could always encrypt the content so it can't be fiddled with (see what PayPal do)

I've already covered the part about naming the form fields as variables, and even if you don't pass price, this would still be an easier way to process your data. Just loop through the array and query the Db - make sure you use a prepared query if you're going to do this as it will be much more efficient.
BRMarketing (Author) Commented:
Thank you Olaf Doschke,
Although part of Chris's comment was helpful, I select your comment as the Best Answer.
Olaf Doschke (Software Developer) Commented:
Thanks, but indeed it's worth giving Chris the solution, as he posted about naming inputs first.

But Chris, "see what PayPal do"? Are you talking about https? That alone just is ensuring transfer encryption. You can fiddle with an HTML form coming from https URL in exactly the same manner.

And if you don't mean that: Setting an encrypted price value in the inputs, I don't see that on PayPal, what are you talking about?
Chris Stanyon (WebDev) Commented:
Hey Olaf,

When you create a button in PayPal, all the product details, including price, are sent as an encrypted string in the <form> to prevent tampering. PayPal then decrypt it at their end so they know it's genuine.
Olaf Doschke (Software Developer) Commented:
OK, I see what you mean. This happens out of the necessity because PayPal can't look up the prices in the product database of a shop. It asks for a final price of a whole shopping cart typically, if you make PayPal a payment option.

But if you're in control about your data, why would you take the extra cpu resource to encrypt and later decrypt prices?

I'd bundle the ids coming back into a comma separated list and do one query for all prices, for example, and all other extra info I use for creating the order confirmation list. If a "hacker" then fiddles with the ids, so he may, he'll simply get names and prices of other products he doesn't want. I'm reliably under control about what price belongs to what product.

To accept the confirmation of what I display for verification to the customer, I'd use CSRF prevention. That involves quite a bit more and can check quite a bit more, see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

PayPal on the other side has to accept one request without previous history of building up the shopping cart, etc. as coming from the shop or customer and meant the way it's sent in. The user also sees what he's bound to pay and confirms that again, and at that stage, you also don't just have the encrypted payment amount sent to PayPal, but PayPal uses the same CSRF prevention to check whether the PayPal account owner confirms what was initially sent to PayPal.

So in both cases the concept is to reflect back what you received and ask for confirmation. Otherwise you could also quite easily let customers make payments they didn't actively click on.

The main thing that happens is the feedback confirmation cycle. You just ask the one final confirmation for what you know you have received beforehand and you make double sure that final yes comes from the customer.
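
The server-side lookup described in the comment above (keep only quantities above 0, then fetch all prices in one query keyed by product id), as an added example that is not part of the original thread. The in-memory SQLite table, its column names, the `buildOrder` function and the sample submission are assumptions constructed for illustration.

```php
<?php
// Constructed catalogue: an in-memory SQLite table standing in for the shop's product table.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)');
$pdo->exec("INSERT INTO products VALUES (1,'Apple',50),(2,'Pear',70),(3,'Orange',90)");

// Constructed submission shaped like products[<id>][qty]; a real handler reads $_POST['products'].
// The tampered 'price' key and the zero, unknown, non-numeric and negative entries must have no effect.
$posted = [
    '1'  => ['qty' => '0'], '2' => ['qty' => '2', 'price' => '0.01'], '3' => ['qty' => '8'],
    '99' => ['qty' => '1'], 'x' => ['qty' => '5'],                    '4' => ['qty' => '-3'],
];

function buildOrder(PDO $pdo, array $posted, int $maxQty = 100): array
{
    // Keep only integer ids whose quantity is an integer in 1..$maxQty.
    $wanted = [];
    foreach ($posted as $id => $fields) {
        $id  = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $raw = is_array($fields) ? ($fields['qty'] ?? null) : null;
        $qty = filter_var($raw, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1, 'max_range' => $maxQty]]);
        if ($id !== false && $qty !== false) {
            $wanted[$id] = $qty;
        }
    }
    if (!$wanted) {
        return ['lines' => [], 'total_cents' => 0];
    }
    // One prepared query for all prices: one placeholder per id, ids bound as parameters.
    $marks = implode(',', array_fill(0, count($wanted), '?'));
    $stmt  = $pdo->prepare("SELECT id, name, price_cents FROM products WHERE id IN ($marks)");
    $stmt->execute(array_keys($wanted));
    $order = ['lines' => [], 'total_cents' => 0];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {   // unknown ids return no row
        $qty  = $wanted[(int) $row['id']];
        $line = $qty * (int) $row['price_cents'];           // price comes from the database only
        $order['lines'][] = ['id' => (int) $row['id'], 'name' => $row['name'],
                             'qty' => $qty, 'line_cents' => $line];
        $order['total_cents'] += $line;
    }
    return $order;
}

$order = buildOrder($pdo, $posted);
foreach ($order['lines'] as $l) {
    printf("%d x %s = %.2f\n", $l['qty'], $l['name'], $l['line_cents'] / 100);
}
printf("Total: %.2f\n", $order['total_cents'] / 100);
```

Prices are held as integer cents to avoid floating-point rounding in totals; when the lines are rendered into an HTML confirmation page, the product name should go through `htmlspecialchars`.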
Chris Stanyon (WebDev) Commented:
Yeah - all good points Olaf.

> But if you're in control about your data, why would you take the extra cpu resource to encrypt and later decrypt prices?

As opposed to using extra CPU resources to hit the database over and over again ;)

Probably makes more sense to add the product id and qty into an OrderDetails, and then just JOIN to the product table when you need the info, i.e. Order Confirmation ... but we're into the realms of different scenarios here and way beyond the scope of this discussion.
Olaf Doschke (Software Developer) Commented:
> as opposed to using extra CPU resources to hit the database over and over again ;)
Well, ever heard of caching? Databases are really good at returning data that is often hit...
But you don't have to extend the cache up to the client :))

Besides, yes, you'd rather store order details and update them with product prices times qty ordered for the order summary and confirmation.

Bye, Olaf.