Archived

This topic is now archived and is closed to further replies.

tellar

add to cart after payment

I have the following problem:

 

Once a customer has paid, it is possible for them to log in from a different browser window and add more products to the shopping cart.

 

The customer can then go back to the confirm page and the whole order is sent, including the products which are not paid for.

 

How can I stop this?

My first thought was to mention the 'cartID' session variable that prevents this type of thing from happening. But first I needed to see it in action, so I set up a test case where it would trigger. To my surprise, the 'cartID' checks are not working on my osCommerce installation.

 

After researching this, the issue appears to be with the PHP session serialization. In checkout_shipping.php, when $cartID and $cart->cartID are set to the same string, $cartID is serialized as a reference to $cart->cartID -- even though it's not actually a reference. Then, when the session data is restored for the next page request, $cartID is restored as a reference to $cart->cartID. If the cart is updated from another browser window, $cartID instantly reflects this change and the cartID comparison will always be successful.

 

The serialized session data is stored in the MySQL database and can be easily viewed. To interpret it, see this link. By putting code at the end of the page, I was able to verify that the two variables were not references. But they were stored as references in the session table.

 

This problem may be related to this PHP bug. I tried to make a simple test case, but could not. If anyone has more information on this, I'd like to know.

 

Here are the steps to recreate in Firefox and IE8:

 

  1. Log in to osCommerce as a customer, then log out. This will clear existing session variables.
  2. Log in to osCommerce again.
  3. Add items to the cart.
  4. Proceed to checkout and continue until you reach the "checkout_confirmation.php" page.
  5. Open a new tab in your browser.
  6. In the new tab, open osCommerce. You will already be logged in.
  7. Go to the shopping cart and modify or delete an item. Make sure the cart is not empty.
  8. Switch back to the first tab, the one where you're at the "checkout_confirmation.php" page.
  9. Refresh the page. Respond "yes" if your browser asks to re-send previously submitted information.
  10. If you are redirected to the "checkout_shipping.php" page, then all is well. If the "checkout_confirmation.php" page refreshes with the updated cart, then the code has failed.

 

I'm running osCommerce 2.2RC2a with PHP 5.2.6. I'm using osCommerce's "mysql" session store.


Check out Chad's News.

More info on this. Here's a var_dump of $cart. It shows the '&' in front of the 'cartID' type, which indicates that the value is referenced by multiple variables.

 

object(shoppingCart)#1 (7) {
 ["contents"]=>
 array(2) {
   [29]=>
   array(1) {
     ["qty"]=>
     int(1)
   }
   [40]=>
   array(1) {
     ["qty"]=>
     int(1)
   }
 }
 ["total"]=>
 float(11)
 ["weight"]=>
 float(0.59)
 ["cartID"]=>
 &string(3) "123"
 ["content_type"]=>
 string(8) "physical"
}


Check out Chad's News.
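As an added illustration, not code from this thread or from osCommerce, the following stand-alone PHP script reproduces the mechanism described in the two posts above: a session entry that is serialized as a reference (the "R:" marker in the serialized data, the "&" in the var_dump) to $cart->cartID is re-linked when the session is unserialized, so after the cart changes from another window the stored cartID has changed with it and the comparison still passes. A genuine value copy does not follow the cart, and the stale snapshot is detected. The Cart class and its modify() method are hypothetical stand-ins for osCommerce's shoppingCart; the checkout pages themselves are not modelled.

```php
<?php
// Added example (not osCommerce code). Demonstrates why a session variable that
// round-trips as a PHP reference to $cart->cartID can never detect a changed cart,
// and how storing a plain value copy restores the check.

// Hypothetical stand-in for osCommerce's shoppingCart object.
class Cart {
    public $cartID;
    public function __construct($id) { $this->cartID = $id; }
    // Simulates the cart being changed from another browser window: a new ID is generated.
    public function modify($newID) { $this->cartID = $newID; }
}

// Case 1: the session holds a reference to the live cart ID (what the bug amounts to).
function session_roundtrip_with_reference() {
    $cart = new Cart('123');
    $session = array('cart' => $cart);
    $session['cartID'] = &$cart->cartID;   // explicit reference; serializes as "R:n;"

    $blob = serialize($session);           // the session store would hold this string
    $restored = unserialize($blob);        // PHP re-links the reference on restore

    $restored['cart']->modify('456');      // the other tab changes the cart...
    // ...and the "saved" cartID follows it, so the stale-cart check passes wrongly.
    return array(
        'blob_has_reference' => strpos($blob, 'R:') !== false,
        'check_passes'       => $restored['cartID'] === $restored['cart']->cartID,
    );
}

// Case 2: the session holds a value copy, so a modified cart is detected.
function session_roundtrip_with_copy() {
    $cart = new Cart('123');
    $session = array('cart' => $cart);
    $session['cartID'] = (string) $cart->cartID;  // cast yields a temporary: its own copy, no reference

    $blob = serialize($session);
    $restored = unserialize($blob);

    $restored['cart']->modify('456');
    // The snapshot still reads "123", so the check fails and checkout can be sent
    // back to checkout_shipping.php as intended.
    return array(
        'blob_has_reference' => strpos($blob, 'R:') !== false,
        'check_passes'       => $restored['cartID'] === $restored['cart']->cartID,
    );
}

echo "Serialized with reference:\n", serialize((function () {
    $c = new Cart('123'); $s = array('cart' => $c); $s['cartID'] = &$c->cartID; return $s;
})()), "\n\n";

var_dump(session_roundtrip_with_reference());
var_dump(session_roundtrip_with_copy());
```

Running this prints the serialized blob for the reference case, where the second cartID appears as an "R:" back-reference rather than a second string, followed by the two result arrays: in the reference case the check still passes after the cart was modified, in the copy case it does not. Inspecting the session table for "R:" next to the cartID key, as the post above describes, is the quickest way to confirm whether a given installation is affected.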

I have the following problem:

 

Once a customer has paid, it is possible for them to log in from a different browser window and add more products to the shopping cart.

 

The customer can then go back to the confirm page and the whole order is sent, including the products which are not paid for.

 

How can I stop this?

After researching this, I believe you can fix it by swapping the order of two lines in checkout_shipping.php. Change the following:

 

 if (!tep_session_is_registered('cartID')) tep_session_register('cartID');
 $cartID = $cart->cartID;

To be this instead:

 

 $cartID = $cart->cartID;
 if (!tep_session_is_registered('cartID')) tep_session_register('cartID');

I haven't tested this thoroughly, so use it at your own risk.


Check out Chad's News.
