Automatically Add Products to the cart via URL?

[sanguisdesign]

It was a joke, I know PHP programming, I think I'll write a new page that receive model # from the remote configurator, than execute a query on products table to find that model# (just in case I can test if there's more than 1 record with it and return a warning message, or launch advanced_search page to list all products found), then extract the right products_id and finally add it to shopping cart.

You may want to start looking at the code mods for the SEO URL's mods, they already have modified the base that you need to modify

[moosesoom]

Here's my first (quite simple) solution.

I hope ZC masters here will contribute to it with comments, corrections and more. If you find something wrong, please tell me.

I created a new page: /includes/templates/template_default/templates/tpl_add_product_by_model_default.php:

PHP Code:

<?php
        $model_from_remote_configurator = $_GET['modelcode'];
        $products_query = "select products_id, products_model from products where products_model = \"$model_from_remote_configurator\"";
        $products = $db->Execute($products_query);
        if ($products->RecordCount() <= 1) {
           $myurl = "/index.php?action=buy_now&products_id=".$products->fields['products_id'];
        } else {
           $myurl = "/index.php?main_page=advanced_search_result&keyword=".$model_from_remote_configurator;
        }
        zen_redirect($myurl);
?>

It has to be called as follows (usually from some remote configurators....like memory, batteries, passing their code for selected item):

http://MY_SHOP_URL/index.php?main_pa...odelcode=MODEL

Where MY_SHOP_URL is your shop's URL and MODEL is an alphanumeric model number (it's compared with products_model field in your ZC database).

If your database contains ONE product with products_model equal to MODEL, it's automatically added to your cart.

If your database contains MORE THAN ONE product with products_model equal to MODEL, you'll be redirected to advanced search page showing all these products.

If your database doesn't contain any products with products_model equal to MODEL, "no product found" is reported.

[MattyMatt]

That would leave you open to a SQL injection/ password enumeration vulnerability as mentioned here

http://www.gulftech.org/?node=resear...00129-09042008

you need a htmlentities($_GET['modelcode'], ENT_QUOTES)

Here's my first (quite simple) solution.

I hope ZC masters here will contribute to it with comments, corrections and more. If you find something wrong, please tell me.

I created a new page: /includes/templates/template_default/templates/tpl_add_product_by_model_default.php:

PHP Code:

<?php
        $model_from_remote_configurator = $_GET['modelcode'];
        $products_query = "select products_id, products_model from products where products_model = \"$model_from_remote_configurator\"";
        $products = $db->Execute($products_query);
        if ($products->RecordCount() <= 1) {
           $myurl = "/index.php?action=buy_now&products_id=".$products->fields['products_id'];
        } else {
           $myurl = "/index.php?main_page=advanced_search_result&keyword=".$model_from_remote_configurator;
        }
        zen_redirect($myurl);
?>

It has to be called as follows (usually from some remote configurators....like memory, batteries, passing their code for selected item):

http://MY_SHOP_URL/index.php?main_pa...odelcode=MODEL

Where MY_SHOP_URL is your shop's URL and MODEL is an alphanumeric model number (it's compared with products_model field in your ZC database).

If your database contains ONE product with products_model equal to MODEL, it's automatically added to your cart.

If your database contains MORE THAN ONE product with products_model equal to MODEL, you'll be redirected to advanced search page showing all these products.

If your database doesn't contain any products with products_model equal to MODEL, "no product found" is reported.

[MattyMatt]

PHP Code:

        $products_query = "select products_id, products_model from products where products_model = \"$model_from_remote_configurator\""; 


should also be

PHP Code:

        $products_query = "select products_id, products_model from ".TABLE_PRODUCTS." where products_model = \"$model_from_remote_configurator\""; 


[moosesoom]

That would leave you open to a SQL injection/ password enumeration vulnerability as mentioned here

http://www.gulftech.org/?node=resear...00129-09042008

This was my main doubt.
Maybe I can sanitize modelcode with something like:

PHP Code:

if( isset($_GET['modelcode']) ) $_GET['modelcode'] = ereg_replace('[^0-9a-zA-Z]', '', $_GET['modelcode']); 


And more, I can cut lenght of read modelcode to the max lenght of products_model field.

What do you think about these solutions?

you need a htmlentities($_GET['modelcode'], ENT_QUOTES)

Don't understand if this a solution for SQL injection problem or just a different advice for the page. Never heard about this function.

[moosesoom]

should also be

PHP Code:

        $products_query = "select products_id, products_model from ".TABLE_PRODUCTS." where products_model = \"$model_from_remote_configurator\""; 


Thanks again

[MattyMatt]

This was my main doubt.
Maybe I can sanitize modelcode with something like:

PHP Code:

if( isset($_GET['modelcode']) ) $_GET['modelcode'] = ereg_replace('[^0-9a-zA-Z]', '', $_GET['modelcode']); 


And more, I can cut lenght of read modelcode to the max lenght of products_model field.

What do you think about these solutions?



Don't understand if this a solution for SQL injection problem or just a different advice for the page. Never heard about this function.

htmtlentities is a built in PHP function that will strip the quotes that would make the UNION fail but turning them into " a better option would probaby be

PHP Code:

preg_replace('/\s*/', '', $_GET['modelcode']) 


which would just kill the white space causing the SQL to fail


or better

PHP Code:

preg_replace('/[^a-z0-9]/i', '', $_GET['modelcode']) 


since ereg and it's associated expressions are deprecated and will issue warnings in PHP 5.3 (sometimes below) and will fail at some point in the future.

[moosesoom]

Well...it works flawlessly...till I change Admin/My Store/Display Cart After Adding Product from true to false.

Setting it to false generates unpredictable (maybe for me only) results:

Two cases:

1) the product is NOT the only one in its category:

- the product category listing is shown
- a green line with a lamp icon says the product is added to cart
- the product is added to the cart (not shown according to previous admin setting).

2) the product is the only one in its category:

- the product info page is shown
- NO green line appears
- the product is added to the cart (not shown according to previous admin setting).


Not really an error but possibly strange to customers.

Setting the admin "Display Cart After Adding Product" to true is not an option for this site.

Tomorrow I'll try to replicate everything on a fresh install (I suspect Ultimate SEO addon too...that's an "old" install)

[DavidIIM]

You could embed a hidden form in your HTML like

Code:

<form id="form_1" action="http://linktostore.com/index.php?main_page=product_info&amp;cPath=22&amp;products_id=44&amp;number_of_uploads=0&amp;action=add_product" method="POST">
<input type="radio" name="id[1]" value="16" id="attrib-1-16" />
</form>

and then make a link

Code:

<a href="javascript: document.getElementById('form_1').submit()">Buy this in blue.</a>

You need to go to your shop page, grab the HTML for the form of the item you are interested in, put in the attributes you want selected by looking for radio or <select . Then make sure the link refers to the correct form, so you are the one naming the form with an id, in this case form_1

Matt

Matt,

Is it possible to set up multiple forms on the same page and submit them all at once using a URL?

In this way I would be able to add multiple products with attributes to the cart at once.
http://www.greatgospelmusic.com/inde...=index&cPath=2