Currently, I use a 3rd party shopping cart that is disconnected from my website. In other words, when a person clicks on the "Buy Now" button, it leaves my website and goes to the 3rd party shopping cart site to complete the checkout process. I want to log the instances when a user clicks on a "Buy Now" button. How can I do this?
My first inclination would be to use a javascript solution such as:
<a onClick="return linkClicked()" href="http://www.example.com/cart.asp?product=widget"> BUY NOW!</a>
linkClicked would open a file on my server and add an entry. I've found that this won't work since javascript won't let me write to files.
Is there a way to do this in PHP? Is there a way to log the clicked link and then immediately forward the user to the shopping cart?
[edited by: ergophobe at 11:10 pm (utc) on June 29, 2005]
[edit reason] url exemplified [/edit]
<a href="clickpage.php">Checkout ..</a>
Then on your clickpage.php, something like:
// Do processing
insert into database
write to file .. etc.
then
header('Location: http://www.example.com/cart.asp?product=widget');
There shouldn't be any output at all on the clickpage.
just an idea
-sned
[edited by: jatar_k at 6:34 pm (utc) on June 29, 2005]
[edit reason] changed to example.com [/edit]
<a href="/redirect.php?product=widget">Buy Me!</a>
Then in redirect.php
//code to log stuff omitted
//if you're security minded, you should check
//vs a list of valid widgets, even though your
//cart should be taking care of this
if(!is_valid_widget($_GET['product'])){die('Nice try, haxor');}
//now, redirect
header("Location: http://www.example.com/cart.asp?product={$_GET['product']}");
If you can't change the links because of your shopping cart software, "Modern Browsers" will let you fire off a request to another PHP page in Javascript with the XMLHttpRequest object, so you might want to look into that as well.
[edited by: jatar_k at 6:35 pm (utc) on June 29, 2005]
[edit reason] changed to example.com [/edit]
I have an HTML file (product.html) with the following link:
<a href="/tocart.php?product=y-se47">Buy Me!</a>
tocart.php contains the code that logs the clicked link and then redirects to my shopping cart.
It seems to work fine, except that sometimes I have to click on the above link twice before it executes the php file and does the redirect.
This is the weird thing. When I first click on the link, it seems to do nothing (stays at product.html). But it did something. It executed part of the PHP file. I know this because it wrote to the file where I am logging the link info (test.txt). It just didn't do the redirect. When I click on the link the second time, it adds another entry to the log and does the redirect as it should.
Can anybody explain why this weird behaviour is occurring?
Below is the code for tocart.php
-------------------------------------
// Default target: the cart, with the product ID taken from the query string
$redirectTo = "http://www.examplecart.com/AddToCart.asp?product={$_GET['product']}";
$logDate = date("Y-m-d g:i a");
$logURL = $_SERVER['PHP_SELF'];
$logProductID = $_GET['product'];
$logEntry = "\n$logDate \t $logProductID \t $logURL";
$filename = 'test.txt';
// Append the entry to the log; on any failure, redirect to an error page instead
if (is_writable($filename)) {
    if (!$handle = fopen($filename, 'a')) {
        $redirectTo = "http://www.mysite.com/error-cart.html?error=fileopen";
    }
    if (fwrite($handle, $logEntry) === FALSE) {
        $redirectTo = "http://www.mysite.com/error-cart.html?error=writefile";
    }
    fclose($handle);
} else {
    $redirectTo = "http://www.mysite.com/error-cart.html?error=notwriteable";
}
header("Location: $redirectTo");
<?php
$form = "";
foreach($_POST as $key => $val){
$form .= "<input type=\"hidden\" name=\"".$key."\" value=\"".$val."\">";
}
?>
<html>
<head>
<script type="text/javascript">
window.onload = document.forms[0].submit();
</script>
</head>
<body>
<form action="/index2.php" method="post">
<?php print $form;?>
</form>
</body>
</html>
Will this automatically redirect?
It's part of the standard security mindset to assume every variable that a user can send to you will be messed with.
In the example above you're using the variable in a header. A malicious user could send a malformed header request that might crash/buffer overflow a browser, or insert a few newlines and redirect people through your server to wherever they want (think URLs in Porn Spam).
(and sorry to the Mods about the non-example.com links, I wasn't thinking yesterday, just copying)
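The log-then-redirect page discussed in this thread, as an added example that is not code from any poster: the product ID is checked against an allow-list before it is logged or placed in the Location header, so newlines or a foreign URL in the query string never reach the response. The product list, the log file path and the function names are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. The product IDs, log path and
// function names are assumptions chosen for illustration.

const CART_URL = 'http://www.example.com/cart.asp';
const LOG_FILE = __DIR__ . '/clicks.log';      // assumed log location
const VALID_PRODUCTS = ['widget', 'y-se47'];   // assumed catalogue

/**
 * Return the redirect URL for a requested product, or null when the value
 * is not a known product ID. Only allow-listed strings reach the Location
 * header, so CR/LF sequences and attacker-chosen URLs are rejected here.
 */
function redirect_target($product): ?string
{
    // $_GET values can be arrays (?product[]=x), so check the type first.
    if (!is_string($product) || !in_array($product, VALID_PRODUCTS, true)) {
        return null;
    }
    return CART_URL . '?product=' . rawurlencode($product);
}

/** Build one tab-separated log line with control characters stripped. */
function log_line(string $product, string $source): string
{
    $clean = fn(string $s): string => (string) preg_replace('/[\x00-\x1F\x7F]/', '', $s);
    return date('Y-m-d H:i:s') . "\t" . $clean($product) . "\t" . $clean($source) . "\n";
}

$product = $_GET['product'] ?? '';
$target  = redirect_target($product);

if ($target === null) {
    http_response_code(400);
    exit('Unknown product');
}

// A logging failure should not block the sale: append under a lock and
// carry on to the redirect even if the write fails.
@file_put_contents(LOG_FILE, log_line($product, $_SERVER['HTTP_REFERER'] ?? '-'), FILE_APPEND | LOCK_EX);

header('Location: ' . $target, true, 302);
exit; // nothing may be output after the redirect header
```

The Referer header is logged only after control characters are removed, because it is as user-controlled as the query string and could otherwise forge extra lines in the log.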