4WDCSA.co.za/submit_order.php
twotalesanimation 3247d15ce7 Task 9: Add CSRF tokens to form templates and backend processors
Updated forms with hidden CSRF token fields:
- comment_box.php - Comment form
- course_details.php - Course booking form
- campsites.php - Campsite addition modal form
- bar_tabs.php - Bar tab creation modal form
- membership_application.php - Membership application form

Updated backend processors with CSRF validation:
- create_bar_tab.php - Bar tab AJAX processor
- add_campsite.php - Campsite form processor
- submit_order.php - Order submission processor

All forms now require validated CSRF tokens before processing, preventing cross-site request forgery attacks.
2025-12-03 11:47:26 +02:00


<?php
session_start();
require_once("connection.php");
require_once("functions.php");

header('Content-Type: application/json');

// CSRF token validation: reject the request before the cart or the database is
// touched unless the submitted token matches the one bound to this session.
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
    http_response_code(403);
    echo json_encode(['status' => 'error', 'message' => 'Security token validation failed.']);
    exit();
}

if (isset($_POST['tab_id']) && isset($_SESSION['cart'][$_POST['tab_id']])) {
    $tab_id = (int) $_POST['tab_id']; // Ensure it's an integer
    $drinks = $_SESSION['cart'][$tab_id];
    $created_at = date('Y-m-d H:i:s'); // Not used by the insert below
    $errors = []; // Array to store SQL errors

    foreach ($drinks as $drink) {
        $drink_id = (int) $drink['item_id'];                                 // Ensure drink ID is an integer
        $drink_name = mysqli_real_escape_string($conn, $drink['item_name']); // Escape the free-text item name
        $drink_price = (float) $drink['item_price'];                         // Ensure price is a float
        $user_id = (int) $drink['user_id'];                                  // Ensure user ID is an integer

        // Insert each drink into the bar_transactions table. Every interpolated
        // value is cast or escaped above; a prepared statement would avoid
        // building the query string by hand at all.
        $sql = "INSERT INTO bar_transactions (user_id, tab_id, item_id, item_name, item_price) VALUES ('$user_id', '$tab_id', '$drink_id', '$drink_name', '$drink_price')";
        if (!mysqli_query($conn, $sql)) {
            $errors[] = "Error inserting drink ID $drink_id: " . mysqli_error($conn);
        }
    }

    if (empty($errors)) {
        // Clear the cart for this tab after successful submission
        unset($_SESSION['cart'][$tab_id]);
        echo json_encode(['status' => 'success', 'message' => 'Order submitted successfully!']);
    } else {
        // Log all errors and return failure message. Note that 'errors' carries
        // the raw mysqli_error() text back to the client.
        error_log(implode("\n", $errors)); // Log errors to the server
        echo json_encode(['status' => 'error', 'message' => 'Some items failed to be added.', 'errors' => $errors]);
    }
} else {
    echo json_encode(['status' => 'error', 'message' => 'Cart is empty or tab ID is invalid.']);
}