TwoTalesDev/4WDCSA.co.za
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7e544311e3c53caea3f1ef30ab1040e40a58971b
4WDCSA.co.za/submit_order.php
twotalesanimation 45523720ea Remove: Deprecated MySQLi functions - convert to OOP prepared statements 
- create_bar_tab.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_num_rows/mysqli_error with OOP prepared statements
- submit_order.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_error with OOP prepared statements
- fetch_drinks.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_fetch_assoc with OOP prepared statements
- comment_box.php: Removed mysqli_real_escape_string(), added CSRF token validation for comment submission

All files now use consistent OOP MySQLi approach with proper parameter binding. Fixes PHP 8.1+ compatibility and improves security against multi-byte character injection.
2025-12-03 19:52:54 +02:00

47 lines
2.0 KiB
PHP
Raw Blame History

<?php
session_start();
require_once("connection.php");
require_once("functions.php");
// CSRF Token Validation
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
http_response_code(403);
echo json_encode(['status' => 'error', 'message' => 'Security token validation failed.']);
exit();
}
if (isset($_POST['tab_id']) && isset($_SESSION['cart'][$_POST['tab_id']])) {
$tab_id = (int) $_POST['tab_id']; // Ensure it's an integer
$drinks = $_SESSION['cart'][$tab_id];
$created_at = date('Y-m-d H:i:s');
$errors = []; // Array to store SQL errors
foreach ($drinks as $drink) {
$drink_id = (int) $drink['item_id']; // Ensure drink ID is an integer
$drink_name = $drink['item_name']; // No escaping needed with prepared statements
$drink_price = (float) $drink['item_price']; // Ensure price is a float
$user_id = (int) $drink['user_id']; // Convert to integer
// Insert each drink into the bar_transactions table using prepared statement
$stmt = $conn->prepare("INSERT INTO bar_transactions (user_id, tab_id, item_id, item_name, item_price) VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param("iiisi", $user_id, $tab_id, $drink_id, $drink_name, $drink_price);
if (!$stmt->execute()) {
$errors[] = "Error inserting drink ID $drink_id: " . $conn->error;
}
}
if (empty($errors)) {
// Clear the cart for this tab after successful submission
unset($_SESSION['cart'][$tab_id]);
echo json_encode(['status' => 'success', 'message' => 'Order submitted successfully!']);
} else {
// Log all errors and return failure message
error_log(implode("\n", $errors)); // Log errors to the server
echo json_encode(['status' => 'error', 'message' => 'Some items failed to be added.', 'errors' => $errors]);
}
} else {
echo json_encode(['status' => 'error', 'message' => 'Cart is empty or tab ID is invalid.']);
}
Reference in New Issue View Git Blame Copy Permalink