// Check if requested quantity exceeds available stock if ($num > $product['stock_quantity']) die(json_encode([ 'error' => 'Insufficient stock', 'available' => $product['stock_quantity'] ]));
// Generate token in main page $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // In add_to_cart.php if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) die(json_encode(['error' => 'CSRF validation failed'])); addcartphp num high quality
For certain goods (fabric, weight-based products), num can be a float. Extend validation: // Check if requested quantity exceeds available stock
apcu_store($key, $requests + 1, 60); Session-based carts are fine for guests, but logged-in users expect cart persistence across devices. Let's upgrade. Table Schema CREATE TABLE cart_items ( id INT AUTO_INCREMENT PRIMARY KEY, user_id INT NOT NULL, product_id INT NOT NULL, quantity INT NOT NULL CHECK (quantity > 0), added_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, UNIQUE KEY (user_id, product_id) ); Add to Cart (Database Version) // After login check if ($num > 0 && $num <= $product['stock_quantity']) $stmt = $pdo->prepare(" INSERT INTO cart_items (user_id, product_id, quantity) VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE quantity = quantity + ? "); $stmt->execute([$_SESSION['user_id'], $product_id, $num, $num]); // Validate final quantity does not exceed stock $check = $pdo->prepare(" SELECT ci.quantity, p.stock_quantity FROM cart_items ci JOIN products p ON ci.product_id = p.id WHERE ci.user_id = ? AND ci.product_id = ? "); $check->execute([$_SESSION['user_id'], $product_id]); $row = $check->fetch(); if ($row['quantity'] > $row['stock_quantity']) // Rollback $pdo->prepare("UPDATE cart_items SET quantity = ? WHERE user_id = ? AND product_id = ?") ->execute([$row['stock_quantity'], $_SESSION['user_id'], $product_id]); die(json_encode(['error' => 'Adjusted to max stock'])); Let's upgrade
if ($num < 1) http_response_code(400); die(json_encode(['error' => 'Quantity must be at least 1']));
// Retrieve and validate the numeric quantity 'num' $num = filter_input(INPUT_POST, 'num', FILTER_VALIDATE_INT); $product_id = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT);