From d444b1191c22913ff44ae6b05187fc3a24100f58 Mon Sep 17 00:00:00 2001
From: chocbic172 <ethanhoward04@gmail.com>
Date: Fri, 22 Mar 2024 21:28:05 +0000
Subject: [PATCH] Implement checkout and order recording

---
 checklist.md            |  2 +-
 root/cart.php           | 41 +++++++++++++++++++++++++++++++++++++++--
 root/styles/cart.css    |  5 +++++
 root/utils/database.php | 26 ++++++++++++++++++++++++++
 4 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/checklist.md b/checklist.md
index a4ec13d..290e689 100644
--- a/checklist.md
+++ b/checklist.md
@@ -38,5 +38,5 @@
 - [x] Product reviews / scores
 - [x] Verified users can post reviews
 - [x] Advanced search
-- [ ] Checkout mechanism
+- [x] Checkout mechanism
 - [x] Secure password storage / verification
diff --git a/root/cart.php b/root/cart.php
index d2260b1..84e88ac 100644
--- a/root/cart.php
+++ b/root/cart.php
@@ -9,6 +9,30 @@
 
 $totalPrice = 0.0;
 
+$userLoggedIn = isset($_SESSION['user']);
+
+$serverMessages = "";
+
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+    if (!$userLoggedIn) {
+        $serverMessages .= "<p>Please log in (use the link in the navbar) to checkout your cart.</p>";
+    }
+    
+    if ((!isset($_SESSION['cart'])) || (count($_SESSION['cart']) < 1)) {
+        $serverMessages .= "<p>Please add some orders to the basket to start checking out your product.</p>";
+        $orderSuccess = false;
+    } else {
+        $orderSuccess = $db->saveOrder($_SESSION['cart']);
+    }
+
+    if ($orderSuccess) {
+        $serverMessages .= "<p>Order successfully submitted! Thank you for shopping!</p>";
+        unset($_SESSION['cart']);
+    } else {
+        $serverMessages .= "<p>Order could not be submitted :( Please refresh and try again.</p>";
+    }
+}
+
 ?>
 <!DOCTYPE html>
 <html lang="en">
@@ -29,6 +53,9 @@
 
     <div class="cart-container">
         <h2>Cart</h2>
+        <div class="server-messages">
+            <?php echo $serverMessages ?>
+        </div>
         <hr>
         <ul id="cart-list">
             <?php
@@ -41,7 +68,6 @@
                     <li><div class="cart-item">
                         <p class="cart-item-name"><a href="item.php?id='.$product.'">'.$productInfo['product_title'].'</a></p>
                         <p class="cart-item-price">£'.$productInfo['product_price'].'</p>
-                        <button class="cart-item-remove">Remove</button>
                     </div></li>';
                 }
                 unset($product);
@@ -55,7 +81,18 @@
     </div>
 
     <div class="flex-content-center cart-bottom">
-        <button class="checkout-button">Checkout</button>
+        <?php echo $userLoggedIn ? "" : "<h3>Please <a href='./login.php'>log in</a> to checkout your basket!</h3>" ?>
+
+        <!--
+        We use the `$_SERVER["PHP_SELF"]` superglobal to ensure the form is always submitted to this page.
+        However, to avoid XSS exploits we wrap this in `htmlspecialcars()`, which automatically "escapes"
+        all html characters. See W3 Schools for reference implementation:
+        https://www.w3schools.com/php/php_form_validation.asp
+        -->
+        <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"])?>" method="post">
+            <?php echo $userLoggedIn ? '<input type="submit" class="checkout-button" value="Checkout">' : "" ?>
+        </form>
+
         <p>
             Forgotten something?
             <a href="./products.php">Press here to continue shopping</a>
diff --git a/root/styles/cart.css b/root/styles/cart.css
index 4aba297..3f5c04f 100644
--- a/root/styles/cart.css
+++ b/root/styles/cart.css
@@ -90,3 +90,8 @@ https://developer.mozilla.org/en-US/docs/Web/CSS/@import */
 .cart-bottom a {
     color: var(--primary-blue);
 }
+
+.server-messages {
+    text-align: center;
+    font-size: 1.25em;
+}
diff --git a/root/utils/database.php b/root/utils/database.php
index daa4ee2..fd0b21c 100644
--- a/root/utils/database.php
+++ b/root/utils/database.php
@@ -304,4 +304,30 @@ public function getRatingForProduct(string $productId) {
 
         return $rating[0];
     }
+
+    /**
+     * Stored an order to the database
+     * 
+     * @param array $basket array of product ids to be ordered
+     * 
+     * @return boolean whether the creation of the order was successful
+     */
+    public function saveOrder(array $basket) {
+        $sql_query = $this->conn->prepare("INSERT INTO ".$this->orders_table.
+        " (`order_id`, `order_date`, `user_id`, `product_ids`)
+        VALUES (NULL, current_timestamp(), ?, ?)");
+
+        $query_success = $sql_query->execute([
+            $_SESSION['user'],
+            json_encode($basket),
+        ]);
+
+        if (!$query_success) {
+            $sql_query->close();
+            return false;
+        }
+
+        $sql_query->close();
+        return true;
+    }
 }