Simple PHP Shopping Cart Tutorial

February 02, 2006 - 00:00

This is a very simple shopping cart that I wrote at university because many of my peers were asking for help with similar problems for assignments. It is incomplete and is not intended for use on a production website!

The shopping cart stores the product ids in an associative array, the keys are the product id and the values are the quantity of that particular product. To store information between pages we can use the \$_SESSION superglobal variable, by using an element of the array like this: \$_SESSION['cart'] - this is where our cart will be stored.

Stored Where?

Because we are going to use a session to store this cart we need to start the session at the very beginning of the page like this:

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">

Notice how the function is before anything else, this includes whitespace.

Now lets define some operations that our cart will perform. Lets say we want the user to be able to add, remove and empty the cart. The script needs to know what the operation is and also, in the case of adding and removing, the id of the product.

We can tell the script this information as part of the URL for example /cart.php?action=add&id=1234

We need to be careful of SQL Injection attacks - so we must check that the product_id exists in our database, and also be sure that it is an integer, using the productExists function.


$product_id = $_GET['id']; //the product id from the URL
$action = $_GET['action']; //the action from the URL

//if there is an product_id and that product_id doesn't exist display an error message
if($product_id && !productExists($product_id)) {
    die("Error. Product Doesn't Exist");

switch($action) { //decide what to do

    case "add":
        $_SESSION['cart'][$product_id]++; //add one to the quantity of the product with id $product_id

    case "remove":
        $_SESSION['cart'][$product_id]--; //remove one from the quantity of the product with id $product_id
        if($_SESSION['cart'][$product_id] == 0) unset($_SESSION['cart'][$product_id]); //if the quantity is zero, remove it completely (using the 'unset' function) - otherwise is will show zero, then -1, -2 etc when the user keeps removing items.

    case "empty":
        unset($_SESSION['cart']); //unset the whole cart, i.e. empty the cart.




Next we can show the user their shopping cart, by iterating through the cart items, using a foreach loop. But only if there is something in the cart, which is the reason for the 'if' statement:


if($_SESSION['cart']) { //if the cart isn't empty
//show the cart

    echo "<table border=\"1\" padding=\"3\" width=\"40%\">"; //format the cart using a HTML table

    //iterate through the cart, the $product_id is the key and $quantity is the value
    foreach($_SESSION['cart'] as $product_id => $quantity) {

        //get the name, description and price from the database - this will depend on your database implementation.
        //use sprintf to make sure that $product_id is inserted into the query as a number - to prevent SQL injection
        $sql = sprintf("SELECT name, description, price FROM php_shop_products WHERE id = %d;",

        $result = mysql_query($sql);

        //Only display the row if there is a product (though there should always be as we have already checked)
        if(mysql_num_rows($result) > 0) {

            list($name, $description, $price) = mysql_fetch_row($result);

            $line_cost = $price * $quantity; //work out the line cost
            $total = $total + $line_cost; //add to the total cost

            echo "<tr>";
            //show this information in table cells
            echo "<td align=\"center\">$name</td>";
            //along with a 'remove' link next to the quantity - which links to this page, but with an action of remove, and the id of the current product
            echo "<td align=\"center\">$quantity <a href=\"$_SERVER[PHP_SELF]?action=remove&id=$product_id\">X</a></td>";
            echo "<td align=\"center\">$line_cost</td>";

            echo "</tr>";



    //show the total
    echo "<tr>";
    echo "<td colspan=\"2\" align=\"right\">Total</td>";
    echo "<td align=\"right\">$total</td>";
    echo "</tr>";

    //show the empty cart link - which links to this page, but with an action of empty. A simple bit of javascript in the onlick event of the link asks the user for confirmation
    echo "<tr>";
    echo "<td colspan=\"3\" align=\"right\"><a href=\"$_SERVER[PHP_SELF]?action=empty\" onclick=\"return confirm('Are you sure?');\">Empty Cart</a></td>";
    echo "</tr>";
    echo "</table>";

//otherwise tell the user they have no items in their cart
    echo "You have no items in your shopping cart.";


The productExists function takes a product_id as an argument, and returns true if it exists. It uses the sprintf function to insert the $product_id variable into the $sql variable as a number - to prevent SQL Injection.

//function to check if a product exists
function productExists($product_id) {
    //use sprintf to make sure that $product_id is inserted into the query as a number - to prevent SQL injection
    $sql = sprintf("SELECT * FROM php_shop_products WHERE id = %d;", $product_id);
    return mysql_num_rows(mysql_query($sql)) > 0;

Note This tutorial has been updated to prevent the SQL Injection security flaw describe here.

Plain text icon cart.txt4.3 KB
Plain text icon products.txt1.04 KB