Professional CodeIgniter


Chapter 9: Security and Performance




Securing the MOrders Model


Although the MOrders model never touches a database, that doesn't mean you can just ignore it. It still receives incoming data (a product ID, in most cases) that arrives from the client and needs to be untainted before you trust it: an ID that is never used in a query can still end up in the session, in HTML, or in a price calculation.

In the case of the updateCart() function, simply add a line near the top of the function that runs the incoming $productid variable through id_clean():

function updateCart($productid, $fullproduct){
    //pull in existing cart first!
    $cart = $this->session->userdata('cart');
    //untaint the incoming ID before it touches the cart
    $productid = id_clean($productid);
    $totalprice = 0;
    //function continues...
}

Do the same thing with the removeLineItem() function:

function removeLineItem($id){
    //untaint the incoming ID first
    $id = id_clean($id);
    $totalprice = 0;
    $cart = $this->session->userdata('cart');
    //function continues...
}

The final function, updateCartAjax(), is a bit more complicated, but the principle remains the same. You're passing a list of IDs to the function, which gets pulled apart by explode() and then looped through like any array. Eventually, a second layer is pulled open by explode(), this time by splitting on the colon character. At this point, run id_clean() on $fields[0] to clean up the ID and make it safe for handling. Keep in mind that the quantity in $fields[1] comes from the same client-supplied string and is just as untrusted; it deserves the same scrutiny, and a record with no colon at all leaves $fields[1] undefined.

function updateCartAjax($idlist){
    $cart = $this->session->userdata('cart');
    //split idlist on comma first
    $records = explode(',', $idlist);
    $updated = 0;
    $totalprice = $this->session->userdata('totalprice');
    if (count($records)){
        foreach ($records as $record){
            if (strlen($record)){
                //split each record on colon
                $fields = explode(":", $record);
                //untaint the product ID before using it
                $id = id_clean($fields[0]);
                $ct = $fields[1];   //quantity arrives raw; it is user input too
                //rest of function...
            }
        }
    }
}
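To make the "untaint before you trust" rule concrete, here is an added example in plain PHP. It is not code from the book and not the book's own id_clean() helper, which is defined elsewhere in the chapter; id_clean_example() is an assumed strict version of that contract (accept only a short string of ASCII digits, return null otherwise), and parse_cart_idlist() is a hypothetical hardened parser for the "id:count,id:count" string that updateCartAjax() receives. The input string is constructed to exercise the failure modes: an injected ID, a non-numeric ID, a record with too many fields, a negative quantity, an empty record, and stray whitespace.

```php
<?php
// Added example, not the book's code. id_clean_example() stands in for the
// book's id_clean(); the contract assumed here is "a clean, bounded,
// non-negative integer or null", so that callers fail closed.
function id_clean_example($value)
{
    $value = trim((string) $value);
    // ctype_digit() rejects "", "-1", "1.5", "13 OR 1=1", "abc".
    // The length cap keeps the (int) cast well inside PHP_INT_MAX.
    if ($value === '' || strlen($value) > 9 || !ctype_digit($value)) {
        return null;
    }
    return (int) $value;
}

// Hypothetical parser for the idlist that updateCartAjax() gets from the
// browser. Returns [productid => quantity]; anything that does not validate
// is dropped rather than "repaired", so a tampered record cannot smuggle a
// partial value into the cart.
function parse_cart_idlist($idlist)
{
    $result = [];
    foreach (explode(',', (string) $idlist) as $record) {
        if ($record === '') {
            continue;                       // trailing or doubled comma
        }
        $fields = explode(':', $record);
        if (count($fields) !== 2) {
            continue;                       // "7" or "5:1:9" are malformed
        }
        $id = id_clean_example($fields[0]);
        $ct = id_clean_example($fields[1]);  // quantity is user input too
        if ($id === null || $id === 0 || $ct === null) {
            continue;                       // product IDs start at 1
        }
        $result[$id] = $ct;                 // a quantity of 0 is passed through;
                                            // the model decides what it means
    }
    return $result;
}

// Constructed sample input: two good records, then a string of hostile
// or malformed ones, then a record padded with whitespace.
$input = "12:2,7:0,13 OR 1=1:1,abc:4,5:1:9,9:-3,,  8 : 3";
print_r(parse_cart_idlist($input));
// Expected: Array ( [12] => 2 [7] => 0 [8] => 3 )
```

The design choice worth noting is that id_clean_example() returns null rather than coercing bad input to 0 with intval(): a silent 0 would turn "13 OR 1=1" into a request for product 0, which the rest of the model might treat as a valid line, whereas null forces every caller to decide explicitly what to do with garbage. Running both $fields[0] and $fields[1] through the same whitelist also closes the gap the book's snippet leaves open for the quantity.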