chaoticset has asked for the wisdom of the Perl Monks concerning the following question:

Oh, good lord. I have a problem and a half, I think.

I'm building a cart system for a fairly unique situation. The whole list of products has barebones searchability and needs to update constantly - that is, some of them are unique, some we only have five of, etc. - and as a result I came up with what I hoped was a dandy way to handle the carts.

"If one program dealt with all the cart/product stuff, then it would just have to keep updating the return page's stuff."

Ideal behavior for this program is as follows:

Customer comes to the site and locates a card they like. They click "Put In Cart" next to it.

When they click the submit button, the program checks first if they have a cart. If they don't, it generates a random, 8-digit number for a cart name and gives a hidden tag that name so it can be accessed next time.

Once they've got a cart, it "drops" it in, decrementing the stock file by one of those things and incrementing their cart file by one of those things. It only has to append it; it'll get sorted when it's viewed.

Then it closes the cart, closes the stock file, and checks if there was a search term. If there was, it returns the page for that search term.

I believe that this will produce a faster drop-find-drop-find cycle, because you can click on three cards, put a new search term for the other cards you want, and go to the new page while you drop the ones you want in your cart. You don't have to, though. And you can check your cart at any time.

The problem is the generator. I'm having trouble with this, so it's really just a yes-or-no question, because I've been banging my head against it for a few days, trying to get it right.

Is it *possible* to open a filehandle with a variable name for a filename? That is, will open(CART, "$cartname") open the value of $cartname? Or will it try to open a file called '$cartname'?

Should I store the cart name - or even all the data that would go into the cart itself - as a cookie, or as several? I realize that not all browsers support them, unreliable, etc., so I didn't want to try it, but if it's a better idea I'll give it a shot.

Is this way of dealing with it utterly senseless? I realize there may be a security issue with this ("...hey, every time I do that it generates a new file! I wonder how many files I can get it to make on their server...") but I figure that when it's a problem, I'll have figured out how to handle it.

I know, I'm terribly amateurish at this...but that is why I'm seeking wisdom.


Replies are listed 'Best First'.
Re: Crumbling Cookies, Passed Page Values, and File Handling
by Masem (Monsignor) on Oct 28, 2001 at 04:15 UTC
    You can use a variable as the second argument to open; the variable will be stringified and treated as a filename.

    As for what you save in cookies, it's always best to store as little as possible to prevent problems with data loss. Basically, you should create a sessionID that is a hash of several factors (you don't want to use just IP alone, for example), and set that as the only item in the cookie. Use a database for tracking the current order session, and make sure to include code that will invalidate that sessionID after a long enough time that a user will no longer be shopping on your site (30 minutes is the lowest you'd want to go with this).

    -----------------------------------------------------
    Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
    "I can see my house from here!"
    It's not what you know, but knowing how to find it if you don't know that's important

      I ditto Masem's answer (glad I hit Refresh before replying :).

      I think you really should use a database for this. Whatever you do, don't have the CGI params determine what the filename is... I've been able to use shopping cart scripts to look at arbitrary files on their system including /etc/passwd and the script itself by using a URL like

      http://foo.com/cgi-bin/cart.pl?....&FILE=../../../cgi-bin/cart.pl

      basically getting arbitrary information from their system. (I let them know through a throw-away hotmail account and surfed the site through safeweb.com -- be careful when telling people you were probing their shopping cart)

      Like Masem said, avoid putting information into a cookie, another reason being so that people can't set their prices arbitrarily. If you're processing orders "in house", then you might be more likely to overlook that somebody gave themself a rebate. Anyway, if you can avoid cookies, you should try to.
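
The file-name handling the replies above warn about, as an added example that is not part of the original thread or any poster's code: the cart name from the request is matched against the 8-digit format the question describes before any path is built, and the file is opened with three-argument open. The directory, the helper names (`cart_path`, `add_to_cart`), the item-code format and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical cart directory for this example; a real one would sit
# outside the web root.
my $CART_DIR = File::Spec->catdir(File::Spec->tmpdir, "carts-example-$$");

# Accept only the 8-digit cart names the question describes. Anything else
# (slashes, dots, ">", a trailing newline) is rejected before a path is built.
# \A and \z anchor the whole string; "$" would let a trailing newline through.
sub cart_path {
    my ($cart_id) = @_;
    return undef unless defined $cart_id && $cart_id =~ /\A([0-9]{8})\z/;
    return File::Spec->catfile($CART_DIR, "$1.cart");   # $1 is also untainted
}

# Append one item to the cart. Three-argument open treats the path as a
# literal file name, so the open mode can never come from the data.
sub add_to_cart {
    my ($cart_id, $item) = @_;
    my $path = cart_path($cart_id) or return 0;
    return 0 unless $item =~ /\A[\w-]{1,32}\z/;   # constructed item-code format
    open(my $fh, '>>', $path) or die "cannot open cart: $!";
    print {$fh} "$item\n";
    close($fh) or die "cannot close cart: $!";
    return 1;
}

mkdir $CART_DIR or die "mkdir $CART_DIR: $!";

# Constructed sample inputs, including the traversal value quoted in the reply.
my @samples = (
    '48151623',
    '../../../cgi-bin/cart.pl',
    '12345678/../../etc/passwd',
    '>48151623',
    "48151623\n",
);
for my $id (@samples) {
    (my $shown = $id) =~ s/\n/\\n/g;
    printf "%-28s %s\n", $shown,
        add_to_cart($id, 'card-017') ? 'stored' : 'rejected';
}

# Clean up the example files.
unlink cart_path('48151623');
rmdir $CART_DIR;
```

Only the first sample is stored; the other four are rejected by the pattern before `open` is ever reached.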

Re: Crumbling Cookies, Passed Page Values, and File Handling
by gt8073a (Hermit) on Oct 28, 2001 at 07:25 UTC
    i recommend using red hat's interchange instead of rolling your own cart, more so considering "I know, I'm terribly amateurish at this"

    if you are still dead set on writing your own, you can download, and look at, the source here.

    Will perl for money
    JJ Knitis
    (901) 756-7693
    gt8073a@industrialmusic.com