
Restaurant system with JavaScript connecting to PHP


Problem

I'm making a restaurant-type web application. The idea is to administer the orders and customers with functions such as:

  • Make a new order
  • Delete an order
  • View all the orders
  • Make a new customer
  • Delete a customer
  • View all the customers
  • Finance overview

I'm doing this with separate PHP files. Here's the example for inserting a new order:

```php
insert_order($customer_id, $order_info, $location);
    exit;
} else {
    die();
}
```


This goes together with the Database class:

```php
                           databaseHost, $this->databaseUser, $this->databasePassword, $this->databaseName);
        if (mysqli_connect_error()) {
            exit('Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
        }
        // mysqli charset names have no hyphen: 'utf8' (or 'utf8mb4'), not 'utf-8'
        parent::set_charset('utf8');
    }

    function get_simple_data() {
        $query = "SELECT customers.first_name,
                         customers.last_name,
                         orders.location,
                         orders.id,
                         orders.total_price,
                         customers.email_adress
                  FROM customers
                  INNER JOIN orders ON customers.id = orders.customer_id
                  ORDER BY orders.id DESC";

        return $this->query($query);
    }

    function get_all_data_by_order_id($order_id) {
        // $order_id is interpolated directly into the query string
        $query = "SELECT customers.first_name,
                         customers.last_name,
                         customers.email_adress,
                         customers.customer_info,
                         orders.order_info,
                         orders.total_price,
                         orders.location,
                         orders.created
                  FROM customers
                  INNER JOIN orders ON customers.id = orders.customer_id
                  WHERE orders.id = {$order_id}";

        return $this->query($query);
    }

    function get_orders_by_customer_id($customer_id) {
        $query = "SELECT id, order
```

Solution

It seems like you have your work cut out for you.

It seems that `get_orders_by_customer_id`, `get_order_items_by_order_id`, `delete_order` and `delete_all_order_items` are vulnerable to SQL injection.

Furthermore, if `orders.id` is an auto-increment number, then it seems a simple loop with an AJAX call in the console can empty your entire orders table. Probably not what you want. It might be more prudent to set a status flag to cancelled so that you can recover more easily instead of just deleting data.

Finally, given that you do not have full protection against SQL injection, I am assuming you will also have to read up on cross-site scripting.

When you wire the listeners, you can simply provide the functions you wrote, so that this

```javascript
$("#new-order-btn").click(function () {
    new_order();
});
$("#delete-order-btn").click(function () {
    delete_order();
});

$("#list tbody tr").click(function () {
    select_row(this);
});

$("#submit-order").click(function () {
    submit_order(false);
});
```

becomes

```javascript
$("#new-order-btn").click(new_order);
$("#delete-order-btn").click(delete_order);
// jQuery passes the event object as the first argument, which is truthy,
// so `submit_order` keeps its wrapper in order to still receive `false`
$("#submit-order").click(function () {
    submit_order(false);
});
// You could do something with `bind` here
$("#list tbody tr").click(function () {
    select_row(this);
});
```


Which brings me to the point that JavaScript should really be written in lowerCamelCase, so `new_order` -> `newOrder`, `submit_order` -> `submitOrder`, etc.

Other than that, your JavaScript code is clean.
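As an added example (not code from the question or the answer), here is what the hardened side of the answer's three points could look like for the question's Database class: the string-interpolated queries replaced with mysqli prepared statements, `delete_order` replaced by a status flag scoped to the owning customer, and values escaped before they reach HTML. The `status` column, the `cancel_order` and `h()` names, the connection placeholders and the column list in `get_orders_by_customer_id` (taken from the other queries on the page, since the original is cut off) are assumptions; `get_result()` needs the mysqlnd driver.

```php
<?php
// Added example, not the question's or the answer's code.
// Table and column names follow the question's queries; `status`,
// cancel_order(), h() and the connection placeholders are assumptions.

class Database extends mysqli
{
    public function __construct(string $host, string $user, string $password, string $name)
    {
        parent::__construct($host, $user, $password, $name);
        if ($this->connect_error) {
            throw new RuntimeException('Connect Error (' . $this->connect_errno . ') ' . $this->connect_error);
        }
        // mysqli charset names have no hyphen ('utf8mb4' / 'utf8', not 'utf-8')
        $this->set_charset('utf8mb4');
    }

    // Before (as in the question): "... WHERE orders.id = {$order_id}" splices user
    // input into the SQL text. After: the value travels as a bound parameter, so
    // input such as "1 OR 1=1" is a parameter value, never SQL syntax.
    public function get_all_data_by_order_id(int $order_id): array
    {
        $sql = 'SELECT customers.first_name, customers.last_name, customers.email_adress,
                       customers.customer_info, orders.order_info, orders.total_price,
                       orders.location, orders.created
                FROM customers
                INNER JOIN orders ON customers.id = orders.customer_id
                WHERE orders.id = ?';
        $stmt = $this->prepare($sql);
        $stmt->bind_param('i', $order_id);
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    }

    // Column list assumed from the page's other queries (the original is cut off).
    public function get_orders_by_customer_id(int $customer_id): array
    {
        $stmt = $this->prepare('SELECT id, order_info, total_price, location, created
                                FROM orders WHERE customer_id = ? ORDER BY id DESC');
        $stmt->bind_param('i', $customer_id);
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    }

    // Soft delete instead of DELETE: flip an assumed `status` column so a mistaken
    // request can be reverted. $customer_id comes from the server-side session, not
    // from the request, so one customer cannot walk through another's order ids.
    // Returns the number of rows changed (0 means "not yours" or already cancelled).
    public function cancel_order(int $order_id, int $customer_id): int
    {
        $stmt = $this->prepare("UPDATE orders SET status = 'cancelled'
                                WHERE id = ? AND customer_id = ? AND status <> 'cancelled'");
        $stmt->bind_param('ii', $order_id, $customer_id);
        $stmt->execute();
        return $stmt->affected_rows;
    }
}

// Output side (the XSS point): escape before interpolating into HTML, so a
// customer name containing markup is rendered as text rather than as tags.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage sketch; connection values are placeholders.
// $db = new Database('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $order_id = filter_input(INPUT_POST, 'order_id', FILTER_VALIDATE_INT);
// if ($order_id === false || $order_id === null) { http_response_code(400); exit; }
// foreach ($db->get_all_data_by_order_id($order_id) as $row) {
//     echo '<td>' . h($row['first_name']) . '</td>';
// }
// $changed = $db->cancel_order($order_id, (int) $_SESSION['customer_id']);
```

Validating the id with `FILTER_VALIDATE_INT` on the way in, binding it on the way to the database and escaping on the way out are three separate layers; the prepared statement is the one that actually removes the injection, the other two narrow what reaches it and what reaches the browser.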


Context

StackExchange Code Review Q#61086, answer score: 4
