| only for RuBoard - do not distribute or recompile |
When the user clicks the Purchase button, we will process her payment details using the process.php script. You can see the results of a successful payment in Figure 25.10.
The code for process.php can be found in Listing 25.16.
<?php
include('book_sc_fns.php');
// The shopping cart needs sessions, so start one
session_start();

do_html_header("Checkout");

// $cart comes from the session and the card_* fields from the POSTed form;
// this listing relies on register_globals to expose them as plain variables.
if ($cart && $card_type && $card_number && $card_month && $card_year && $card_name)
{
  // display cart, not allowing changes and without pictures
  display_cart($cart, false, 0);
  display_shipping(calculate_shipping_cost());

  if (process_card($HTTP_POST_VARS))
  {
    // empty shopping cart
    session_destroy();
    echo "Thank you for shopping with us. Your order has been placed.";
    display_button("index.php", "continue-shopping", "Continue Shopping");
  }
  else
  {
    echo "Could not process your card, please contact the card issuer or try again.";
    display_button("purchase.php", "back", "Back");
  }
}
else
{
  echo "You did not fill in all the fields, please try again.<hr>";
  echo "<form action='purchase.php' method='post'>";
  echo "<input type='hidden' name='from' value='process'>\n";
  // pass the data this page received back so the user won't have to re-enter it;
  // escape names and values so submitted input cannot inject HTML into this page
  foreach ($HTTP_POST_VARS as $name => $value)
  {
    $name = htmlspecialchars($name);
    $value = htmlspecialchars($value);
    echo "<input type='hidden' name='$name' value='$value'>\n";
  }
  display_form_button("back", "Back");
  echo "</form>";
}

do_html_footer();
?>
The crux of this script is these lines:
if (process_card($HTTP_POST_VARS))
{
  // empty shopping cart
  session_destroy();
  echo "Thank you for shopping with us. Your order has been placed.";
  display_button("index.php", "continue-shopping", "Continue Shopping");
}
As with other places where we directly refer to $HTTP_POST_VARS, you need to have track_vars enabled for this to work. We process the user's card, and, if all is successful, destroy her session.
The card processing function as we have written it simply returns true.
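Two things a live version of process.php should do before calling the card processor are to validate the card fields server-side and to avoid writing the card number back into the page in the "try again" form. The following is an added example written for this section, not code from the book; the function names are hypothetical, and it assumes card_year is a four-digit year.

```php
<?php
// Added example, not the book's code; function names are hypothetical.
// Luhn check catches mistyped numbers before anything goes to the processor.
function luhn_valid(string $digits): bool {
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Returns the names of fields that failed; an empty array means all passed.
function validate_card_fields(array $post): array {
    $errors = [];
    if (!in_array($post['card_type'] ?? '', ['Visa', 'MasterCard', 'American Express'], true)) {
        $errors[] = 'card_type';
    }
    $number = preg_replace('/[\s-]/', '', (string) ($post['card_number'] ?? ''));
    if (!preg_match('/^\d{13,19}$/', $number) || !luhn_valid($number)) {
        $errors[] = 'card_number';
    }
    $month = (int) ($post['card_month'] ?? 0);
    $year  = (int) ($post['card_year'] ?? 0);   // assumes a four-digit year
    $now = getdate();
    $expired = $year < $now['year'] || ($year === $now['year'] && $month < $now['mon']);
    if ($month < 1 || $month > 12 || $expired) {
        $errors[] = 'card_month/card_year';
    }
    return $errors;
}

// Hidden inputs for the "try again" form: allowlisted names only, values
// HTML-escaped, and the card number deliberately left out of the page.
function hidden_fields_for_retry(array $post): string {
    $html = '';
    foreach (['card_type', 'card_month', 'card_year', 'card_name'] as $field) {
        $value = htmlspecialchars((string) ($post[$field] ?? ''), ENT_QUOTES, 'UTF-8');
        $html .= "<input type='hidden' name='$field' value='$value'>\n";
    }
    return $html;
}
```

In process.php this replaces the bare truthiness test on the card variables and the loop that echoes every POST field back unescaped; the user re-enters the card number on retry rather than having it round-trip through the page.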
When you set up a live site, you will need to make a decision about what transaction clearing mechanism you want to use. You can:
Sign up with a transaction clearing provider. There are many, many alternatives here depending on the area you live in. Some of these will offer real-time clearing, and others won't. Whether you need live clearing depends on the service you are offering. If you are providing a service online, you will most likely want it; if you are shipping goods, it's less crucial. Either way, these providers relieve you of the responsibility of storing credit card numbers.
Send a credit card number to yourself via encrypted email, for example, by using PGP or GPG as covered in Chapter 15. When you receive and decrypt the email, you can process these transactions manually.
Store the credit card numbers in your database. We do not recommend this option unless you really, seriously know what you're doing with system security. You can read Chapter 15 for more details about why this is a bad idea.
That's it for the shopping cart and payment modules.