There is a Google Group setup to discuss Google’s Checkout API only the group sucks. I have no patience to read though thousands of meaningless posts just to find what I’m looking for and sadly searching Google for help on their API is actually pretty tough.

Basically when you are working on the responsehandler.php file, the file that gets callbacks from Google on all kinds of notifications, it isn’t initially clear how you receive the data and then utilize it. Your variables wind up looking something like $data[$root]['shopping-cart']['merchant-private-data']['VALUE'] where $root is a case value switching between the different types of notifications you can receive, in this case it is new-order-notification.

The problem arises when you try and get all of the items out of the shopping cart. An item name for example is $data[$root]['shopping-cart']['items']['item']['item-name']['VALUE']. Now items occurs once in the hierarchy but each cart item is contained in the <item></item> tags. Simply put, in a DFD items:item would be labeled as 1:N.

What does the code to get this done look like? This:

We have all heard the stories, 18 year old child prodigy builds incredible online system only to be bankrupted by some bad apple through various SQL injection attacks. Well, maybe not so dramatic but still the thought of people being able to gain complete access to your database because of one small oversight is frightening to say the least.

How do SQL injections work? Let me give you an example, you have a script that updates a row in your database which may look something like this SELECT * FROM creditcard_data WHERE mycard='".$_REQUEST['mycardnumber']."'. The goal would be to only display my information to me not everyone else in the worlds. If in the text box we submitted the following 1234' OR '1234'='1 and didn’t escape our extra slashes we would come up with the following query SELECT * FROM creditcard_data WHERE mycard='1234' OR '1234'='1234'. This would return true for every row giving us every single credit card number in the table, and a similar attack would work equally well on an INSERT, DELETE or UPDATE query.

Now the question is, how do we prevent this? PHP has two built in functions addslashes() and stripslashes(), however you must add slashes to every incoming variable and strip the slashes off of every outgoing variable. Obnoxious, no? Have no fear, I have two functions which will take care of the you forgetting factor as well as the all important cleaner code factor. On the top of every page, include the following line of code do_slashes($_REQUEST) and this line of code to the array of output from your database undo_slashes($value).

Below are are my functions, enjoy!