Posts posted by SaranacLake

  1. 49 minutes ago, requinix said:

    So far my vote would be for keeping subscriptions separate from everything else, but on the pages for products that the subscription covers (podcasts?) you can advertise the subscription model. Or during the checkout process, try to upsell them into the subscription funnel instead.

    Well, my site is built like an online newspaper like the NYT where 60%+ of the site requires a subscription to access "premium content" so it's not segmented quite like you're saying where there would just be one section where subscriptions would apply.  However, if you try to access "premium" content (e.g. exclusive interview), I certainly will throw up a way to buy a subscription, though.

    Just so I understand, are you against putting subscriptions in the store because a.) it's confusing, b.) people won't take advantage of it, or c.) it will create a lot of extra work? 

    Fwiw, subscriptions are already designed into the store, and I could just limit things to one subscription per checkout which wouldn't be too much extra work.  Then it is there to cross-sell, and limiting one subscription will make things much easier as far as my design.

    Also, because you may be wondering, I am planning to offer gift cards and gift subscriptions, so in that case, people can buy as many as they want.  (I still have to design this part.)

     

  2. 16 minutes ago, requinix said:

    Yes. You can certainly tell people about the subscriptions, anywhere you want, but unless you're prepared to make changes to your store and product models, it's easier to keep it all separate.

    Yes. It isn't impossible to add subscriptions to the store, but are you sure people will be looking at your online store for a subscription?

    At the top of most pages on my site is a top menu bar, and sitting on top of that and to the far right there is a "Subscribe Now" button for users who aren't logged in or who are not yet members.  (You get a "Renew Now" button 30 days before your subscription expires if you are logged in.)

    Like this...

    [image: screenshot of the site's top menu bar with the "Subscribe Now" button]

     

    Then, at the right of my top menu I have a "Store" option - like where "video" is above.

    Because of the close physical proximity, I can see a person navigating to either, although if you ONLY wanted to subscribe, then a button labeled "Subscribe Now" would be the place to go.

     

    But in a larger sense, I have always seen my store as a place to sell "Products" (e.g. books, T-shirts) and "Services" (e.g. subscriptions, podcasts, etc).  And originally I thought it would be nice to have subscriptions in my store because MAYBE a person clicks on "Store" to check out books and then they see subscriptions as well, and they end up buying one or the other or both?!  (Which ties back to my earlier statement of making it as easy as possible for customers to buy things...)

    The goal is to have a store that is like Amazon.com in that it has everything you need - just obviously not that big!

     

    16 minutes ago, requinix said:

    If you advertise the store as a place to buy goods then they might not think it's the same place to buy access to the website. If it features prominently as a purchase place, maybe they would.

    Yeah.

     

    16 minutes ago, requinix said:

    You could also not offer the subscription as a "product" but as something they opt into. You can keep the details of the subscription as a sort of hidden product that they cannot add to their cart - only your PHP code can do it, which it would when the user goes through your subscription page thing.

    Well, when you choose "Subscribe Now", after they choose a subscription type, I do add it to the shopping cart, but in that flow I just go immediately to checkout, as my goal is to get their $$$ as soon as I can and get them their site access.  Therefore, I don't add an obvious path to keep shopping, although technically I guess they could.  (Still thinking through all of the different paths you can take!)

    The store is more intended to let people search and browse and hopefully add several things, including possibly a subscription.  (If you are looking at books, and see that I offer subscriptions, I had originally thought it a good idea to let people buy things in ONE stop.)  (I just don't want to allow people to buy multiple subscriptions in one sitting - which mainly ties back to my other thread where I am still leaning towards limiting accounts to a credit card.  And even if I did allow that, it is illogical to let 5 people all set up individual accounts at once, because that just isn't how it works most times in real life!)

     

    16 minutes ago, requinix said:

    Treating the subscription as a product means you have to add a concept of conflicting products to your store. That might be useful for other things, I don't know, but if not then you're creating a lot more complexity for only one thing.

    Well, I just spent the last few days learning how to do super/subtypes in MySQL, so my website will scale to sell anything from subscriptions to books to tractors or music or pizza!

     

  3. 11 minutes ago, requinix said:

    No, but I don't think you should include subscriptions in the store.

    A subscription is access to the site or whatever. The online store is for products. They are not the same thing.

    I wondered about that.

    So me trying to be helpful to my potential customers, apparently not only creates a pain for me from a design standpoint, but you are saying really isn't necessary, eh?

    That would definitely be easier, it's just that I had always heard, "Don't tell customers how to buy things from you, just allow them to shop and purchase as they like."

     

  4. 2 minutes ago, Barand said:

    Here we go again..

    We tell you how it should be done then get involved in several pages of posts by you telling us you don't want to do it that way.

    I have *never* posted anything about the above question until now!  So what are you talking about?

     

    2 minutes ago, Barand said:

    I'll pass. JFDI.

    (BTW, what did you think of MySQL Workbench - or is your motto "Procrastinate now!")

    Clearly you've developed some deep-seated anger towards me, which is a surprise, because you've been very helpful in the past.

    If I upset you so much, then best to skip my threads moving forward...


  5. I am working on the e-commerce portion of my website that sells online subscriptions, books, gear, etc.

    My desk is covered with ERDs right now, and I thought I had things pretty much figured out, but discovered a curve ball...

    Originally for subscriptions, I did this...

    	SUBSCRIPTION_DETAILS
    	- id
    	- member_id
    	- plan_id
    	- purchased_on
    	- subscription_start_date
    	- subscription_end_date
    	- purchase_price
    	and so on...
    	

     

    But after I mapped out the tables related to ordering (i.e. MEMBER, ORDER, ORDER_DETAILS, PRODUCT) it occurred to me that I have two annoying issues...

    Issue #1:

    Some of the fields in SUBSCRIPTION_DETAILS really could be moved, for example...

    subscription_details.purchased_on ===> order.ordered_on

    subscription_details.purchase_price ===> order_details.purchase_price

     

    Issue #2:

    Currently I have no linkage between my ORDER and SUBSCRIPTION_DETAILS.

     

    Questions:

    a.) Would it be the end of the world to have duplicate fields and when a person subscribes, just write the fields in Issue #1 to two places?  (The ORDER / ORDER_DETAILS tables help keep track of a purchase.  And the SUBSCRIPTION_DETAILS table helps keep track of members' subscriptions.  They are related in some ways, yet moreso separate.)

    I could move those fields to one place as mentioned above, but then that makes querying things to calculate things like renewal costs and stuff a real PITA.

    I could also put an "Order_No" in the SUBSCRIPTION_DETAILS table as a cross-reference, but again, that makes querying things a lot more work.  (I have a fairly elaborate way of calculating subscription and renewal pricing, which is why I subconsciously put all of those fields originally in my SUBSCRIPTION_DETAILS table!)

     

     

  6. OMG!  Crafting well thought out business logic is such a PITA sometimes!

    I am working on an ecommerce site that sells subscriptions, books, gear, etc.

    Similar to a lot of online newspapers, I have a "Subscribe" button in my website mast where people can buy a subscription.

    After clicking on that button, the user is first presented with different subscription offers (e.g. silver, gold, platinum), and then I have a one-page checkout form where they create an account - kind of important for an online subscription! - and they pay with a credit card.  Easy!

    Trying to be a nice guy, I decided to add the ability to choose a subscription from my online store as well.  (Presumably you want to offer as many ways for people to buy things from you as possible, right?)

    Well here is the issue I just discovered...

    What happens if a person is browsing through my product catalog, and they add multiple subscriptions to their shopping cart?

    Of course I would welcome the extra $$$, but I just realized that would break how people create their accounts and pay, because above I assume that ONE person, buys ONE subscription and pays for it in ONE transaction.

    So my question is, "Would it be a mortal sin to limit people to buying only ONE subscription at a time if they do so while in my online store?"

    I would hope that people would get that, but as we know, users do some crazy stuff!!

    In fairness, if you went to buy a subscription at the Wall Street Journal or any other large newspaper/magazine, you would be forced to do one subscription per transaction.  I am just wondering what happens if someone goes on a shopping spree in my online store, buys several books, some t-shirts, and decides he/she also wants to buy 5 subscriptions on the spot.

    Thoughts?

     

  7. 13 minutes ago, kicken said:

    I usually use it when dealing with mysql databases, but that's not very often.

    So what do you use?

     

    13 minutes ago, kicken said:

    I'm not sure what you're expecting to do from it.  It's fairly easy to setup and get connected to a DB so you can run queries and look through your tables and data.  It has some design tools to help plan and diagram your database and the relationships between tables which take a little more effort to learn, but that's only if you want to use them.

    Well the main thing I would like moving forward is the ability to create ERDs.

    Right now I am drawing out my entire system on paper, which is fine, but when you have 50-100 tables, and you want to be able to quickly see a topology of your whole data model, I am thinking having a data modeling tool would be better.

    There would also be the benefit, in theory, of forward and reverse-engineering from your ERDs.

     

    13 minutes ago, kicken said:

    I haven't used phpMyAdmin in a long time so I'm not sure I could really compare the two, but I personally prefer having the separate desktop application like Workbench over a web app like phpMyAdmin.  

    To use Workbench you need to be able to connect to the database server directly or via an SSH tunnel.

    Well, locally for dev I use MAMP.

    So how hard would it be to hook up Workbench to point to my MAMP instance?  (And are there any security considerations?)

     

    13 minutes ago, kicken said:

    On shared hosting that may or may not be possible, which is why many of them provide something like phpMyAdmin.  For your own private server it shouldn't be a problem.

    Well, I have a VPS, and I believe that cPanel comes with a way to interface with MySQL - it could very well be phpMyAdmin, but I forget.

    And since you bring this up, do you have any advice and a "workflow" for how I should work moving forward?

    Because I do not have a live business/website yet, I can just do everything locally on my laptop using MAMP.  But moving forward, I will need to find an easy way to take what I have on my laptop in MAMP and promote it to production on my VPS.  (That could probably be a thread or two on its own!)

    Any suggestions?

     

  8. Does anyone have experience using MySQL Workbench?

    I have been using phpMyAdmin to manage my database, but I know that this application seems to draw lots of hatred from people?!  😮

    If setting up and learning how to use Workbench is going to take LOTS of time, then I will save it for v2.0 of my website which is almost done.

    But if it is super easy to install and use, then I am thinking it might be worth it, since the e-commerce portion of my website has lots of tables, and I would like a way to visualize things - which phpMyAdmin doesn't really offer.

    Thoughts?

  9. 4 minutes ago, benanamen said:

    Ok, so a subscription_types lookup table with subscription_type_id, subscription_type_description

    Then in data table you have subscription_type_id keyed to the lookup table.

    Why do you do this?

    I ask a specific question, and now you are giving me data modeling lessons?

    Stop twisting what I asked for into something it's not.

     

     

  10. 23 minutes ago, benanamen said:

    Seems to me it would be better to have contract_start and contract_end date columns. If you will be needing historical data then you would have a table for storing each term start/end dates keyed to the user_id.

    You will also gain a lot of flexibility with being able to do date calculations and Analytics.

    Wrong concept.

    Not the start and end date of a specific contract.

    The term of a generic contract.

    Think "annual subscription", "one-month trial", etc.

     

  11. Is it necessary to have the units of measurement in a column name?

    I want to add the column "contract_term" to my table, but it will store things in terms of MONTHS, so an annual membership would have a value of 12.  (This is easier than needing a second column for units or dealing with decimals.)

    I could have "contract_term_mths" but that sorta looks weird.

    Thoughts?

     

  12. 4 minutes ago, kicken said:

    Because those are the name/value pairs for the form.  Every form is going to have something different there.   The one in my image is from an XHR request that this site uses to check for new replies to a thread.

    Aha.

     

    4 minutes ago, kicken said:

    Yes.

    That example doesn't need break points, it's a simple form where you'd just modify the DOM with the inspector tool like you mentioned above.  Find the <input> tag you want to change and modify its value attribute.

    Okay.

    (So if user went to an e-commerce site that just submitted the product_price to the server and had no validation (e.g. <> 0), then he/she could get a hell of a deal on something, right?)

     

    4 minutes ago, kicken said:

    The school's website used a JS library to scan a QR code using a webcam and then made an XHR request with the data to perform the login.  That type of situation is where you need to use break points and it's done via the Debugger tab in the XHR Breakpoints panel.  Click the  + to add one and enter some URL text to stop on.

    Okay.  Since I don't know Javascript, I guess that doesn't mean much to me right now, but hopefully some day it will?!

     

    4 minutes ago, kicken said:

    You probably saw it in the Cookies panel.  Like everything else, there's nothing to stop someone from modifying that value to whatever they want.  Like the product ID though, it doesn't matter much if they do.   Most likely whatever they change it to would be invalid and just result in them starting a new session.  If they did happen to change it to another valid session ID then they'd inherit that session.  This is why session IDs need to be long, random and should not be shared.

    So, presumably, PHP's choice of session variable length is sufficiently long to prevent that issue, right?

    Are there other things you can do to protect session data?

    And would using https help in any way?
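The three session questions in the post above (is PHP's ID long enough, what else protects session data, does HTTPS help) come down to a handful of settings. The following is an added example, not kicken's or the site's own code. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params and setcookie) and that the production site is served over HTTPS; the function names configureSession, loginMember and logoutMember are invented for the example. On the length question: PHP 7.1 and later draw session IDs from a CSPRNG, 32 characters of 4 bits each by default, so guessing one is not the realistic risk; the ID leaking in transit, being readable by injected script, or being fixed in advance by someone else are, and those are what the settings below address.

```php
<?php
// Added example (not from the thread): hardening PHP's built-in session handling.
// Assumes PHP >= 7.3. Function names are made up for this example.

declare(strict_types=1);

function configureSession(bool $https): void
{
    // Refuse IDs the server never issued: a guessed or attacker-supplied cookie value
    // is discarded and a fresh ID generated, instead of PHP adopting it as-is.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => $https,   // sent over HTTPS only, so it cannot be read off the wire
        'httponly' => true,     // not readable from JavaScript, limiting what an XSS bug can steal
        'samesite' => 'Lax',    // not attached to most cross-site requests (CSRF)
    ]);
    session_start();
}

function loginMember(int $memberId): void
{
    // Swap the ID at the privilege boundary: an ID handed out (or planted) before login
    // is worthless afterwards, and the old session file is deleted.
    session_regenerate_id(true);
    $_SESSION['member_id']    = $memberId;
    $_SESSION['logged_in_at'] = time();
}

function logoutMember(): void
{
    $_SESSION = [];
    // Expire the cookie with the same attributes it was set with, then destroy server state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage: detect HTTPS from the request and start the hardened session.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
configureSession($https);
```

The `secure` flag is the part that depends on HTTPS: without TLS the cookie, and therefore the session, travels in the clear on every request, which is the direct answer to "would using https help". `use_strict_mode` is what makes kicken's "they'd inherit that session" case require knowing a real, live ID rather than being able to plant one.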

     

  13. 37 minutes ago, kicken said:

    Click on the request and it will open all the details in a side panel.  One of the tabs of that panel is Params that shows the data that was submitted.  There's lots of other info in the other panels that may be useful too.

    [image: Firefox dev tools screenshot of the Network panel request details]

    That depends a bit on how things are set up and what you want to do.   

    Okay, I see that now, but I don't have a do/type/lastSessID/csrf key.

    I just see hidden_field

     

    37 minutes ago, kicken said:

    Firefox has an Edit and Resend button you can use to craft a new request.  This just sends the request and shows the response in the dev tools, it won't cause the page to change or trigger any result processing in javascript.

    If I change the <input value="..."> using the Inspector and resubmit the form, then I assume it would submit that new value to the server, right?

     

    37 minutes ago, kicken said:

    If the form is a standard HTML form, just inspect it in the dom and modify the values then submit it.

    I looked under DOM, but there were tons of attributes and things seem to repeat several times - it was impossible to figure out what was of value or where to change things!

     

    37 minutes ago, kicken said:

    In the case of the schools site, the request was done via XHR so I set a break point on XHR requests (Debugger -> XHR Breakpoints) to find where the request originated from, then set another break point before the XHR request so I could modify the variables used to generate the request.

    How would I add a breakpoint and mimic what you did on your niece's school site on the code @maxxd provided?

    (I know how to step through my PHP using NetBeans, but not in Firefox Dev Tools.)

     

    37 minutes ago, kicken said:

    Nowhere in particular.  It's just something you learn to do after being a web developer for years.

    I thought maybe you were an ethical hacker or something?

     

    Also, I thought when I was poking around - forget where now - that I saw the Session ID.

    What is to stop a user or hacker from screwing with that?

     

  14. 11 minutes ago, kicken said:

    If you go to the network tab of the dev tools and look at the requests it will show you exactly what was submitted by the form.  Nothing on the client side of things is safe from tampering.

    I went under Firefox > Developer Tools > Network and then I clicked the "Submit Query" button on my form and Firefox shows a POST and a GET method.

    Where do I go to see what was submitted?

    And how would I change that?

     

    11 minutes ago, kicken said:

    I used all these tools/techniques a couple weeks ago to "hack" my way into my niece's school platform as their javascript QR code reader wasn't working and that's the only way she had to log in.  I submitted a few bad login attempts with the dev tools open to see how they were submitting the data.  After that I scanned her QR code with my phone to get the data then used the dev tools to change the data prior to submission so it was correct and got her logged in.

     

    So where did you learn how to do that?

     

  15. 12 hours ago, maxxd said:

    Load the script into your browser and click the submit button; see where 'not set' changes to 'originally set!'? Groovy - now, open your developer tools from the browser and select the field with the 'hidden_field' name attribute and change the value attribute on that field to 'hacked, yo!'. Now click the submit button again. Without any sort of validation or server-side checking, the form happily passes 'hacked, yo!' to the processing script, and if that script processed a product price the user could easily change it to 0.00 or less.

    Just tried this out, and that is pretty cool!! 😃

    So you can edit the HTML with Firefox's Developer Tools, but is there a way to fiddle with the PHP?  (Presumably not, because the PHP is on the server...)

    Also, is there a way to reset the $_POST variable?

     

    12 hours ago, maxxd said:

    *edit* If they mess with the product ID.... well, honestly who cares? They'll just end up paying the correct price and getting a different product. It doesn't really help them out at all.

    So with this hack, they can alter what information gets submitted in the form, but it's not like they can read what was submitted, right?

  16. @maxxd

    9 minutes ago, maxxd said:

    Load the script into your browser and click the submit button; see where 'not set' changes to 'originally set!'?

    Groovy - now, open your developer tools from the browser and select the field with the 'hidden_field' name attribute and change the value attribute on that field to 'hacked, yo!'.

    Now click the submit button again. Without any sort of validation or server-side checking, the form happily passes 'hacked, yo!' to the processing script, and if that script processed a product price the user could easily change it to 0.00 or less.

    I don't have access to my dev environment right now, but it sounds like you are saying that in Firefox Developer Tools I would be able to see all of the HTML form elements in the tool?

    Because if a field is "hidden" you wouldn't be able to see it on the actual form.

    Is that what you are saying?

    (I'll try your example later, just wanted to clarify while you are here.)

     

    9 minutes ago, maxxd said:

    *edit* If they mess with the product ID.... well, honestly who cares? They'll just end up paying the correct price and getting a different product. It doesn't really help them out at all.

    Yeah, good point.

     

    Is there a way to make it so they cannot discover things like the "product_id" in a hidden field?

    Any ways to protect things better?


  17. 6 minutes ago, maxxd said:

    Pass a product ID and quantity to the order form, then get the product price from the database and calculate the total price at that point. These fields should both be visible to the user. You can use a hidden honeypot or nonce field if you really want to, but if you're charging money I'm not sure many bots would actually pay for something at random (though I could be wrong so don't quote me on that).

    I'm sorry I'm asking such newbie questions, but I have even forgotten HTML?!

    As I recall, when you submit an HTML form, each field/control has a "name=" attribute, right?

    So if you had a form with "First Name" and "Last name", then you'd have two fields, each with its own "name=" right?

     

    In this case, I guess I might have a text-box where the user would enter a "Quantity" so that will have a "name=", right?

    And then there will be my "Add to cart" button.  Now does that have a "name=" as well where I can pass the "Product ID" or would I need to use a hidden field to help pass the "Product ID"?

    (I'm not trying to deceive the customer, I am just trying to recall how and where to pass the values so they show up in my $_POST array.)

     

    6 minutes ago, maxxd said:

    The only time you should deal with the price on the server-side (other than for output purposes) is when the order is being completed - you need to make sure the user doesn't use the developer tools to change the price during the sale, but once the sale is made you need to track how much the product cost at the time of the purchase in case the price changes in the future (which it will).

    Can you explain a little more how they would do that if I had a hidden "Price" field?  (Not trying to be a hacker, just to understand how hackers would take over!)

     

    Also, if a user or hacker could manipulate a hidden "Price" field, then couldn't they do the same thing with the "Product ID"?
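To make maxxd's advice concrete (the client sends only product_id and quantity, the price is looked up server-side, and the price paid is recorded at purchase time), here is an added example that is not maxxd's or the site's own code. Both handlers are plain functions that take the submitted fields as an array, which is exactly what $_POST holds, so they can be exercised with constructed input. CATALOG, addToCartTrustingClient and addToCartServerPriced are names invented for the example, and the catalog array stands in for a PRODUCT table.

```php
<?php
// Added example (not from the thread): a cart handler that trusts a hidden price field
// next to one that prices the item from the server-side catalog. Names and data are
// constructed for this example.

declare(strict_types=1);

// Stand-in for the PRODUCT table. Prices in cents to avoid float rounding.
const CATALOG = [
    42 => ['name' => 'Annual subscription', 'price_cents' => 9900],
    7  => ['name' => 'T-shirt',             'price_cents' => 1995],
];

// Vulnerable: whatever value sits in <input type="hidden" name="price"> is used as-is.
// Editing that attribute in the DOM inspector, or resending the POST with a changed
// value, is all it takes; nothing on the client side can prevent that.
function addToCartTrustingClient(array $post): array
{
    $qty   = (int) $post['quantity'];
    $price = (float) $post['price'];      // attacker-controlled
    return ['product_id' => (int) $post['product_id'], 'qty' => $qty, 'total' => $qty * $price];
}

// Hardened: product_id and quantity are the only inputs, both validated, and the price
// is read from the catalog. A tampered product_id just buys a different product at its
// real price (maxxd's "who cares" case), so that field can be visible in the form.
function addToCartServerPriced(array $post): array
{
    $productId = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($productId === false || $qty === false) {
        throw new InvalidArgumentException('invalid product_id or quantity');
    }
    if (!array_key_exists($productId, CATALOG)) {
        throw new OutOfRangeException('unknown product');
    }
    $unit = CATALOG[$productId]['price_cents'];
    // Store the unit price with the order line: later catalog changes must not rewrite
    // what the customer actually paid.
    return [
        'product_id'  => $productId,
        'qty'         => $qty,
        'unit_cents'  => $unit,
        'total_cents' => $unit * $qty,
    ];
}

// Constructed POST body as it would arrive after the hidden price was edited to 0.01.
$tampered = ['product_id' => '42', 'quantity' => '1', 'price' => '0.01'];

print_r(addToCartTrustingClient($tampered));  // total comes from the edited field
print_r(addToCartServerPriced($tampered));    // the extra "price" field is simply ignored

// A negative quantity (another common hidden-field edit) is rejected outright.
try {
    addToCartServerPriced(['product_id' => '42', 'quantity' => '-5']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run from the command line with `php example.php`. The first print shows the "hell of a deal" asked about earlier in the thread; the second shows that once the server never reads a price from the request, there is nothing left in the form worth editing.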

     

    The only time I need to use a hidden HTML field is if I have to submit multiple values or some special value related to the form itself, right?

    So I think I can just submit the "price_id" using the name= in the HTML form control and that will get passed with my $_POST array, right?

    (Sorry, I have been away from all of this for like 4 years!!)

     

  19. 15 minutes ago, requinix said:

    Is it, though? Always a link? And always coming from your website?

    Okay, I see.

     

    15 minutes ago, requinix said:

    It's easier to just write /?, but yes.

    Okay.

     

    15 minutes ago, requinix said:

    Spend some time learning about canonical URLs and what they mean to search engines.

    Oh, right.  I remember those now.  I see your point.

     

    15 minutes ago, requinix said:

    Nope. I wanted you to describe, in technical detail, exactly how mod_rewrite is going to match a URL like /shop/movies/and/more/ against your regex. To understand what it's doing and what your syntax actually translates into.

    True, but my point was that the category should probably just have been "movie". Right? The .+ matched everything up to the end, and not just the portion up to the next slash.

    I think you missed the end of my last response...

     

    Are you hinting at...

    	RewriteRule /shop/([^/]+)(/)?$     /shop/product-catalog.php?category=$1 [L, QSA]
    	

     

    I think that addresses your concern about "/movie/and/something/else/", right?

     

  20. 14 minutes ago, requinix said:

    Pretty good, but there's a couple things I should point out:

    1. You require a trailing slash at the end of the path. You should make that optional (it's not significant to the meaning of the URL)

    If the URL is always coming from a hyperlink then is it much concern?  (I don't expect people to type in the URL, although they could.)

     

    Are you wanting something like this?

    	RewriteRule /shop/(.+)(/)?$     /shop/product-catalog.php?category=$1 [L, QSA]
    	

     

    14 minutes ago, requinix said:

    and then enforce the canonical version (presumably with a slash) in code.

    Not sure I understand what you mean here...

     

     

    14 minutes ago, requinix said:

    2. .+ will match as much as it possibly can. What will happen if the pattern tries to match against /shop/movies/and/more/ ?

    A period (.) means "any character".

    A plus sign (+) means "one or more".

     

    Is your problem with requiring at least one character?

     

    Well, there is no category for "movie/and/more"

    Are you hinting at...

    	RewriteRule /shop/([^/]+)(/)?$     /shop/product-catalog.php?category=$1 [L, QSA]
    	

     

  21. 22 minutes ago, requinix said:

    Spend a minute reminding yourself about how URLs work.

    Learn about mod_rewrite's [QSA] flag.

    How about this...

     

    Pretty URL:

    	/shop/movies/?view=listing
    	

     


    RewriteRule /shop/(.+)/$     /shop/product-catalog.php?category=$1 [L, QSA]

     

  22. 9 minutes ago, requinix said:

    Right. The path portion identifies a particular thing. "Resource". Like the page that shows a category is a resource, and the page showing a particular product is a resource. If you want to change how that source is presented then stick it in the query string.

    Okay, but I'm a little unsure of the syntax to apply your suggestions.

     

    Pretty URL:

    	/shop/movies/?view=listing
    	

    Do I need an ampersand (&) here instead of a question mark (?)

     

    Ugly URL:

    	/shop/product-catalog.php?category=movies&view=listing
    	

     

    And not sure about the mod_rewrite...

    	RewriteRule /shop/(.+)/________     /shop/product-catalog.php?category=$1&view=$2 [L]
    	

     

    How do I get ?view=listing into variable $2??
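The three posts above (the greedy `.+` versus `[^/]+` question, the optional trailing slash, and how `?view=listing` reaches the script) can be checked without touching Apache, because PHP's preg_match uses PCRE, the same regex engine mod_rewrite uses. The following is an added example, not requinix's or the thread's own code. It applies each thread pattern to the path part of a URL only, which is all mod_rewrite ever matches, and then appends the query string the way the [QSA] flag does; rewriteCategoryUrl, GREEDY_RULE and ONE_SEGMENT_RULE are names invented for the example, the URLs are constructed, and a leading ^ anchor has been added to each pattern so it is tested against the whole path.

```php
<?php
// Added example (not from the thread): what $1 captures for the two RewriteRule
// patterns discussed above, and what [QSA] adds. Names and URLs are constructed.

declare(strict_types=1);

// Patterns as written in the thread, anchored at the start of the path.
const GREEDY_RULE      = '#^/shop/(.+)/$#';        // .+ grabs as much as it can; slash required
const ONE_SEGMENT_RULE = '#^/shop/([^/]+)(/)?$#';  // one path segment; trailing slash optional

/**
 * Mimics a single RewriteRule plus [QSA]. The pattern sees only the path: the query
 * string is never part of what RewriteRule matches, so it cannot land in $2. [QSA]
 * then re-attaches the original query string to the rewritten target.
 * Returns null when the rule would not fire.
 */
function rewriteCategoryUrl(string $pattern, string $url): ?array
{
    $parts = parse_url($url);
    $path  = $parts['path'] ?? '';
    $query = $parts['query'] ?? '';

    if (preg_match($pattern, $path, $m) !== 1) {
        return null;
    }

    // Target from the thread: /shop/product-catalog.php?category=$1 [L,QSA]
    $target = '/shop/product-catalog.php?category=' . $m[1];
    if ($query !== '') {
        $target .= '&' . $query;   // what QSA does; without it ?view=listing is dropped
    }
    return ['category' => $m[1], 'target' => $target];
}

// Constructed URLs covering the cases raised in the thread.
$urls = [
    '/shop/movies/',               // the intended case
    '/shop/movies',                // no trailing slash
    '/shop/movies/and/more/',      // the case requinix asked about
    '/shop/movies/?view=listing',  // pretty URL carrying a query string
];

foreach ($urls as $url) {
    $greedy = rewriteCategoryUrl(GREEDY_RULE, $url);
    $single = rewriteCategoryUrl(ONE_SEGMENT_RULE, $url);
    printf("%-28s  .+ rule: %-50s  [^/]+ rule: %s\n",
        $url,
        $greedy === null ? 'no match' : $greedy['target'],
        $single === null ? 'no match' : $single['target']);
}
```

Running it shows the difference in one screen: the `.+` rule hands the script `category=movies/and/more` for the deep path and does not fire at all for `/shop/movies`, while the `[^/]+` rule captures only `movies`, accepts the URL with or without the slash, and refuses the deep path. The `view=listing` parameter appears in the target only because of the QSA step, which is why it never needs a capture group of its own.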


  23. 4 minutes ago, requinix said:

    Yes. It's all much easier if you can set a pattern and use it for one specific purpose. /shop/thing browses a category, /shop/thing/thing shows an item in that category. You don't have to do any complicated logic about whether any part is a particular keyword and then have to change what the page does. Don't have to set up multiple URL rewriting rules to handle different exceptions to each pattern.

    So if I am going to do pretty URLs, then save them for where things are organized much like a filing system?

    And then leave things like sorting, filtering, product attributes for the query string?
