如何解决asp.net中的cookie问题

Question

I have a problem in asp.net. In shopping cart I use Cookies If I add a product 1st time to cart it will create a row of that product so if I click again on that button of same product I want that it only increases a quantity of that product and don't create a new row in cookies Here is my code

protected void btnAddtoCart_Click(object sender, EventArgs e)
{
Button obj = (Button)sender;
string id = obj.CommandArgument.ToString();
DataTable dt = d.select("select * from product where product_id="+id+"");
foreach (DataRow dr in dt.Rows)
{
product_id = Convert.ToInt32(dr["product_id"].ToString());
Product_name = dr["product_name"].ToString();
price = dr["price"].ToString();
image1 = dr["image1"].ToString();
}
quantity = 1;
if (Request.Cookies["Addtocart"] == null)
{
Response.Cookies["Addtocart"].Value = product_id.ToString() +" , "+ Product_name.ToString() + "," + price.ToString() + "," + quantity.ToString() + "," + image1.ToString();
Response.Cookies["Addtocart"].Expires = DateTime.Now.AddHours(1);
}
else
{
Response.Cookies["Addtocart"].Value = Request.Cookies["Addtocart"].Value +"|" + product_id.ToString() + " , " + Product_name.ToString() + "," + price.ToString() + "," + quantity.ToString() + "," + image1.ToString();
Response.Cookies["Addtocart"].Expires = DateTime.Now.AddHours(1);
}
}

Answer 1

You have several severe issues with this code.

First, your code is vulnerable to a SQL Injection attack. Your are concatenating strings to form your SQL query. What if someone manipulated the command argument on the button so that its value is 1; update products set price = 0; 1; update products set price = 0; ? They just managed to execute code on your system! The way we fix that is by using parameterized queries.

Another issue is that you are storing product pricing information in the client's cookie. Doesn't that sound dangerous? Any client with just a little know-how can modify their cookie so that all products cost $0. Instead, only store product ID and quantity in the cookie, then retrieve the product name and price yourself.

You've got a magic string in your code, "Addtocart". If you ever wanted to update that, you've got to change it in multiple places. Instead, create a constant for it, then reference that constant everywhere you need it. Then you'll only have one place where you need to update it.

DataTables are bad to use. They use up a lot of memory, they're difficult to work with, and just slower than using POCO's (Plain Old C# Objects) or "model" classes.

You're storing your data in the cookie in a custom format. That's going to be a pain in the ass to parse when you want to get the data back out of the cookie. Instead, use JSON or some other simple format.

You're storing product prices as strings. Don't do that! You can't do math with strings. When you work with money, use the decimal type.

Indent your code! It makes reading it much easier.

Here's your updated code fixing these issues:

First, we'll create a class that represents our product. Notice the price is of type decimal .

public class Product
{
    public string Id { get; set; }

    public string Name { get; set; }

    public decimal Price { get; set; }
}

This class will serve as a centralized location for retrieving data from our database about products.

public class ProductRepository
{
    private readonly string _connectionString;

    public ProductRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    public Product GetProductById(string productId)
    {
        using(var connection = new SqlConnection(_connectionString))
        {
            // I'm going to use Dapper here because it's super handy
            // https://github.com/StackExchange/Dapper
            var product = connection.QueryOne<Product>(
                @"select
                      Id,
                      Name,
                      Price
                  from
                      products
                  where
                      Id = @ProductId",
                new { ProductId = productId });

            return product;
        }
    }
}

These two classes will represent a particular product and quantity of that product that a user wants to purchase. This can be safely stored with the user as it doesn't contain price information.

public class CartItem
{
    public string ProductId { get; set; }

    public int Quantity {get; set; }
}

public class Cart
{
    public Dictionary<string, CartItem> Items { get; set; }

    public Cart()
    {
        Items = new Dictionary<string, CartItem>();
    }
}

This constant should be put in some central location.

public constant string ShoppingCartCookieName = "Cart";

Now for the actual logic of our page:

protected void btnAddtoCart_Click(object sender, EventArgs e)
{
    var addToCartButton = (Button)sender;
    // notice I don't call .ToString() below
    // because Button.CommandArgument is already a string
    var productId = addToCartButton.CommandArgument;            
    var cart = GetShoppingCartFromCookie();

    if(cart.Items.ContainsKey(productId)
    {
        //their cart already contained this product, so let's bump the quantity
        cart.Items[productId].Quantity += 1;
    }
    else
    {
        //their cart didn't contain this product, so we'll add it
        var cartItem = new CartItem { ProductId = productId, Quantity = 1 };
        cart.Items.Add(cartItem.ProductId, cartItem);                           
    }

    SaveShoppingCartToCookie(cart);
}

private void SaveShoppingCartToCookie(Cart cart)
{
    var cartJson = JsonConvert.SerializeObject(cart); //using Newtonsoft.Json
    Response.Cookies[ShoppingCartCookieName].Value = cartJson;
    Response.Cookies[ShoppingCartCookieName].Expires = DateTime.Now.AddHours(1);
}

private Cart GetShoppingCartFromCookie()
{
    if (Request.Cookies[ShoppingCartCookieName] == null)
    {
         return new Cart();
    }
    else
    {
        var existingCartJson = Response.Cookies[ShoppingCartCookieName].Value;
        // you may wish for some logic here to make sure the JSON can be converted
        // to a Cart since a user could have modified the cookie value.
        var cart = JsonConvert.DeserializeObject<Cart>(existingCartJson);            
        return cart;
    }
}

Notice that by the time I got done refactoring your add to cart logic, I didn't actually need to make a database call to obtain information about the product. So now it will run faster and be more efficient.