<form method="post" action="add-cart.php">
  <input type="hidden" name="product_id" value="123">
  <label>Quantity:</label>
  <input type="number" name="num" value="1" min="1" max="99">
  <button type="submit">Add to Cart</button>
</form>
add-cart.php is a backend script (typically written in PHP) that handles the logic of adding a product to a user's session-based shopping cart. The num parameter (short for number, meaning the quantity) indicates that the script expects to receive a specific quantity of an item rather than defaulting to one.
Even if a negative number slips into the cart database, the final checkout script must enforce business rules:
Prevents friction and error pages at the final step of checkout.
echo "Added " . htmlspecialchars($quantity) . " of " . htmlspecialchars($product['name']);
$product_id = isset($_POST['product_id']) ? (int)$_POST['product_id'] : 0;
$quantity = isset($_POST['num']) ? (int)$_POST['num'] : 1;
Return JSON, redirect, or render a message.
// 4. Update cart session
if (!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = [];
}
// In add-cart.php
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    die("CSRF token validation failed.");
}
In these contexts, the script typically processes the addition of a specific item to a user's session-based or database-driven shopping cart.
The number of units the customer wants to add, often captured under the parameter name num or qty.
How the Request Flows
Validate that the quantity is a positive integer and that the final price calculation on the server side is never affected by negative or zero values:
An attacker can send: add-cart.php?id=105&num=1 UNION SELECT password FROM admin_users --
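One way to implement the quantity check and defuse the injected num value shown above, as an added example that is not code from the original page. The names parse_int_in_range() and add_to_cart(), the products table and its sample row are hypothetical; the 1 to 99 range is taken from the form's min and max attributes.

```php
<?php
// Added example: helper names and the products table are hypothetical.

// Accept only a whole number inside [$min, $max]. A bare (int) cast would turn
// "1 UNION SELECT ..." into 1 and "-5" into -5; FILTER_VALIDATE_INT rejects both.
function parse_int_in_range($raw, int $min, int $max): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays such as num[]=1 are not valid input
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

function add_to_cart(PDO $db, array &$cart, $rawId, $rawNum): bool
{
    $id  = parse_int_in_range($rawId, 1, PHP_INT_MAX);
    $num = parse_int_in_range($rawNum, 1, 99);
    if ($id === null || $num === null) {
        return false;
    }
    // Bound parameter: the id is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id FROM products WHERE id = ?');
    $stmt->execute([$id]);
    if ($stmt->fetch(PDO::FETCH_ASSOC) === false) {
        return false; // unknown product
    }
    // Cap the running total too, so repeated requests cannot exceed the limit.
    $total = ($cart[$id]['quantity'] ?? 0) + $num;
    if ($total > 99) {
        return false;
    }
    $cart[$id] = ['quantity' => $total];
    return true;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, price_cents INTEGER)');
$db->exec('INSERT INTO products VALUES (105, 1999)');

$cart = []; // stands in for $_SESSION['cart']
foreach (['2', '-5', '0', '1 UNION SELECT password FROM admin_users --', '98'] as $num) {
    $ok = add_to_cart($db, $cart, '105', $num);
    printf("%-48s %s\n", var_export($num, true), $ok ? 'accepted' : 'rejected');
}
```

The checkout script should run the same range check again on every cart line before pricing, since the session or cart table may hold values written by older code paths.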
header('Content-Type: application/json');
echo json_encode([
    'success' => true,
    'message' => 'Product added',
    'cart_count' => array_sum(array_column($_SESSION['cart'], 'quantity')),
]);