Add-cart.php Num -

Leo clicked through to the checkout table. The order hadn't been placed yet. But the cart's total? $1,197.00. The user had effectively bypassed the "max 1 per customer" rule without triggering a single alarm. Not a hack. Not an SQL injection. Just the ugly poetry of concurrency.

But for the last three nights, someone had been bending the rules.

He closed the file. He'd fix add-cart.php tomorrow.

Leo smiled. He opened a new terminal and manually reduced the three rows to one. Then he added a note to the user's account: "Loyal customer. Approved for second pair on next restock. Also, nice race condition." add-cart.php num

Leo leaned back in his creaking office chair, the glow of three monitors painting his tired face in pale blue light. He was the senior backend engineer for Velvet & Sole , a boutique online shoe retailer that had, against all odds, become a cult hit. Their signature "Dragonhide 7X" boot sold out in eleven minutes every restock.

Three requests. Same session ID. Same product SKU: DRN-7X .

He opened the source file: add-cart.php . Leo clicked through to the checkout table

Leo swore under his breath. No BEGIN TRANSACTION . No FOR UPDATE . Just two naïve queries and a prayer. The three simultaneous POSTs had each run the SELECT , seen an empty cart, and each fired an INSERT . Three rows. Same product.

Instead, he clicked over to the user's profile. gh0st_walker had been a member for four years. Bought three pairs of boots, left glowing reviews each time. Their last order was a size 11—the same size in the ghost cart.

Three separate line items for the same boot. Quantity: 1. Three times. $1,197

But he didn't type a single line.

<?php // Legacy code. No locking. No transactions. $product_id = $_POST['product_id']; $user_id = $_SESSION['user_id']; $quantity = 1; // default // Check if item exists in cart $result = $db->query("SELECT * FROM cart WHERE user_id=$user_id AND product_id=$product_id"); if($result->num_rows == 0) { $db->query("INSERT INTO cart (user_id, product_id, quantity) VALUES ($user_id, $product_id, $quantity)"); } else { $db->query("UPDATE cart SET quantity = quantity + $quantity WHERE user_id=$user_id AND product_id=$product_id"); } ?>

He pulled up the session data. User ID: gh0st_walk3r . Cart contents: 1x DRN-7X (size 11). Then the log showed the pattern: add, add, add. The PHP script was supposed to increment quantity. But this user was triggering a race condition—three identical requests arriving before the first one finished writing to the database.