Phpgurukul Coupon Code Patched Online

Assign each coupon code a unique identifier and track its usage. Once a code has been redeemed, mark it as used in the database. Never rely on session variables or cookies alone to track usage.

```php
// $dbh is an existing PDO database connection
$stmt = $dbh->prepare("SELECT * FROM tblcoupons WHERE CouponCode = :code AND Status = 1 AND ExpiryDate >= CURDATE()");
$stmt->bindParam(':code', $coupon_input);
$stmt->execute();
$coupon = $stmt->fetch(PDO::FETCH_ASSOC);

if ($coupon) {
    if ($coupon['used_count'] < $coupon['usage_limit']) {
        // Apply discount logic here
        $discount = ($coupon['type'] == 'percentage') ? ($total * $coupon['value'] / 100) : $coupon['value'];
        $final_price = $total - $discount;
    } else {
        echo "Coupon usage limit reached.";
    }
} else {
    echo "Invalid or expired coupon.";
}
```

4. Best Practices for PHPGurukul Projects

Instead of passing discount amounts through the user's browser, the patched code stores coupon data securely in server-side sessions ($_SESSION).

Because the server trusted the total_amount sent from the client-facing form, attackers could alter the total price of an item to $0.01 or a negative number before submitting the coupon form.
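The snippet above checks the usage limit but never records the redemption, and it still takes the order total from the request. The following is an added example, not PHPGurukul's code, that covers both points from this page: the total is recomputed from prices stored on the server, and the limit check and the used_count increment happen in a single conditional UPDATE inside a transaction, so two concurrent requests cannot both slip under the limit. Column names on tblcoupons (CouponCode, Status, ExpiryDate, used_count, usage_limit, type, value) come from the article's snippet; the ID column on tblcoupons and the tblproducts table used for pricing are assumptions.

```php
<?php
// Added example (not the project's own code). Assumptions: tblcoupons has an
// integer primary key ID; product prices live in tblproducts(ID, Price).
declare(strict_types=1);

// Recompute the order total from server-side prices. $cart is
// [productId => quantity] taken from $_SESSION, never from the form.
function serverSideTotal(PDO $dbh, array $cart): float
{
    $total = 0.0;
    $stmt = $dbh->prepare("SELECT Price FROM tblproducts WHERE ID = :id");
    foreach ($cart as $productId => $qty) {
        $qty = max(0, (int)$qty);
        $stmt->execute([':id' => (int)$productId]);
        $price = $stmt->fetchColumn();
        if ($price === false) {
            throw new RuntimeException("Unknown product id " . (int)$productId);
        }
        $total += (float)$price * $qty;
    }
    return round($total, 2);
}

// Validate the coupon, consume one use atomically, and return the final price.
function redeemCoupon(PDO $dbh, string $code, float $total): array
{
    $dbh->beginTransaction();
    try {
        // Lock the coupon row for the duration of the transaction (InnoDB).
        $stmt = $dbh->prepare(
            "SELECT * FROM tblcoupons
             WHERE CouponCode = :code AND Status = 1 AND ExpiryDate >= CURDATE()
             FOR UPDATE"
        );
        $stmt->execute([':code' => $code]);
        $coupon = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$coupon) {
            $dbh->rollBack();
            return ['ok' => false, 'error' => 'Invalid or expired coupon.', 'final' => $total];
        }

        // The WHERE clause re-checks the limit, so check and increment are one
        // statement; rowCount() is 0 when the limit was already reached.
        $upd = $dbh->prepare(
            "UPDATE tblcoupons SET used_count = used_count + 1
             WHERE ID = :id AND used_count < usage_limit"
        );
        $upd->execute([':id' => (int)$coupon['ID']]);
        if ($upd->rowCount() !== 1) {
            $dbh->rollBack();
            return ['ok' => false, 'error' => 'Coupon usage limit reached.', 'final' => $total];
        }

        $discount = ($coupon['type'] === 'percentage')
            ? $total * (float)$coupon['value'] / 100
            : (float)$coupon['value'];
        // A discount can never exceed the total or push the price below zero.
        $discount = round(min(max($discount, 0.0), $total), 2);
        $final = round($total - $discount, 2);

        $dbh->commit();
        // Record the redemption server-side in addition to the database row.
        $_SESSION['applied_coupon'] = ['id' => (int)$coupon['ID'], 'discount' => $discount];
        return ['ok' => true, 'error' => null, 'final' => $final, 'discount' => $discount];
    } catch (Throwable $e) {
        $dbh->rollBack();
        throw $e;
    }
}

// Usage: cart from the session, coupon code from the form, total never from the form.
// $total  = serverSideTotal($dbh, $_SESSION['cart'] ?? []);
// $result = redeemCoupon($dbh, trim($_POST['coupon'] ?? ''), $total);
```

The conditional UPDATE is the important part: checking used_count in PHP and then incrementing it in a second statement leaves a window in which two requests both read a count below the limit. Pushing the comparison into the UPDATE's WHERE clause, under a row lock, closes that window, and the session entry is kept only as a convenience for the checkout page, not as the source of truth.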