I am trying to create a landing page for our company which runs on Magento Enterprise Edition 1.13. We use CMS pages for our landing pages and in the past we have been able to create custom add-to-cart buttons directly on the CMS page. It was very simple in fact, we would create a button and send the button to this URL endpoint:
<button class="button btn-cart" title="Add to Cart" onclick="setLocation('/n/magento/checkout/cart/add/product/644/qty/1')" type="button"><span><span>Add to Cart</span></span></button>
It was nice and simple and allowed us to really engage our visitors with awesome landing pages and the ability to add products to cart without leaving this highly optimized page.
You can read a StackOverflow post about the OLD way to do it here: Placing "Add to cart" button on homepage in Magento
However, this no longer works in Magento EE 1.13 according to Magento themselves.
I contacted our Magento support and explained to me that the syntax had changed, now requiring you to put your security hash in the URL. This seemed like a security concern to me, so I questioned it. I was then responded to stating that the security flaw was added to prevent developers from using this anymore without compromising their site. Essentially they are discouraging use of this. They said:
My developer indicated that the ability to add a product to the cart via a direct URL wasn't an intended functionality in Magento, and so the addition of the form_key value was meant to prevent its further use with the upgrade to 1.13.
So my question for all of you, is that if somoene wanted to create add-to-cart buttons on a CMS page, in order to add products without needing to send someone to a product page (where they would no longer be on our optimized landing page), how would I go about doing this?
Is there a way in Magento 1.13 to add a product to cart with a custom button that could be placed in custom HTML within a CMS page? Can this be done with a static block or widget? We really relied on this feature and are now questioning the purpose of Magento EE's $18K a year pricetag with this feature taken away. Please help, thanks!
There is a way to modify magento code to allow adding products to shopping cart without form key.
I will post the solution, but anyway I want to warn you that removing form key validation will enable CSRF attacks on your customers!
You need to edit app\code\core\Mage\Checkout\controllers\CartController.php
Find next piece of code:
public function addAction()
{
if (!$this->_validateFormKey()) {
$this->_goBack();
return;
}
Comment first 3 lines of this function:
public function addAction()
{
//if (!$this->_validateFormKey()) {
// $this->_goBack();
// return;
//}
Now it is possible to use static links.