Open: system/library/cart.php and replace with
Here is the code to do it. Try it and comment if you get an error.
Prepared statements and parameterized queries prevent SQL injection. Full post at nextun blog.