I have a script which works for adding user comments to the database after form submission. The form needs to be fine-tuned, but I can do it later (captcha, e-mail validity check, htmlentities etc.).
In order to prevent the form resend problem, I want to use the technique below that I found on the web:
create a random string (a hash), which I stored in a session variable and echoed into a hidden <input> element in my form page.
Then, once the data had been submitted, I had my action page match the session variable to the value of the <input> element. If they matched, I unset the session variable and processed the form. If they didn't, I simply redirected the user back to the form page.
I don't know how to do it / where to put which code, so can you help me to modify my simple comment script? As I read it, I think that the critical keywords are hash & session.
If I really have to split the action page, please also describe that too. All DETAILED help will be appreciated. (Non-critical text in the script is in Turkish.)
Best regards
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Note: this single-page script refers (action="") to itself. It is used for user comments on the articles.
<?php
// The page is opened as yazi.php?id=N; cast the id so it is safe to use in SQL.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

if (isset($_POST['submit']))
{ // if submitted
    // was the form filled in correctly?
    if (!$_POST['nisim']) die('İsminizi yazmalısınız.');
    if (!$_POST['neposta']) die('Geçerli e-posta adresinizi yazmalısınız.');
    if (!$_POST['nyorum']) die('Yorum yazmalısınız.');

    // escape user input before it goes into SQL
    $nisim   = mysql_real_escape_string($_POST['nisim']);
    $neposta = mysql_real_escape_string($_POST['neposta']);
    $nyorum  = mysql_real_escape_string($_POST['nyorum']);
    $ip      = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

    // user must wait 5 min to comment again (server clock, not the hidden nysaati field, which the client can change)
    $c = "SELECT ipadresi, MAX(yorumsaati) FROM dis_yorumonay WHERE ipadresi = '$ip'";
    $c2 = mysql_query($c);
    if (!$c2) die(mysql_error());
    while ($rwo = mysql_fetch_row($c2)) {
        if ($rwo[1] !== null && (time() - $rwo[1]) < 300) die('Son yorumunuz üzerinden 5dk geçmiş olmalıdır.');
    }

    // add comment to db (IP, date and time are taken server-side)
    $sqlyrmekle = "INSERT INTO dis_yorumonay SET adsoyad='$nisim', eposta='$neposta',
        yorum='$nyorum', yazino='$id', ipadresi='$ip', yorumtarihi='" . date('Y-m-d') . "',
        yorumsaati='" . time() . "', onaydurumu='bekliyor'";
    if (!mysql_query($sqlyrmekle)) die(mysql_error());
}
else
{ // if not submitted
    // show existing comments
    $qy = "SELECT * FROM dis_yorumonay WHERE yazino = '$id' AND onaydurumu = 'olumlu' ORDER BY yorumtarihi DESC";
    $qym = mysql_query($qy);
    if (!$qym) die(mysql_error());
    while ($row = mysql_fetch_row($qym))
    {
        // escape output so a stored comment cannot inject HTML into the page
        echo '<div id="' . (int) $row[0] . '">' . "\n";
        $yrm = htmlspecialchars($row[4]); echo '<p>' . $yrm . "</p>\n";
        $adsyd = htmlspecialchars($row[1]); echo '<p>' . $adsyd . "</p>\n";
        $trh = htmlspecialchars($row[5]); $saat = htmlspecialchars($row[6]);
        echo '<p>' . $trh . ' [ ' . $saat . " ]</p>\n</div>\n";
    }
}
?>
<div id="yorumformu">
<form method="post" action="<?php echo htmlspecialchars($siteurl . '/php/yazi.php?id=' . $id); /* page refers to itself */ ?>" enctype="multipart/form-data">
<fieldset>
<input type="hidden" name="nipadresi" value="<?php echo htmlspecialchars($_SERVER['REMOTE_ADDR']); ?>" />
<input type="hidden" name="nytarihi" value="<?php echo date("Y-m-d"); ?>" />
<input type="hidden" name="nysaati" value="<?php echo time(); ?>" />
<table>
<tr>
<th>İsim:</th>
<td>
<div class="input"><input name="nisim" type="text" value="" /></div>
</td>
</tr>
<tr>
<th>E-posta:</th>
<td>
<div class="input"><input name="neposta" type="text" value="" /></div>
</td>
</tr>
<tr>
<th>Yorum:</th>
<td>
<div class="input"><textarea name="nyorum" cols="45" rows="6"></textarea></div>
</td>
</tr>
<tr><th></th><td><input name="submit" id="submit" class="submit" type="submit" value="Submit" /></td></tr>
</table>
</fieldset>
</form>
</div><!-- yorumformu sonu -->
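The session-token technique described in the post, applied to this comment form as an added example (this is not the poster's code). It assumes PHP 7 or later (for `random_bytes` and `??`), a PDO connection whose DSN and credentials are placeholders, and the table and column names from the script above; the hidden field name `form_token` is an assumption. The token stops the same form from being processed twice, and the redirect after a successful insert (Post/Redirect/Get) is what stops the browser from offering to resend the POST on refresh.

```php
<?php
// Added example: session token + Post/Redirect/Get for the comment form above.
// Assumes PHP 7+, a PDO connection (placeholders below) and the original table/columns.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$id   = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$self = 'yazi.php?id=' . $id;   // the page refers to itself, as in the original

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. Compare the hidden field with the token stored in the session.
    //    hash_equals() is a constant-time comparison; a missing token fails.
    $expected = isset($_SESSION['form_token']) ? $_SESSION['form_token'] : '';
    $given    = isset($_POST['form_token']) ? $_POST['form_token'] : '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        // Stale or duplicate submission: back to the form, nothing is processed.
        header('Location: ' . $self);
        exit;
    }
    // 2. Invalidate the token before processing, so a second submit of the same form cannot pass.
    unset($_SESSION['form_token']);

    // 3. Validate input server-side (the original checked only non-emptiness).
    $name    = trim($_POST['nisim'] ?? '');
    $email   = trim($_POST['neposta'] ?? '');
    $comment = trim($_POST['nyorum'] ?? '');
    if ($name === '' || $comment === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        die('Please fill in your name, a valid e-mail address and a comment.');
    }

    // 4. Rate limit: the last comment from this IP must be at least 5 minutes old.
    //    The server clock is used, never a client-supplied timestamp.
    $st = $pdo->prepare('SELECT MAX(yorumsaati) FROM dis_yorumonay WHERE ipadresi = ?');
    $st->execute([$_SERVER['REMOTE_ADDR']]);
    $last = (int) $st->fetchColumn();
    if ($last && time() - $last < 300) {
        die('At least 5 minutes must pass since your last comment.');
    }

    // 5. Insert with a prepared statement instead of string-built SQL.
    $ins = $pdo->prepare('INSERT INTO dis_yorumonay
        (adsoyad, eposta, yorum, yazino, ipadresi, yorumtarihi, yorumsaati, onaydurumu)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?)');
    $ins->execute([$name, $email, $comment, $id, $_SERVER['REMOTE_ADDR'],
                   date('Y-m-d'), time(), 'bekliyor']);

    // 6. Post/Redirect/Get: reload the page via GET so a refresh does not re-POST.
    header('Location: ' . $self . '&ok=1');
    exit;
}

// GET: issue a fresh random token for this rendering of the form.
$_SESSION['form_token'] = bin2hex(random_bytes(32));
$token = $_SESSION['form_token'];
?>
<form method="post" action="<?php echo htmlspecialchars($self, ENT_QUOTES, 'UTF-8'); ?>">
  <input type="hidden" name="form_token" value="<?php echo $token; ?>" />
  <input name="nisim" type="text" />
  <input name="neposta" type="text" />
  <textarea name="nyorum"></textarea>
  <input name="submit" type="submit" value="Submit" />
</form>
```

No split into a separate action page is needed: the POST branch is the action page and the GET branch renders the form. The hidden IP/date/time fields of the original are dropped here because the server already knows those values and a client can set the hidden fields to anything.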