Back button problem: PHP-to-MySQL form
Posted: Fri Oct 18, 2002 1:29 am
Hi to everyone,
I am developing a MySQL / PHP based website with a superuser level to define workflows, objects etc. and different GUIs for 'normal' users to add, alter or to delete content to/from the DBs. It's all working fine except the back button problem.
To alter a data record, the user has to select the record from a list and to hit a link like
Code: Select all
<?php
change.php3?department=$department&aid=$id
?>
Afterwards, he gets a form with all the DB stuff related to this record:
Code: Select all
<?php
$LANG = 'en';
# Record id and department arrive in the query string of the link above
$department = $_GET["department"];
$aid = $_GET["aid"];
$hostname = "localhost";
$username = "xxx";
$password = "xxx";
$dbName = "DBsomewhat";
$userstable = "tablesomewhere";
MYSQL_CONNECT($hostname,$username,$password) OR DIE("Database connection failed.");
@mysql_select_db("$dbName") or die("Database not found.");
# Load the selected record to fill the form
$query = "SELECT id, l01, ..., l44 FROM $userstable WHERE id = '$aid'";
$erg = MYSQL_QUERY($query);
$numrows = MYSQL_NUM_ROWS($erg);
if ($numrows > '0') {
    $i = 0;
    $id = mysql_result($erg,$i,"id");
    $l01 = mysql_result($erg,$i,"l01");
    $l02 = mysql_result($erg,$i,"l02");
    #a lot more
    $l43 = mysql_result($erg,$i,"l43");
    $l44 = mysql_result($erg,$i,"l44");
}
else {}
?>
<FORM ACTION>...</FORM>
When finished working, the form is sent to a PHP script which does
Code: Select all
<?php
$LANG = 'en';
# Record id and field values arrive in the POSTed form
$department = $_POST["department"];
$aid = $_POST["aid"];
$l01 = $_POST["l39"];
$l02 = $_POST["l40"];
# a lot more
$l43 = $_POST["l33"];
$l44 = $_POST["l43"];
$hostname = "localhost";
$username = "xxx";
$password = "xxx";
$dbName = "DBsomewhat";
$userstable = "tablesomewhere";
MYSQL_CONNECT($hostname,$username,$password) OR DIE("Database connection failed.");
@mysql_select_db("$dbName") or die("Database not found.");
# Replace the record: delete the old row, then insert the new values
$dquery = "DELETE FROM $userstable WHERE id='$aid'";
$derg = MYSQL_QUERY($dquery);
$query = "INSERT INTO $userstable (l01, l02, ..., l43, l44) ";
$query=$query."VALUES('$l01', '$l02' ..., '$l43', '$l44')";
$erg = MYSQL_QUERY($query);
?>
and displays the changes he made. BUT: if he then hits the back button, $aid is lost and a DoS attack on Apache logs starts
... has anyone an idea how I can effectively bar the user from hitting the back button?
Thanx in advance, the_wolf
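Added example, not part of the original post and not the poster's code: one way to write the update script so that a request without a valid `aid` does no database work, the values are bound as parameters instead of being pasted into the SQL string, and the result page is reached through a redirect rather than being the response to the POST. It assumes PHP with mysqli, a hypothetical list page `list.php` and hypothetical form field names `l01` and `l02`; database and table names are the post's placeholders.

```php
<?php
// Added example (hypothetical update.php). Only two of the l01..l44 columns are shown.

// Return a positive integer id, or null when the value is missing or malformed.
function valid_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return is_int($id) ? $id : null;
}

// Return a POSTed field as a string; arrays and missing fields become ''.
function post_str(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

$aid = valid_id($_POST['aid'] ?? null);
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $aid === null) {
    // Back button, reload or bare GET: no record id, so touch nothing
    // and send the user to the record list (list.php is an assumption).
    header('Location: list.php', true, 303);
    exit;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly, not silently
$db = new mysqli('localhost', 'xxx', 'xxx', 'DBsomewhat');

// One UPDATE instead of DELETE + INSERT: the row keeps its id, and a
// failure cannot leave the record deleted without a replacement.
$l01 = post_str('l01');
$l02 = post_str('l02');
$stmt = $db->prepare('UPDATE tablesomewhere SET l01 = ?, l02 = ? WHERE id = ?');
$stmt->bind_param('ssi', $l01, $l02, $aid);
$stmt->execute();

// Post/Redirect/Get: the browser lands on a GET URL that carries aid, so
// back and reload re-request that page instead of replaying the POST.
$target = 'change.php3?' . http_build_query([
    'department' => post_str('department'),
    'aid'        => $aid,
]);
header('Location: ' . $target, true, 303);
exit;
```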