How to close this "little" hole in my code?
Hi,
I am programming a little piece of web software that runs on Internet Explorer and Firefox.
The user may fill out a form and submit the form, and it is working fine.
Now my problem is that the user can press "back" in IE and Firefox and then submit the same form again and again.
How do I make PHP code that can close this "little" hole in my code?
Best regards
Jess
- ronverdonk
- Forum Commoner
- Posts: 34
- Joined: Sat Jun 10, 2006 7:06 am
- Location: Netherlands
This is not such a 'little' hole. You can have 2 reasons for preventing a double submit:
1. You don't want a user (or a web robot) to be able to submit more times, because it can flood you and is annoying.
2. You want to prevent it because e.g. an order has been placed and you don't want double orders.
1. Use a captcha; that also assures you that it is a human being submitting and not a robot. When pressing back the captcha will regenerate, so the user must take action. It does not prevent a malicious human from submitting more than once, but at least that person has to retype the captcha before each submit.
2. Use a more robust way of setting a transaction identifier in the database, and checking at the next submit if that transaction has already been used.
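The transaction-identifier idea from the second remedy, worked out as a one-time form token; this is an added example, not code from the thread, and the field name form_token, the function names and the 30-minute lifetime are assumptions:

```php
<?php
// Added example (not the thread's code): a one-time form token, i.e. the
// "transaction identifier" idea; form_token and the lifetime are assumed.
session_start();
const TOKEN_TTL = 1800;   // seconds a token stays valid (assumed)

// Issue a fresh token when the form is rendered and remember it server side.
// Keeping a list (not a single value) lets several tabs hold their own token.
function issue_form_token(): string {
    $now = time();
    foreach ($_SESSION['form_tokens'] ?? [] as $t => $issued) {
        if ($now - $issued > TOKEN_TTL) {
            unset($_SESSION['form_tokens'][$t]);   // drop expired tokens
        }
    }
    $token = bin2hex(random_bytes(16));           // 128 bits, unguessable
    $_SESSION['form_tokens'][$token] = $now;
    return $token;
}

// Consume a token exactly once. Only the first valid use returns true; a form
// re-posted via the back button carries a token that was already removed.
function consume_form_token($token): bool {
    if (!is_string($token) || !isset($_SESSION['form_tokens'][$token])) {
        return false;
    }
    $issued = $_SESSION['form_tokens'][$token];
    unset($_SESSION['form_tokens'][$token]);      // consume before doing work
    return (time() - $issued) <= TOKEN_TTL;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        http_response_code(409);
        exit('This form was already processed or has expired.');
    }
    // ... validate the fields, then place the order / send the mail here ...
    // Redirect after a successful POST so reload and "back" do not re-POST.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}
$token = issue_form_token();
?>
<form method="post">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="field">
  <button type="submit">Submit</button>
</form>
```

The token is removed from the session before any work is done, so a form re-posted with the back button (or a double click) fails the check; the redirect after success keeps the browser from re-POSTing on reload.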
Hi ronverdonk,
Thanks for your answer.
I use a captcha in my script, and when the form is submitted the user must enter a word generated by FreeCap and then press submit again, and the form is submitted 100% (I use FreeCap 1.41 (http://www.puremango.co.uk/cm_php_captc ... pt_113.php)).
And now the user can press back, enter a new word generated by FreeCap and then submit the same form again.
Do you have any idea of how I can make this piece of "transaction identifier"? It sounds like a very good idea.
/Jess
jessdk wrote:
Hi ronverdonk,
Thanks for your answer.
I use a captcha in my script, and when the form is submitted the user must enter a word generated by FreeCap and then press submit again, and the form is submitted 100% (I use FreeCap 1.41 (http://www.puremango.co.uk/cm_php_captc ... pt_113.php)).
And now the user can press back, enter a new word generated by FreeCap and then submit the same form again.
Do you have any idea of how I can make this piece of "transaction identifier"? It sounds like a very good idea.
/Jess
Let us assume you insert some stuff.
There are some things that determine a record to be unique (except for an id).
For example we have these db columns: username, email
but there is also create_date.
If you know there should be no two records with the same username, email combination ....... before insert you make a select where username='form_data' and email='form_data'.
If you have such a record you have a double post... if not... go ahead and insert it.
P.S. Mind SQL injection. Do not use form_data directly in the SQL query.
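The select-before-insert check above leaves a window between the SELECT and the INSERT in which two quick submits can both pass; this added example (not from the thread) lets a UNIQUE index on username, email do the check atomically and binds the form data with prepared statements, as the P.S. asks. It uses an in-memory SQLite table and constructed sample values; the table and function names are assumptions:

```php
<?php
// Added example (not the thread's code): let the database enforce uniqueness
// instead of a SELECT-then-INSERT check, and bind the form data so it never
// becomes part of the SQL text. In-memory SQLite stands in for the real DB;
// the columns username, email and create_date follow the post above.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE submissions (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    email TEXT NOT NULL,
    create_date TEXT NOT NULL,
    UNIQUE (username, email)
)');

// Returns true if the row was stored, false if the same username/email pair
// already exists. Two simultaneous submits cannot both succeed: the UNIQUE
// index is checked inside the INSERT itself, with no gap between check and
// write as there is with a separate SELECT.
function store_submission(PDO $db, string $username, string $email): bool {
    $stmt = $db->prepare(
        'INSERT INTO submissions (username, email, create_date)
         VALUES (:username, :email, :create_date)'
    );
    try {
        $stmt->execute([
            ':username'    => $username,       // bound, never concatenated
            ':email'       => $email,
            ':create_date' => date('c'),
        ]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {       // SQLSTATE integrity violation
            return false;                      // duplicate post: already stored
        }
        throw $e;                              // anything else is a real error
    }
}

// Constructed sample input standing in for $_POST values.
$first  = store_submission($db, 'jess', 'jess@example.com');
$second = store_submission($db, 'jess', 'jess@example.com');   // same pair
$third  = store_submission($db, "O'Brien", 'ob@example.com');  // quote is data
var_dump($first, $second, $third);
```

The same function works against MySQL with a UNIQUE KEY (username, email), which also reports a duplicate as SQLSTATE 23000.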
- ronverdonk
- Forum Commoner
- Posts: 34
- Joined: Sat Jun 10, 2006 7:06 am
- Location: Netherlands
I have the code for the prevention of double submits using a transaction identifier. It comes from the book "PHP Hacks" (O'Reilly). According to the preface I can give you the code.
Because it is quite some code, I better not put it here in the forum, but can send it to your email.
Send a note with the address I should send it to, to my private message box.
ronverdonk wrote:
I have the code for the prevention of double submits using a transaction identifier. It comes from the book "PHP Hacks" (O'Reilly). According to the preface I can give you the code.
Because it is quite some code, I better not put it here in the forum, but can send it to your email.
Send a note with the address I should send it to, to my private message box.
On which page is this?
- ronverdonk
- Forum Commoner
- Posts: 34
- Joined: Sat Jun 10, 2006 7:06 am
- Location: Netherlands
I also found an entry at the Dutch PHP resource http://www.scriptsearch.com/cgi-bin/jump.cgi?ID=1796
Code:
<?php
session_start(); // the function keeps its state in $_SESSION, so a session is required

function prevent_multi_submit($type = "post", $excl = "validator") {
    // $type selects which request array is fingerprinted
    $data = ($type === "get") ? $_GET : $_POST;
    $string = "";
    foreach ($data as $key => $val) {
        // this test is new in version 1.01 to exclude a single variable
        if ($key != $excl) {
            // include the key and a separator so "ab"+"c" and "a"+"bc" do not hash the same
            $string .= $key . "=" . (is_array($val) ? implode(",", $val) : $val) . "&";
        }
    }
    $hash = md5($string);
    if (isset($_SESSION['last']) && $_SESSION['last'] === $hash) {
        return false; // identical submit already seen in this session
    }
    $_SESSION['last'] = $hash;
    return true;
}

/* example of use:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['field']) && $_POST['field'] !== "" && strlen($_POST['field']) < 25) { // place here the form validation and other controls
        if (prevent_multi_submit()) { // use the function before you call the database
            mysql_query("INSERT INTO tabel..."); // or send a mail like...
            mail($mailto, $sub, $body);
        } else {
            echo "The form is already processed";
        }
    } else {
        // your error about invalid fields
    }
} */
?>
Thanks a lot
Hi all,
Thanks a lot for your nice help. I'm very glad for your information and I will use it all for my project.
Best regards
Jess