How to close this "little" hole in my code?

jessdk
Forum Newbie
Posts: 3
Joined: Tue Aug 22, 2006 12:36 am
Location: Denmark

Post by jessdk »

Hi,

I am programming a little piece of web software that runs in Internet Explorer and Firefox.

The user can fill out a form and submit it, and this is working fine.
Now my problem is that the user can press "back" in IE and Firefox and then submit the same form again and again.
How do I write PHP code that can close this "little" hole in my code??

Best regards

Jess
ronverdonk
Forum Commoner
Posts: 34
Joined: Sat Jun 10, 2006 7:06 am
Location: Netherlands

Post by ronverdonk »

This is not such a 'little' hole. You can have 2 reasons for preventing a double submit:

1. You don't want a user (or a web robot) to be able to submit multiple times because it can flood you and is annoying.
2. You want to prevent it because e.g. an order has been placed and you don't want double orders.

1. Use a captcha; that also assures you that it is a human being submitting and not a robot. When pressing back the captcha will re-generate, so the user must take action. It does not prevent a malicious human from submitting more than once, but at least that person has to re-type the captcha before each submit.
2. Use a more robust way: set a transaction identifier in the database, and check at the next submit whether that transaction has already been used.
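The session-held transaction identifier described above, as an added example that is not code from the thread or from the PHP Hacks book: each rendered form carries a fresh one-time token, and the handler consumes it before doing any work, so a Back-and-resubmit carries a token that no longer exists. The field name `tx`, the 30-minute lifetime and the 409 response are my choices.

```php
<?php
// Added example (not from the thread): a one-time form token kept in the
// session, the "transaction identifier" approach. The handler consumes the
// token before doing any work, so a replayed submit (Back, then Submit again)
// carries a token that no longer exists and is refused.
session_start();

function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));            // 128 bits, unguessable
    // several open tabs each get their own valid token
    $_SESSION['form_tokens'][$token] = time();
    return $token;
}

function consume_form_token(?string $token): bool {
    if ($token === null || empty($_SESSION['form_tokens'])) {
        return false;
    }
    foreach ($_SESSION['form_tokens'] as $stored => $issued) {
        if (time() - $issued > 1800) {             // expire after 30 minutes
            unset($_SESSION['form_tokens'][$stored]);
            continue;
        }
        if (hash_equals((string)$stored, $token)) {
            unset($_SESSION['form_tokens'][$stored]); // one use only
            return true;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['tx'] ?? null)) {
        http_response_code(409);
        echo "This form was already processed (or has expired).";
        exit;
    }
    // ... validate the fields, then place the order or send the mail ...
    echo "Order placed.";
    exit;
}

$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="tx" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="text" name="field">
  <button type="submit">Send</button>
</form>
```

Redirecting to a GET page after the successful POST (POST-redirect-GET) also stops the browser from offering to resubmit on Back; the token covers the cases where it still does.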

Post by jessdk »

Hi ronverdonk,

Thanks for your answer.

I use a captcha in my script, and when the form is submitted the user must enter a word generated by FreeCap and then press submit again, and the form is submitted 100 % (I use FreeCap 1.41 (http://www.puremango.co.uk/cm_php_captc ... pt_113.php)),
and now the user can press back, enter a new word generated by FreeCap and then submit the same form again :-((

Do you have any idea how I can make this "transaction identifier" piece? It sounds like a very good idea.

/Jess
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

jessdk wrote:Hi ronverdonk,

Thanks for your answer.

I use a captcha in my script, and when the form is submitted the user must enter a word generated by FreeCap and then press submit again, and the form is submitted 100 % (I use FreeCap 1.41 (http://www.puremango.co.uk/cm_php_captc ... pt_113.php)),
and now the user can press back, enter a new word generated by FreeCap and then submit the same form again :-((

Do you have any idea how I can make this "transaction identifier" piece? It sounds like a very good idea.

/Jess
Let us assume you insert some stuff.
There are some things that determine a record to be unique (except for an id).


For example we have these db columns: username, email,
but there is also create_date.


If you know there should be no two records with the same username, email combination, then before the insert you do a select where username='form_data' and email='form_data'.
If you have such a record you have a double post; if not, go ahead and insert it.

P.S. Mind SQL injection. Do not use form_data directly in an SQL query.
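The uniqueness check from the post above, done with a UNIQUE index and a prepared statement rather than a SELECT followed by an INSERT (two simultaneous submits can both pass the SELECT before either INSERT runs). This is an added example, not jmut's code; the table name `signups` and the in-memory SQLite database are assumptions so it runs stand-alone.

```php
<?php
// Added example (not from the thread): enforce "no two records with the same
// username/email" at the database with a UNIQUE index, so a duplicate post is
// refused even when two submits arrive at the same moment. SQLite in memory
// keeps it stand-alone; with MySQL the DSN changes but the duplicate-key
// SQLSTATE (23000) is the same.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE signups (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    email TEXT NOT NULL,
    create_date TEXT NOT NULL,
    UNIQUE (username, email)
)');

// Returns true when the row was inserted, false when the same username/email
// already exists (a double post). Form data is bound as parameters, never
// interpolated into the SQL string, which is the SQL injection point the post warns about.
function insert_once(PDO $db, string $username, string $email): bool {
    $stmt = $db->prepare(
        'INSERT INTO signups (username, email, create_date) VALUES (?, ?, ?)'
    );
    try {
        $stmt->execute([$username, $email, date('c')]);
        return true;
    } catch (PDOException $e) {
        if ((string)$e->getCode() === '23000') {   // integrity constraint violation
            return false;
        }
        throw $e;                                   // anything else is a real error
    }
}

// Constructed sample: the same form data posted twice, as after pressing Back.
// The first call inserts; the second hits the UNIQUE index and returns false.
$first  = insert_once($db, 'jess', 'jess@example.com');
$second = insert_once($db, 'jess', 'jess@example.com');
var_dump($first, $second);
```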

Post by ronverdonk »

I have the code for the prevention of double submits using a transaction identifier. It comes from the book "PHP Hacks" (O'Reilly). According to the preface I can give you the code.

Because it is quite a lot of code, I had better not put it here in the forum, but I can send it to your email.
Send a note with the address I should send it to, to my private message box.

Post by jmut »

ronverdonk wrote:I have the code for the prevention of double submits using a transaction identifier. It comes from the book "PHP Hacks" (O'Reilly). According to the preface I can give you the code.

Because it is quite a lot of code, I had better not put it here in the forum, but I can send it to your email.
Send a note with the address I should send it to, to my private message box.
On which page is this?

Post by ronverdonk »

Hack no. 55 (page 230).

Post by ronverdonk »

I also found an entry at the Dutch PHP resource http://www.scriptsearch.com/cgi-bin/jump.cgi?ID=1796

Code:

<?php
// The function hashes the submitted fields (except the one named in $excl) and
// compares the hash with the one stored at the previous submit; a repeat of
// exactly the same data is refused. Note that it only blocks identical data:
// changing a single field gives a new hash and passes.
// A session is required, so start it before calling the function.
session_start();

function prevent_multi_submit($type = "post", $excl = "validator") {
    // honour the $type parameter, which the original version ignored
    $data = ($type === "get") ? $_GET : $_POST;
    $string = "";
    foreach ($data as $key => $val) {
        // this test is new in version 1.01 to exclude a single variable
        if ($key != $excl) {
            // serialize array fields (e.g. checkbox groups) so they do not break the concatenation
            $string .= is_array($val) ? serialize($val) : $val;
        }
    }
    $hash = md5($string);
    if (isset($_SESSION['last']) && $_SESSION['last'] === $hash) {
        return false;              // same data as the previous submit
    }
    $_SESSION['last'] = $hash;     // remember this submit
    return true;
}

/* example of use:
if ($_SERVER['REQUEST_METHOD'] === "POST") { // isset($_POST) is always true, so test the method instead
    if ($_POST['field'] != "" && strlen($_POST['field']) < 25) { // place here the form validation and other controls
        if (prevent_multi_submit()) { // use the function before you call the database
            mysql_query("INSERT INTO tabel..."); // or send a mail like... (mysql_* is removed in PHP 7; use PDO)
            mail($mailto, $sub, $body);
        } else {
            echo "The form is already processed";
        }
    } else {
        // your error about invalid fields
    }
} */
?>

Thanks a lot

Post by jessdk »

Hi all,

Thanks a lot for your nice help. I'm very glad for your information and I will use it all for my project.

Best regards

Jess