How to close this "little" hole in my code?
Posted: Tue Aug 22, 2006 4:46 am
by jessdk
Hi,
I am programming a little piece of web software that runs on Internet Explorer and Firefox.
The user may fill out a form and submit it, and that is working fine.
Now my problem is that the user can press "back" in IE and Firefox and then submit the same form again and again.
How do I write PHP code that can close this "little" hole in my code??
Best regards
Jess
Posted: Tue Aug 22, 2006 4:57 am
by ronverdonk
This is not such a 'little' hole. You can have 2 reasons for preventing a double submit:
1. You don't want a user (or a web robot) to be able to submit multiple times, because it can flood you and is annoying.
2. You want to prevent it because e.g. an order has been placed and you don't want double orders.
1. Use a captcha; that also assures you that it is a human being submitting and not a robot. When pressing back the captcha will regenerate, so the user must take action. It does not prevent a malicious human from submitting more than once, but at least that person has to retype the captcha before each submit.
2. Use a more robust way: set a transaction identifier in the database, and check at the next submit whether that transaction has already been used.
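The "transaction identifier" idea above, worked out as a one-time form token kept in the PHP session (an added example, not code from this thread or from the PHP Hacks book; the field name form_token and the one-hour expiry are assumptions):

```php
<?php
// Added example: a one-time form token. The form page mints a token; the
// submit handler accepts each token exactly once, so "back" + resubmit
// (which carries the already-used token) is rejected.
session_start();

// Called when rendering the form: mint a fresh token and remember it.
function issue_form_token(): string {
    $now = time();
    // drop tokens older than one hour (assumed expiry) so the session stays small
    foreach ($_SESSION['form_tokens'] ?? [] as $old => $issued) {
        if ($issued < $now - 3600) {
            unset($_SESSION['form_tokens'][$old]);
        }
    }
    $token = bin2hex(random_bytes(16));          // 128 bits, unguessable
    $_SESSION['form_tokens'][$token] = $now;
    return $token;
}

// Called when handling the submit: true the first time a token is seen,
// false for a missing, unknown, expired or already-consumed token.
function consume_form_token(?string $token): bool {
    if ($token === null || empty($_SESSION['form_tokens'])) {
        return false;
    }
    foreach ($_SESSION['form_tokens'] as $stored => $issued) {
        if (hash_equals($stored, $token)) {          // constant-time compare
            unset($_SESSION['form_tokens'][$stored]); // burn it: a replay fails
            return true;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (consume_form_token($_POST['form_token'] ?? null)) {
        // validate the fields here, then do the INSERT or mail() exactly once
        echo "Form processed.";
    } else {
        // pressing back and submitting again lands here
        echo "This form was already processed.";
    }
} else {
    $token = issue_form_token();
    echo '<form method="post">'
       . '<input type="hidden" name="form_token" value="' . htmlspecialchars($token) . '">'
       . '<input name="field"> <button type="submit">Submit</button></form>';
}
```

Unlike hashing the submitted values, this also rejects the double submit when the user changes a field before resubmitting, because the token, not the content, is what gets used up.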
Posted: Tue Aug 22, 2006 5:31 am
by jessdk
Hi ronverdonk,
Thanks for your answer.
I use a captcha in my script, and when the form is submitted the user must enter a word generated by FreeCap and then press submit again, and the form is submitted 100% (I use FreeCap 1.41 (
http://www.puremango.co.uk/cm_php_captc ... pt_113.php))
and now the user can press back, enter a new word generated by FreeCap and then submit the same form again
Do you have any idea of how I can make this "transaction identifier"? It sounds like a very good idea.
/Jess
Posted: Tue Aug 22, 2006 5:36 am
by jmut
jessdk wrote:Hi ronverdonk,
Thanks for your answer.
I use a captcha in my script, and when the form is submitted the user must enter a word generated by FreeCap and then press submit again, and the form is submitted 100% (I use FreeCap 1.41 (
http://www.puremango.co.uk/cm_php_captc ... pt_113.php))
and now the user can press back, enter a new word generated by FreeCap and then submit the same form again
Do you have any idea of how I can make this "transaction identifier"? It sounds like a very good idea.
/Jess
Let us assume you insert some stuff.
There are some things that determine a record to be unique (except for an id).
For example we have these db columns: username, email.
But there is also create_date.
If you know there should be no two records with the same username, email combination ....... before the insert you make a select where username='form_data' and email='form_data'.
If you have such a record you have a double post... if not... go ahead and insert it.
P.S. Mind SQL injection. Do not use form_data directly in the SQL query.
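The select-then-insert check described in this post, with the SQL injection point taken care of by prepared statements (an added example, not code from the thread). It uses an in-memory SQLite database and a constructed orders table so it runs stand-alone; a UNIQUE index on (username, email) makes the database itself refuse a duplicate that slips in between the SELECT and the INSERT, which the two-query check alone cannot catch:

```php
<?php
// Added example: duplicate detection on the record's natural key, done with
// PDO placeholders so form data never becomes part of the SQL text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// constructed table; username+email is what makes an order unique here
$db->exec("CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    email TEXT NOT NULL,
    create_date TEXT NOT NULL,
    UNIQUE (username, email)
)");

// Returns true if the row was inserted, false if it was a double post.
function insert_once(PDO $db, string $username, string $email): bool {
    // 1. the "select where username=... and email=..." check, parameterised
    $check = $db->prepare("SELECT 1 FROM orders WHERE username = ? AND email = ?");
    $check->execute([$username, $email]);
    if ($check->fetchColumn() !== false) {
        return false;                            // seen before: double post
    }
    // 2. insert; the UNIQUE index closes the race between step 1 and 2
    try {
        $ins = $db->prepare("INSERT INTO orders (username, email, create_date)
                             VALUES (?, ?, datetime('now'))");
        $ins->execute([$username, $email]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {         // SQLSTATE integrity violation
            return false;                        // a concurrent submit got there first
        }
        throw $e;
    }
}

// constructed form data: first submit, then the same form after "back"
var_dump(insert_once($db, 'jess', 'jess@example.com'));
var_dump(insert_once($db, 'jess', 'jess@example.com'));
// a quote in the data is stored as literal text, not interpreted as SQL
var_dump(insert_once($db, "o'brien", 'ob@example.com'));
```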
Posted: Tue Aug 22, 2006 6:17 am
by ronverdonk
I have the code for the prevention of double submits using a transaction identifier. It comes from the book "PHP Hacks" (O'Reilly). According to the preface I can give you the code.
Because it is quite some code, I'd better not put it here in the forum, but I can send it to your email.
Send a note with the address I should send it to, to my private message box.
Posted: Tue Aug 22, 2006 6:23 am
by jmut
ronverdonk wrote:I have the code for the prevention of double submits using a transaction identifier. It comes from the book "PHP Hacks" (O'Reilly). According to the preface I can give you the code.
Because it is quite some code, I'd better not put it here in the forum, but I can send it to your email.
Send a note with the address I should send it to, to my private message box.
On which page is this?
Posted: Tue Aug 22, 2006 6:28 am
by ronverdonk
Hack no. 55 (page 230).
Posted: Tue Aug 22, 2006 6:32 am
by ronverdonk
I also found an entry at the Dutch PHP resource
http://www.scriptsearch.com/cgi-bin/jump.cgi?ID=1796
Code:
<?php
// The session must already be started before this function is called:
// session_start();
function prevent_multi_submit($type = "post", $excl = "validator") {
    // use the request array selected by $type (the original ignored it)
    $data = ($type === "get") ? $_GET : $_POST;
    $string = "";
    foreach ($data as $key => $val) {
        // this test is new in version 1.01 to exclude a single variable
        if ($key != $excl) {
            // key, value and a separator, so "ab"."c" and "a"."bc" do not collide
            $string .= $key . "=" . $val . "\n";
        }
    }
    $hash = md5($string);
    if (isset($_SESSION['last']) && $_SESSION['last'] === $hash) {
        return false;              // identical to the previous submit: reject
    }
    $_SESSION['last'] = $hash;     // remember this submit and accept it
    return true;
}
/* example of use:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if ($_POST['field'] != "" && strlen($_POST['field']) < 25) { // place here the form validation and other controls
        if (prevent_multi_submit()) { // use the function before you call the database
            mysql_query("INSERT INTO tabel..."); // or send a mail like...
            mail($mailto, $sub, $body);
        } else {
            echo "The form is already processed";
        }
    } else {
        // your error about invalid fields
    }
} */
?>
Thanks a lot
Posted: Sun Aug 27, 2006 1:57 pm
by jessdk
Hi all,
Thanks a lot for your nice help. I'm very glad for your information and I will use it all for my project.
Best regards
Jess