FUDforum: comp.lang.php » php double form submit prevent

Home » Imported messages » comp.lang.php » php double form submit prevent

Show: Today's Messages :: Polls :: Message Navigator

php double form submit prevent [message #184334]

Tue, 24 December 2013 21:15

pppbbb10
Messages: 4
Registered: December 2013

Karma: 0

Junior Member

I would like to avoid the double form submit or unwanted submit when first time clicking the link to the form which outputs empty data.

The code below seems to prevent double or single empty form or previous form submit but it also prevents to submit the form when expected.

Main parts of the code as below, all parts on the same php file.

<?php
session_start();
$_SESSION['token'] = md5(session_id() . time());
?>

<!DOCTYPE HTML>
....

<form method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" name="form_submitted">

<input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>" >

<input type="checkbox" name="catexp[]" value="1">Input1
<input type="checkbox" name="catexp[]" value="2">Input2
<input type="checkbox" name="catexp[]" value="3">Input3

<input type="Submit" name="Submit" >

</form>

<?php

if (isset($_SESSION['token']))
{
if (isset($_POST['token']))
{
if ($_POST['token'] != $_SESSION['token'])
{
// double submit
}
else
{

// FORM PROCESSING HERE

}// else ($_POST['token'] == $_SESSION['token'])

} // if (isset($_POST['token']))

} // if (isset($_SESSION['token']))

?>

How to make the condition go through ?

Thanks

Report message to a moderator

Re: php double form submit prevent [message #184335 is a reply to message #184334]

Tue, 24 December 2013 21:54

Jerry Stuckle
Messages: 2598
Registered: September 2010

Karma: 0

Senior Member

On 12/24/2013 4:15 PM, pppbbb10(at)gmail(dot)com wrote:
> I would like to avoid the double form submit or unwanted submit when first time clicking the link to the form which outputs empty data.
>
> The code below seems to prevent double or single empty form or previous form submit but it also prevents to submit the form when expected.
>
> Main parts of the code as below, all parts on the same php file.
>
> <?php
> session_start();
> $_SESSION['token'] = md5(session_id() . time());
> ?>
>
> <!DOCTYPE HTML>
> ...
>
> <form method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" name="form_submitted">
>
> <input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>" >
>
> <input type="checkbox" name="catexp[]" value="1">Input1
> <input type="checkbox" name="catexp[]" value="2">Input2
> <input type="checkbox" name="catexp[]" value="3">Input3
>
> <input type="Submit" name="Submit" >
>
> </form>
>
> <?php
>
> if (isset($_SESSION['token']))
> {
> if (isset($_POST['token']))
> {
> if ($_POST['token'] != $_SESSION['token'])
> {
> // double submit
> }
> else
> {
>
> // FORM PROCESSING HERE
>
>
> }// else ($_POST['token'] == $_SESSION['token'])
>
> } // if (isset($_POST['token']))
>
> } // if (isset($_SESSION['token']))
>
> ?>
>
>
> How to make the condition go through ?
>
> Thanks
>

Your problem is you are setting $_SESSION['token'] on entry to the
script. Since you've included the time(), it will never match the value
in $_POST['token'] unless the user has submitted the form in the same
second it was sent - highly unlikely (in fact, almost impossible
considering network delays, the person on the other end, etc.).

A better way is to redirect the user to another page (i.e. a "thank you"
page after processing the submission with header('Location: ...'); This
will stop them from using the back button (but still won't stop them
from going back in their history).

Remember you have to call header() before ANY output (even your DOCTYPE)
is sent to the browser. Normally this is accomplished by processing the
form before anything is sent to the browser.

You probably could also just not set $_SESSION['token'] until after the
checks are done; it's not something I've tried, however.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Report message to a moderator

Re: php double form submit prevent [message #184336 is a reply to message #184334]

Tue, 24 December 2013 22:00

Christoph Michael Bec
Messages: 207
Registered: June 2013

Karma: 0

Senior Member

pppbbb10(at)gmail(dot)com wrote:

> I would like to avoid the double form submit or unwanted submit when
> first time clicking the link to the form which outputs empty data.
>
> The code below seems to prevent double or single empty form or
> previous form submit but it also prevents to submit the form when
> expected.
>
> Main parts of the code as below, all parts on the same php file.
>
> <?php
> session_start();
> $_SESSION['token'] = md5(session_id() . time());
> ?>
>
> [further code snipped]
>
> How to make the condition go through ?

Think about what is happening. :) You're storing a new token as the
first action when the resource is requested -- obviously, any later
comparision with the submitted token will fail. You may deploy another
variable to store the new token till the end of the script, and then
storing it in the session.

The basic algorithm you have used to prevent multiple form submission is
actually a CSRF protection (might be somewhat weak, though) -- if you
don't need it, you may consider implementing the PRG pattern[1], which
might be a better solution of the problem at hand.

[1] <http://en.wikipedia.org/wiki/Post/Redirect/Get>

--
Christoph M. Becker

Report message to a moderator

Previous Topic:	Include gives warning
Next Topic:	FF26 crashes with simple code!

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Apr 05 02:40:46 GMT 2025

Total time taken to generate the page: 0.08924 seconds