[nycphp-talk] html php form problem
Dan Cech
dcech at phpwerx.net
Thu Feb 24 15:12:34 EST 2005
One other solution is to embed a one-time token in each form you want to
protect. Below is a simplified example:
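
<?php
session_start();

// per-session store of issued tokens: token => issue time
if (!isset($_SESSION['tokens'])) {
    $_SESSION['tokens'] = array();
}

if (isset($_POST['action'])) {
    // the token field may be missing or array-valued, so check it before the lookup
    if (isset($_POST['token']) && is_string($_POST['token'])
        && array_key_exists($_POST['token'], $_SESSION['tokens'])) {
        // do something here

        // unset token so it can't be used again
        unset($_SESSION['tokens'][$_POST['token']]);
    } else {
        // form was submitted twice
    }
}

// issue a fresh, unpredictable token for the form rendered below
$token = bin2hex(random_bytes(16));
$_SESSION['tokens'][$token] = time();
?>
<input type="hidden" name="token" value="<?php print htmlentities($token); ?>" />
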
As you may have noticed, the code above also stored the issue time for
each token, so you can also prevent users submitting 'stale' forms.

There are also definite merits to using a system which redirects users
to result pages after they submit a form, especially in terms of making
the 'back' button work in an intuitive way.

Dan

Daniel Convissor wrote:
> On Thu, Feb 24, 2005 at 04:54:34PM -0300, Henry Ponce wrote:
>
>>I've been searching for the solution to my problem. I do not want a
>>form to be resubmitted when I refresh a page.
>
>
> That is not possible as far as I know. To work around it, process the
> form in one script and then forward to another page once processing is
> done:
>
> form.php
>     <form action="process.php">
>
> process.php
>     <?php
>     // validate and save info
>     if (!$errors) {
>         header('Location: http://host/thanks.php');
>         exit; // stop here so nothing else runs after the redirect header
>     }
>
> thanks.php
>     <h1>Thanks for your submission</h1>
>
> --Dan
>
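
The stale-form check mentioned in the reply above, carried through as an added example (not code from either poster). It assumes PHP 7.4 or later; the names TOKEN_TTL, TOKEN_MAX, issue_token and consume_token are hypothetical, and $store is a plain array standing in for $_SESSION['tokens'] so the script runs from the command line.

```php
<?php
const TOKEN_TTL = 900; // assumed policy: a form older than 15 minutes is stale
const TOKEN_MAX = 20;  // assumed policy: cap on outstanding tokens per session

// Issue a token and record its issue time, keeping the store bounded.
function issue_token(array &$store, int $now): string
{
    // drop expired entries so the session does not grow without limit
    $store = array_filter($store, fn($issued) => $now - $issued <= TOKEN_TTL);
    // if the cap is still reached, discard the oldest tokens first
    asort($store);
    while (count($store) >= TOKEN_MAX) {
        unset($store[array_key_first($store)]);
    }
    $token = bin2hex(random_bytes(16));
    $store[$token] = $now;
    return $token;
}

// Validate a submitted token: 'ok', 'stale', or 'unknown'.
function consume_token(array &$store, $submitted, int $now): string
{
    // a missing or array-valued field must never reach the array lookup
    if (!is_string($submitted) || !array_key_exists($submitted, $store)) {
        return 'unknown'; // never issued, pruned, or already used
    }
    $issued = $store[$submitted];
    unset($store[$submitted]); // single use, whatever the outcome
    return ($now - $issued > TOKEN_TTL) ? 'stale' : 'ok';
}

// Constructed walk-through with a fake clock instead of time().
$store = [];
$t0 = 1000000;
$a = issue_token($store, $t0);
$b = issue_token($store, $t0);

// first submission of form A
echo consume_token($store, $a, $t0 + 30), PHP_EOL;
// browser refresh re-sends the same POST
echo consume_token($store, $a, $t0 + 31), PHP_EOL;
// form B was left open past the TTL before being submitted
echo consume_token($store, $b, $t0 + TOKEN_TTL + 1), PHP_EOL;
// token field sent as token[]=x
echo consume_token($store, ['x'], $t0 + 40), PHP_EOL;
```

In a real page, pass $_SESSION['tokens'] and time() in place of $store and the fake clock, and only perform the form's action when the result is 'ok'.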