On Thu, Feb 16, 2006 at 09:34:12PM -0600, Mike Tuller wrote:
> ...
>
> This is how I learned in some book somewhere. Is everyone saying that
> I need to either use sessions, or redirect so that when someone
> refreshes insert.php, it doesn't submit the information again? To me
> it seems that there has to be a more efficient way. I don't
> understand the token thing that some are suggesting.
Since web requests are stateless you need to protect yourself
in some way; this is a method to prevent those duplicate entries
in the db when someone refreshes the browser and reposts the data.
The only difference between Richard's code and what I have is that he stores it
differently than I generally do. The concept is as follows:
form.php:
<?php
session_start(); // the token lives in the session, so start it first
// generate a token
$my_token = md5(uniqid('thisformid', true));
// store the token in a place that can be retrieved
// on the next page. Richard uses a db, I usually just use
// $_SESSION; where it is stored isn't relevant
$_SESSION['tokens'][$my_token] = time(); // use time() so we can expire
// put the token in the form to be passed to the next page
?>
<form action="action.php" method="post">
<input type="hidden" name="form_token" value="<?php echo $my_token; ?>">
<input type="submit" value="Submit">
</form>
action.php:
<?php
session_start(); // same session the token was stored in
// grab the token from the form (it is absent if the page was hit directly)
$token = isset($_POST['form_token']) ? $_POST['form_token'] : '';
// test it against what we stored in the previous page.
if ($token !== '' && isset($_SESSION['tokens'][$token])) {
    // forget the token
    unset($_SESSION['tokens'][$token]); // very important
    // do stuff..
} else {
    // form submitted twice or they tried to access this page
    // directly.. a no no.
}
Curt.
--
cat .signature: No such file or directory
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
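The one-time form token Curt describes, written out as an added example that is not Curt's or Richard's code: the token is minted with a CSPRNG instead of md5(uniqid()), the stored time() is actually used to expire it, and a missing, replayed or stale token is rejected with a distinct reason. The array $store stands in for $_SESSION['tokens'] so the flow can be run from the CLI without a browser or a real session; the function names issueToken, consumeToken, purgeExpired and the TOKEN_TTL value are assumptions, and the script needs PHP 7 or later for random_bytes().

```php
<?php
// Added example (not code from the mailing-list post): single-use form
// tokens with expiry. $store stands in for $_SESSION['tokens'] so the
// lifecycle can be exercised without a web server. Names are assumptions.

declare(strict_types=1);

const TOKEN_TTL = 600; // seconds a rendered form stays valid (assumed)

// form.php side: mint a token and remember when it was issued.
function issueToken(array &$store, int $now): string
{
    // random_bytes() is a CSPRNG. md5(uniqid()) is predictable, which is
    // fine for catching a double submit but not for stopping CSRF.
    $token = bin2hex(random_bytes(16));
    $store[$token] = $now;
    return $token;
}

// action.php side: accept a token exactly once, and only while fresh.
function consumeToken(array &$store, ?string $submitted, int $now): string
{
    // A direct hit on action.php has no token at all; reject before lookup.
    if (!is_string($submitted) || !preg_match('/^[0-9a-f]{32}$/', $submitted)) {
        return 'rejected: missing or malformed token';
    }
    if (!isset($store[$submitted])) {
        return 'rejected: unknown or already used token';
    }
    $issued = $store[$submitted];
    unset($store[$submitted]); // burn it before doing any work
    if ($now - $issued > TOKEN_TTL) {
        return 'rejected: expired token';
    }
    return 'accepted';
}

// Housekeeping so the session does not grow with abandoned forms.
function purgeExpired(array &$store, int $now): int
{
    $removed = 0;
    foreach ($store as $token => $issued) {
        if ($now - $issued > TOKEN_TTL) {
            unset($store[$token]);
            $removed++;
        }
    }
    return $removed;
}

// Walk-through on constructed input (no real session, fixed clock).
$session = [];
$t0 = 1000000;

$tok = issueToken($session, $t0);
echo consumeToken($session, $tok, $t0 + 5), "\n";   // first submit
echo consumeToken($session, $tok, $t0 + 6), "\n";   // browser refresh reposts the same token
echo consumeToken($session, null, $t0 + 6), "\n";   // action.php opened directly, no form

$old = issueToken($session, $t0);
echo consumeToken($session, $old, $t0 + TOKEN_TTL + 1), "\n"; // form left open past the window

issueToken($session, $t0);
echo purgeExpired($session, $t0 + TOKEN_TTL + 1), "\n";       // stale entry cleared
```

Keeping one entry per rendered form, rather than a single token per session, is what lets a user have the same form open in two tabs and submit both; each tab carries its own token and each is consumed once. The unset happens before the insert so that a refresh racing the first request cannot find the token still present.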