Re: Clear POST variables

[snip]
If it's not "wrong" for me to push the "back" button, why are you
breaking it with all your re-directs :-)
[/snip]

I was a bit short in my explanation -- I tend to use the redirect
method so that users *can* use the back button (or refresh).  I'm
trying to *not* break it. :)

That said, the unique token method is very interesting; I'll
definitely check it out.  But I'm curious, if you check for an
existing token and do find one (so the user has possibly refreshed the
browser), don't you have to program a particular way to handle it? And
might that handling method be different for each type of action being
taken? Does this run the risk of overcomplicating the code as well?

Then again, being forced to consider and handle *exceptions* is a very
good thing when developing a stable application...

I'll enjoy playing around with these ideas...

John




On 2/17/06, Curt Zirzow <czirzow@xxxxxxxxx> wrote:
> On Thu, Feb 16, 2006 at 09:34:12PM -0600, Mike Tuller wrote:
> > ...
> >
> > This is how I learned in some book somewhere. Is everyone saying that
> > I need to either use sessions, or redirect so that when someone
> > refreshes insert.php, it doesn't submit the information again? To me
> > it seems that there has to be a more efficient way. I don't
> > understand the token thing that some are suggesting.
>
> Since web requests are stateless you need to protect yourself
> in some ways; this is a method to prevent those duplicate entries
> in the db when someone refreshes the browser and reposts the data.
>
> The only difference with Richard's code from what I have is that he stores it
> differently than I generally do. The concept is as follows:
>
> form.php:
> <?php
> session_start(); // the session must be started before $_SESSION is used
>
> // generate a token
> $my_token = md5(uniqid('thisformid', true));
>
> // store the token in a place that can be retrieved
> // on the next page. richard uses a db, i usually just use the
> // _SESSION; where it is stored isn't relevant
>
> $_SESSION['tokens'][$my_token] = time(); // use time() so we can expire
>
> // put the token in the form to be passed to the next page
> // (method="post" so action.php finds it in $_POST)
> ?>
> <form method="post" action="action.php">
>   <input type="hidden" name="form_token" value="<?php echo htmlspecialchars($my_token); ?>">
> </form>
>
>
> action.php:
> <?php
> session_start(); // same session as form.php
>
> // grab the token in the form (avoid an undefined-index notice if it is absent):
> $token = isset($_POST['form_token']) ? $_POST['form_token'] : '';
>
> // test it against what we stored in the previous page.
> if ($token !== '' && isset($_SESSION['tokens'][$token]) ) {
>
>   // forget the token
>   unset($_SESSION['tokens'][$token]); // very important
>
>   // do stuff..
>
> } else {
>   // form submitted twice or they tried to access this page
>   // directly.. a no no.
> }
>
>
> Curt.
> --
> cat .signature: No such file or directory
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

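The following is an added example, not code from Curt, Richard or anyone else in this thread: a language-neutral model of the one-time form token scheme quoted above, written in Python so the whole form/refresh exchange can be run offline. `session` stands in for `$_SESSION`, `posted` for `$_POST`, and the 15-minute `TOKEN_TTL_SECONDS` is an assumed value that shows what the `time()` stamp in the original is for. The function names and the simulated submissions are constructed for this example.

```python
# Added example (not code from the thread): a model of the one-time form token
# Curt describes, plus the expiry that his time() stamp makes possible.
# `session` stands in for $_SESSION; `posted` stands in for $_POST.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a form left open longer than this must be reloaded


def issue_token(session, form_id, now=None):
    """form.php side: mint a token, remember when it was issued, return it for the hidden field."""
    now = time.time() if now is None else now
    # The original uses md5(uniqid(...)); here a CSPRNG value is hashed together with the form id.
    token = hashlib.sha256(f"{form_id}:{secrets.token_hex(16)}".encode()).hexdigest()
    session.setdefault("tokens", {})[token] = now
    return token


def consume_token(session, posted, now=None):
    """action.php side: accept a submission only if its token is known and still fresh.

    Returns (accepted, reason). The token is removed as soon as it is found, before any
    work is done, so a refresh that re-POSTs the same form body is rejected the second time.
    """
    now = time.time() if now is None else now
    tokens = session.setdefault("tokens", {})
    token = posted.get("form_token")
    if not token or token not in tokens:
        return False, "unknown token: repeated submit or direct access"
    issued_at = tokens.pop(token)  # forget it first ("very important" in the original)
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False, "token expired: reload the form"
    return True, "ok"


def purge_expired(session, now=None):
    """Housekeeping so abandoned forms do not grow the session forever; returns the count removed."""
    now = time.time() if now is None else now
    tokens = session.setdefault("tokens", {})
    stale = [t for t, issued_at in tokens.items() if now - issued_at > TOKEN_TTL_SECONDS]
    for t in stale:
        del tokens[t]
    return len(stale)


def simulate_refresh(now=1_000.0):
    """Constructed walk-through: render the form, submit it, refresh (re-POST), then open action directly."""
    session = {}
    token = issue_token(session, "insert_form", now=now)
    first = consume_token(session, {"form_token": token}, now=now + 2)    # normal submit: accepted
    refresh = consume_token(session, {"form_token": token}, now=now + 5)  # browser re-POSTs same body: rejected
    direct = consume_token(session, {}, now=now + 6)                      # action page opened directly: rejected
    return [first[0], refresh[0], direct[0]]


if __name__ == "__main__":
    print(simulate_refresh())  # [True, False, False]
```

The answer to John's question about per-action handling is visible in `consume_token`: the insert (or whatever "do stuff" is) only runs on the accepted path, and every rejected path lands in one branch that can simply re-render the form with a fresh token, so the handling does not have to differ by action type. Removing the token before doing the work, rather than after, is what keeps a second request that arrives while the first is still running from slipping through.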
