Let's say you have a "Buy" button that posts a form to a script that inserts or increments the quantity of a record in a shopping cart table. So you click "Buy" and then "Checkout". Now if you hit the Back button it asks the user if they would like to repost the form. If you click "Ok" the db script runs again and now they have two items in the cart. Not good.

It seems to me this is a fundamental model view controller kind of problem. There's no separation between the view and the controller.

What I'm thinking is that I need to give each form a unique token. When the form is submitted a new token is generated. So if at any time a form is reposted the token will be invalid and action regarding the form contents can be ignored.

Specifically I'm thinking of something like:

    <?php
    session_start(); // $_SESSION is only usable once the session is started

    // Store a new token in the session and return it for the hidden field.
    function token_generate() {
        return $_SESSION['state_token'] = rand(10000,99999);
    }

    // True only when a token was posted and it equals the stored one.
    // isset() on both sides plus === avoids a loose null == "" match.
    function token_matches() {
        return isset($_POST['t'], $_SESSION['state_token'])
            && $_POST['t'] === (string)$_SESSION['state_token'];
    }

    if (token_matches()) {
        // insert or update cart contents
    }
    ?>
    <h1>Shopping Cart</h1>
    <form action="cart.php" method="post">
    <?php
    echo "<input name=\"t\" type=\"hidden\" value=\"" . token_generate() . "\"/>\n";
    // display cart contents
    ?>
    </form>

I don't get to do much web programming so I'm wondering what the PHP crowd thinks of this method. Can anyone improve on this? Is it fatally flawed? How would you solve this problem in general?

Thanks,
Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
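
The token scheme described in the message above, as an added example that is not part of the original post: it swaps `rand()` for `random_bytes()`, compares with `hash_equals()`, and generalizes from one token per session to one token per rendered form, so a second browser tab does not invalidate the first. The function names and the `form_tokens` session key are hypothetical, and `$session` stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Names are hypothetical.

/** Issue a fresh, unpredictable token and remember when it was issued. */
function form_token_issue(array &$session): string
{
    $token = bin2hex(random_bytes(16));        // 128 bits from the CSPRNG
    $session['form_tokens'][$token] = time();
    return $token;
}

/** True exactly once per issued token; replays, junk and stale tokens fail. */
function form_token_consume(array &$session, $submitted, int $maxAge = 3600): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;                          // missing field or t[]=... array
    }
    foreach ($session['form_tokens'] ?? [] as $known => $issuedAt) {
        if (hash_equals((string)$known, $submitted)) {
            unset($session['form_tokens'][$known]);   // burn before acting
            return (time() - $issuedAt) <= $maxAge;
        }
    }
    return false;
}

// Constructed demo: one rendered form, submitted and then reposted via Back.
$session = [];                                 // use $_SESSION in a real page
$cart    = ['widget' => 0];
$token   = form_token_issue($session);         // value of the hidden "t" field

foreach (['first submit', 'Back + repost'] as $label) {
    if (form_token_consume($session, $token)) {
        $cart['widget']++;                     // insert or update cart contents
    }
    printf("%-14s quantity=%d\n", $label, $cart['widget']);
}

// A forged or empty field never matches, even when no token was ever issued.
$empty = [];
var_dump(form_token_consume($empty, ''));
```

In `cart.php`, call `session_start()` and pass `$_SESSION` to both functions. Answering a successful POST with `header('Location: cart.php', true, 303)` additionally keeps the Back button from offering a repost at all.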