Re: Separation between View and State (The Back Button)


 



Michael B Allen wrote:
> Let's say you have a "Buy" button that posts a form to a script that
> inserts or increments the quantity of a record in a shopping cart
> table. So you click "Buy" and then "Checkout". Now if you hit the Back
> button it asks the user if they would like to repost the form. If you
> click "Ok" the db script runs again and now they have two items in the
> cart. Not good.
> 
> It seems to me this is a fundamental model view controller kind of
> problem. There's no separation between the view and the controller.
> 
> What I'm thinking is that I need to give each form a unique token. When
> the form is submitted a new token is generated. So if at any time a form
> is reposted the token will be invalid and action regarding the form
> contents can be ignored.
> 
> Specifically I'm thinking of something like:
> 
> <?php
>     session_start(); // $_SESSION is only populated after the session is started
> 
>     function token_generate() {
>         // a new token is stored in the session each time the form is rendered
>         return $_SESSION['state_token'] = rand(10000,99999);
>     }
>     function token_matches() {
>         // strict string comparison; the posted field is always a string
>         return isset($_POST['t'], $_SESSION['state_token'])
>             && (string)$_SESSION['state_token'] === $_POST['t'];
>     }
>     if (token_matches()) {
>         // insert or update cart contents
>     }
> ?>
> 
> <h1>Shopping Cart</h1>
> 
> <form action="cart.php" method="post">
> <?php
>     echo "<input name=\"t\" type=\"hidden\" value=\"" . token_generate() . "\"/>\n";
>     // display cart contents
> ?>
> </form>
> 
> I don't get to do much web programming so I'm wondering what the PHP
> crowd thinks of this method. Can anyone improve on this? Is it fatally
> flawed? How would you solve this problem in general?

This is pretty much *the* way to tackle this issue. Plenty of [minor] variations
of your basic concept have been proposed as a solution to the back button problem
on this list... the most notable differences being increased randomness in the token,
keeping an array of valid tokens (e.g. how many forms will a user request before
posting one of them?) and binding a given token to a given form (and/or data input 'type').

> 
> Thanks,
> Mike
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
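An added example, not code from Michael's post or from anyone on this thread, that implements the three variations mentioned in the reply above: a token drawn from a CSPRNG instead of rand(10000,99999), a bounded array of outstanding tokens so that several open forms stay valid at once, and a token bound to the form it was issued for and consumed on first use, so a Back-button repost no longer matches anything. The function names (form_token_issue, form_token_consume, form_token_demo), the limits and the 'form_tokens' session key are this example's own choices, not part of the original thread:

```php
<?php
declare(strict_types=1);

// Added example: one-time form tokens held in a bounded array and bound to a form name.
// The store is passed by reference so the caller can hand in $_SESSION['form_tokens']
// in a real request, or a plain array as in the demo at the bottom. Names are assumed.

const FORM_TOKEN_LIMIT = 20;   // outstanding forms one session may hold (assumed limit)
const FORM_TOKEN_TTL   = 3600; // seconds a token stays valid (assumed limit)

/** Issue a fresh token bound to $form, remembering it in $store. */
function form_token_issue(array &$store, string $form, ?int $now = null): string
{
    $now ??= time();
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, not rand()
    $store[$token] = ['form' => $form, 'issued' => $now];

    // Drop expired tokens, then the oldest ones if the user opened too many forms.
    // foreach works on a copy, so unsetting from $store inside the loop is safe.
    foreach ($store as $t => $meta) {
        if ($now - $meta['issued'] > FORM_TOKEN_TTL) {
            unset($store[$t]);
        }
    }
    while (count($store) > FORM_TOKEN_LIMIT) {
        unset($store[array_key_first($store)]); // insertion order is issue order
    }
    return $token;
}

/** Accept $token once for $form; the same token posted again is rejected. */
function form_token_consume(array &$store, string $form, $token, ?int $now = null): bool
{
    $now ??= time();
    if (!is_string($token)) {
        return false; // missing field, or t[]=... turned the value into an array
    }
    foreach ($store as $t => $meta) {
        // hash_equals gives a strict, constant-time comparison of the two strings.
        if (hash_equals((string) $t, $token)) {
            unset($store[$t]); // one-time use, even when the form name is wrong
            return $meta['form'] === $form
                && ($now - $meta['issued']) <= FORM_TOKEN_TTL;
        }
    }
    return false; // unknown, already used, or pruned token
}

/** The scenario from the post: Buy, Checkout, Back, "repost the form?". */
function form_token_demo(): array
{
    $store = []; // stand-in for $_SESSION['form_tokens']

    $buy = form_token_issue($store, 'cart_add');
    $first  = form_token_consume($store, 'cart_add', $buy); // the real "Buy" click
    $repost = form_token_consume($store, 'cart_add', $buy); // Back + "OK" reposts the same token

    // A token issued for one form must not be accepted by another action.
    $other = form_token_issue($store, 'cart_add');
    $wrongForm = form_token_consume($store, 'checkout', $other);

    // Two forms open in two tabs each keep their own token; neither invalidates the other.
    $tabA = form_token_issue($store, 'cart_add');
    $tabB = form_token_issue($store, 'cart_add');
    $bothTabs = form_token_consume($store, 'cart_add', $tabB)
             && form_token_consume($store, 'cart_add', $tabA);

    return [
        'first post accepted'      => $first,
        'repost accepted'          => $repost,
        'wrong form accepted'      => $wrongForm,
        'both open tabs accepted'  => $bothTabs,
        'tokens left in store'     => count($store),
    ];
}

if (PHP_SAPI === 'cli') {
    var_export(form_token_demo());
    echo PHP_EOL;
}
```

In cart.php this replaces token_generate()/token_matches() with `$_SESSION['form_tokens'] ??= [];` followed by `form_token_issue($_SESSION['form_tokens'], 'cart_add')` when the hidden field is rendered and `form_token_consume($_SESSION['form_tokens'], 'cart_add', $_POST['t'] ?? null)` before the database write. Because the token is removed from the array the moment it is accepted, the repost that the Back button offers carries a token that no longer exists and the insert is skipped; a form still open in another tab keeps its own entry and is unaffected, which the single `state_token` in the original would have invalidated on every page render. Consuming the token before the write means a crash between the two loses that one submission rather than allowing a duplicate, which is the safer direction for a cart.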

