Preventing duplicate form submissions in PHP with token verification

Source: Internet
Author: User
Tags learn php

PHP prevents duplicate submission of forms

2016-11-08 Easy to learn PHP

One problem we cannot ignore when handling form submissions is preventing users from submitting the same form repeatedly. A user may click the Submit button several times, or an attacker may maliciously submit data, so we run into trouble when the posted data modifies or adds records in the database.

So how do we avoid duplicate submissions? There are several approaches. First, front-end constraints: JavaScript sets the button to disabled after it is clicked, which simply prevents multiple clicks of the Submit button; the disadvantage is that it fails if the user disables JavaScript. Second, redirect after submission, that is, send the user to a new page after the submit, mainly to avoid repeated submissions through F5 refresh; this also has shortcomings. Third, add a unique index constraint in the database. Fourth, use session token verification.

Let's now look at a simple way to use a session token to prevent a form from being submitted repeatedly.

We add a hidden input field to the form, that is, type="hidden", whose value holds the token. The token value changes when the page is refreshed. After submission we check whether the token is correct: if the token submitted by the front end does not match the one held by the back end, the request is treated as a duplicate submission.

<?php
/*
 * A simple way to use a token in PHP to prevent duplicate form submissions
 */
session_start();
header("Content-type: text/html; charset=utf-8");

// Store a fresh token in the session
function set_token() {
    $_SESSION['token'] = md5(microtime(true));
}

// Compare the submitted token with the session token, then rotate the token
function valid_token() {
    $return = isset($_REQUEST['token']) && $_REQUEST['token'] === $_SESSION['token'];
    set_token();
    return $return;
}

// Generate a token if the token is empty
if (!isset($_SESSION['token']) || $_SESSION['token'] == '') {
    set_token();
}

if (isset($_POST['web'])) {
    if (!valid_token()) {
        echo "Token error, please do not repeat the submission!";
    } else {
        // Escape the submitted value before echoing it into the page
        echo 'Successfully submitted, value: ' . htmlspecialchars($_POST['web'], ENT_QUOTES, 'UTF-8');
    }
} else {
?>
<form method="post" action="">
    <input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>">
    <input type="text" class="input" name="web" value="www.helloweba.com">
    <input type="submit" class="btn" value="Submit"/>
</form>
<?php
}
?>

The above is a simple example of preventing duplicate form submissions, for reference only. In real project development, form token handling is more complex; this is what we usually mean by token verification. Possible processing includes: verifying the source domain, that is, the origin, to determine whether the submission comes from outside; matching the action to be performed, that is, add, modify or delete; and, most importantly, constructing the token. The token can use a reversible encryption algorithm, as complex as possible, because plaintext is still unsafe. For the specific token validation algorithm, refer to the major PHP frameworks, such as the thinkphp provides
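The checks listed in the paragraph above (origin, action binding, token construction), as an added example that is not code from the original article or from any framework. It uses a random value from `random_bytes()` rather than the reversible encryption the article suggests, and rejects a replayed token or a token issued for a different action; the function names, the `form_tokens` session key, the 900-second lifetime and the `https://shop.example` origin are assumptions.

```php
<?php
// Added example (not from the original article): single-use form token bound
// to an action. All names and values below are assumptions for illustration.
declare(strict_types=1);

const TOKEN_TTL = 900; // seconds a token stays valid (assumed value)

/** Issue a random token for one action and remember it in the session store. */
function issue_token(array &$session, string $action): string
{
    $token = bin2hex(random_bytes(32));               // CSPRNG, not md5(microtime())
    $session['form_tokens'][$action] = ['value' => $token, 'issued' => time()];
    return $token;
}

/** Validate and consume the token, so a second submit with it fails. */
function consume_token(array &$session, string $action, ?string $submitted): bool
{
    $entry = $session['form_tokens'][$action] ?? null;
    unset($session['form_tokens'][$action]);          // single use, even on failure
    if ($entry === null || $submitted === null) {
        return false;                                 // no token issued for this action
    }
    if (time() - $entry['issued'] > TOKEN_TTL) {
        return false;                                 // token expired
    }
    return hash_equals($entry['value'], $submitted);  // constant-time comparison
}

/** Accept only requests whose Origin header is our own site (missing = reject). */
function same_origin(array $server, string $allowedOrigin): bool
{
    return ($server['HTTP_ORIGIN'] ?? null) === $allowedOrigin;
}

// Constructed demo: plain arrays stand in for $_SESSION and $_SERVER.
$session = [];
$server  = ['HTTP_ORIGIN' => 'https://shop.example'];
$token   = issue_token($session, 'order.add');

var_dump(same_origin($server, 'https://shop.example'));    // origin check
var_dump(consume_token($session, 'order.add', $token));    // first submission
var_dump(consume_token($session, 'order.add', $token));    // same token replayed
$other = issue_token($session, 'order.add');
var_dump(consume_token($session, 'order.delete', $other)); // token for another action
```

In a real page, pass `$_SESSION` and `$_SERVER` in place of the demo arrays and embed the issued token in the hidden `token` field.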
