Matthew1980

msg:4131934 | 10:36 am on May 13, 2010 (gmt 0) |
Hi there Marked,

HTML code:-

    <form method="POST" action="">
        <input type="submit" value="Submit" name="submit"/>
    </form>

PHP code:-

    <?php
    if (isset($_POST['submit']) && ($_POST['submit'] == "Submit")) {
        // execute some code when the form is submitted
    }

This is what I use, and I haven't had a 'double submit' yet. I.e. check the value of the key, then process. Changing $_POST to $_GET is only good if you create the vars and pass them in the URL; $_POST is from the form submitted data. I suppose there is some fancy js out there that would disable the submit button when it is actioned, but I have never tried this method.

Hope this helps..

Cheers,
MRb
|
londrum

msg:4131936 | 10:50 am on May 13, 2010 (gmt 0) |
Another easy way is just to put a short-lived cookie on their system when they submit (just a couple of minutes will probably do). If you check for the existence of that cookie every time someone new submits, then you will know whether to throw an error.
|
webizarre

msg:4131941 | 11:23 am on May 13, 2010 (gmt 0) |
You can redirect the user to another page after submitting the form once. Here is the code you can use in mail configuration: $Redirect_URL="http://www..."; This can be used to avoid second hits.
|
jatar_k

msg:4132105 | 4:50 pm on May 13, 2010 (gmt 0) |
scripts shouldn't post to themselves
post to a processing script that has no output
on error reinclude the form
on success redirect to a success page
|
Matthew1980

msg:4132534 | 7:51 am on May 14, 2010 (gmt 0) |
Hi there jatar_k, I should have been clear about that really, posting to a dedicated php file or class enables you to handle things better, but you can still do error checking and blank submissions from posting to 'itself'. I think though setting in place a dedicated form handler is just better practice, from there you can handle all exceptions. Just my opinion there, there may be better options that I haven't encountered yet ;) Cheers, MRb
|
mooger35

msg:4132865 | 6:37 pm on May 14, 2010 (gmt 0) |
What I've been using recently is a jquery pop up window that uses ajax to post the form to a processing page and then returns either "success" or an error message (or messages). If success a notification of the fact pops up and then the jquery window gets automatically closed half a second later. If error message(s) then notification of what went wrong occurs. Any reason this way of doing things would be a horrible idea?
|
Marked

msg:4133129 | 9:57 am on May 15, 2010 (gmt 0) |
Thanks for all your replies :)

For my script there is no need for an error message system, because I use javascript to ensure the form is filled out correctly.

Ok, what I did was create this function:

    function doRedirect($url) {
        header('Location: '.$url);
    }

And then:

    if (isset($_POST['hidden_field'])) {
        //run code
        doRedirect($_SERVER['REQUEST_URI']);
        exit();
    }

It works pretty well. However, it does not work when the user tries to go back. At the moment though I'm pretty satisfied with this system. :)
|
brotherhood of LAN

msg:4133130 | 10:02 am on May 15, 2010 (gmt 0) |
| there is no need for an error message system, because I use javascript |
| It would be recommended to also validate the form server-side as well as client-side. Client-side validation saves the hassle of page reloads, but ultimately server-side validation ensures that the data is truly valid.
|
Matthew1980

msg:4133136 | 10:37 am on May 15, 2010 (gmt 0) |
Hi there Marked, To add onto brotherhood of LAN's point, not all people have js enabled, so for user/cross platform compatibility it would be preferable to use the php validation as it's server side and not client side. Cheers, MRb
|
rocknbil

msg:4133219 | 4:57 pm on May 15, 2010 (gmt 0) |
| not all people have js enabled |
| Two cents on that . . . in cases of user input, it's not so much your users (which is important on its own) but that those who would abuse your site do so from command line apps without even touching the form. They completely circumnavigate the form with a post directly to your script. In such cases they can inject data you wouldn't expect.
|
Matthew1980

msg:4133224 | 5:07 pm on May 15, 2010 (gmt 0) |
Hi there Marked,

And then:

    if (isset($_POST['hidden_field']) && ($_POST['hidden_field'] == "hidden_field")) {
        //run code
        doRedirect($_SERVER['REQUEST_URI']);
        exit();
    }

Ok, so you're checking the key, at least check the value of the key to see if it is what it should be, after all it could be set, but with a completely different value from what you assigned to it, kinda like rocknbil suggests :) I find that checking both value and key is better as you can then direct the script accordingly, and as jatar_k says, keep the files separate, or direct to a dedicated file so that you can then show the user something else after they have posted, or redirect back to the same page if an error arises, i.e. blank field, illegal data etc, etc.

Hope this helps ;)

Cheers,
MRb
|
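The advice in the posts above (check the value as well as the key, validate on the server, post to a separate handler that redirects on success), put together as an added example that is not any poster's code. The file names, the "email" and "comment" fields and /thanks.php are assumptions made for illustration.

```php
<?php
// process.php (assumed name): the form posts here; on success it outputs nothing.

// Server-side checks. Field names "email" and "comment" are assumed.
function validate_submission(array $post): array
{
    $errors = [];
    // Check the value, not only the key; an array-valued field fails too.
    if (($post['submit'] ?? null) !== 'Submit') {
        $errors[] = 'Unexpected submit value.';
    }
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }
    $comment = $post['comment'] ?? '';
    if (!is_string($comment) || trim($comment) === '' || strlen($comment) > 2000) {
        $errors[] = 'Comment must be 1 to 2000 bytes long.';
    }
    return $errors;
}

// Decide the next step without printing anything.
function handle_post(array $post): array
{
    $errors = validate_submission($post);
    if ($errors !== []) {
        return ['action' => 'reinclude_form', 'errors' => $errors];
    }
    // ... store or mail the data here ...
    return ['action' => 'redirect', 'location' => '/thanks.php'];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs so the logic can be run offline: php process.php
    var_dump(handle_post(['submit' => 'Submit', 'email' => 'a@example.com', 'comment' => 'hi']));
    var_dump(handle_post(['submit' => ['x'], 'email' => 'nope']));
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = handle_post($_POST);
    if ($result['action'] === 'redirect') {
        // 303 makes the browser follow with GET, so a refresh does not re-post.
        header('Location: ' . $result['location'], true, 303);
        exit;
    }
    $errors = $result['errors'];
    require __DIR__ . '/form.php'; // assumed: form.php prints $errors and the form
}
```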
Readie

msg:4133241 | 6:39 pm on May 15, 2010 (gmt 0) |
    && ($_POST['hidden_field'] == "hidden_field")

I'm pretty sure that a string "is equal to" 0 - so the "is identical to" comparison should be used here, to prevent users doing any damage during an injection attempt, or exposing any vulnerabilities:

    && ($_POST['hidden_field'] === "hidden_field")

Just to be safe :)
|
arvind gupta

msg:4134523 | 6:58 am on May 18, 2010 (gmt 0) |
I generally tend to use a random key to stop multiple form submission. For example:

    <?php
    session_start();

    // Process the form only if the submitted key matches the one stored in the session
    if (isset($_GET['submit'], $_GET['key'], $_SESSION['key']) && $_GET['key'] == $_SESSION['key']) {
        // Process
        echo 'processed';
    } else {
        echo 'not processed';
    }
    ?>

    <?php
    // Issue a fresh key for the next submission
    $_SESSION['key'] = mt_rand(1, 1000);
    ?>
    <!-- Form -->
    <form action="" method="get">
        <input type="hidden" name="key" value="<?php echo $_SESSION['key'] ?>" />
        <input type="submit" name="submit" value="Submit" />
    </form>

Hope this helps!
|
|
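A hardened variant of the random-key approach in the post above, as an added example that is not part of the thread: the key comes from random_bytes() rather than a 1-in-1000 mt_rand() value, is compared with hash_equals(), and is discarded on first use. The function names and the form_token session key are assumptions; $session stands in for $_SESSION.

```php
<?php
// Added example: single-use form token. issue_token, consume_token and
// 'form_token' are illustrative names; $session stands in for $_SESSION.

function issue_token(array &$session): string
{
    // 128 bits from the CSPRNG, hex-encoded for the hidden form field
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

function consume_token(array &$session, $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    // Burn the token before doing any work, so a resubmission or replay
    // of the same request finds nothing to match against.
    unset($session['form_token']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false; // no token issued, or the field was sent as an array
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

if (PHP_SAPI === 'cli') {
    // Constructed walk-through (php token.php): one page view, then the
    // same submission sent twice, then an array-valued field.
    $session = [];
    $token   = issue_token($session);
    $first   = consume_token($session, $token);  // genuine submit
    $second  = consume_token($session, $token);  // double click, refresh or back button
    $fresh   = issue_token($session);            // form rendered again
    $forged  = consume_token($session, ['x']);   // key[]=x instead of a string
    var_dump($first, $second, $forged);
}
```

In a page, call session_start() first, pass $_SESSION to both functions, and send the form with POST so the token stays out of URLs and logs.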