PHP Server Side Scripting Forum

    
display if statement if back button hit
helenp




msg:4549618
 11:13 pm on Feb 27, 2013 (gmt 0)

Hi,
Not sure how to resolve this problem.
I use PayPal to charge for bookings,
so when the booking form is filled in, the form submits to a verify page, which says: don't hit the back button....
and of course everybody does not read.
On this page, first a MySQL query checks it's still available, as it could have been booked while the form was being filled in, then the booking is inserted in the database and last there is an automatic redirection to PayPal to pay for the booking.
If the back button is hit in order to go back to the form and change some information and then the form is submitted again,
well, the booking has already been inserted when the form was submitted the first time, so a message is displayed saying it's not available for those dates, which can be confusing.

After 30-45 minutes, if no payment was made, the booking will be deleted.

So I was thinking, is there a way to do 2 checks with different messages,
one when the page was first submitted to check it's still available (this I already have) with the message, sorry it's not available anymore etc.,
and another one that displays a different message if it's not available due to the back button being hit.

Hope I explained myself.

 

swa66




msg:4549749
 7:55 am on Feb 28, 2013 (gmt 0)

Track the session and the form itself.

Session tracking is obvious I guess.
To track the form: add a hidden field with a random value in it.
(the same you do for anti-CSRF)

When they hit back, the form will send back the same hidden random value that was used in the earlier "reservation": you can safely ignore it as it's twice the same browser (nobody else will have the same random value).

helenp




msg:4549768
 9:02 am on Feb 28, 2013 (gmt 0)


Track the session and the form itself.

Thanks,
Not sure I understood this,
I don't use sessions.
When the persons leave my site and enter PayPal's, isn't the session lost?

swa66




msg:4549775
 9:25 am on Feb 28, 2013 (gmt 0)

When the persons leave my site and enter PayPal's, isn't the session lost?

Nope.

A session is essentially a cookie in the browser that's matched on the server side with information. As long as the client keeps the cookie and the server keeps its information, the session remains valid even if there are visits to other websites in between (HTTP being stateless...: there's not even a way to know they did that).

I'd suggest to take the time to understand sessions in full. They can be of great benefit to you when you do transactions that span more than one page hit.

Ref: [php.net...]

The philosophy I tried to explain above is
- to use the session to keep track of things like users being logged in or not, from the time they enter till they log out (if they log in and out, from the first hit otherwise).
- to use a hidden field with a server side generated random value in it in sensitive forms.

If you then get on form submission that
- it's the same session (i.e. the same browser - cookie based)
AND
- it's the same form (due to the same random value being returned)
THEN it's relatively safe to assume the user went "back"

Whenever you accept a submission, ready for payment, you also keep track of the random value in the submission - to check for resubmissions ...

You also have to take care that they might go even further back and get a new form as well - but then it quickly becomes a matter of adding more state in the sessions.

helenp




msg:4549779
 9:43 am on Feb 28, 2013 (gmt 0)

You also have to take care that they might go even further back and get a new form as well - but then it quickly becomes a matter of adding more state in the sessions.


They don't log in so it would have to be a hidden value,
don't think that if they get another form it would be a problem, as the message if the back button is hit would only apply if the property is already booked, and the message would only appear on the booking verification page.

Not fancy of using sessions, suppose there isn't any other way.
I have sessions in the intranet, so I know that point, but not how to store and do the random value.
Thanks

helenp




msg:4549790
 11:01 am on Feb 28, 2013 (gmt 0)

What I am thinking,
if they hit the back button,
instead of displaying a message saying it's been blocked for x minutes, please come back later.

I could store the id of the booking and if the back button is hit then I could delete the booking, so they can go back if they want to change any information in the booking form.
As the id is auto-increment I will not have any problems if they go to another form.
Then is the question, when to expire the session, or maybe better to kill it.

swa66




msg:4549833
 12:37 pm on Feb 28, 2013 (gmt 0)

Ok,

Every time you generate the form (I suppose you do that in php),
generate inside the form a html line that says
<input type="hidden" value="$random" />

you need to generate the random string too ...
to generate it you could use something like:
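// alphabet the random string is built from
$chars = 'ABCDEFGHIJKLMOPQRSTUVXWYZ0123456789';
$len = strlen($chars)-1;
$random='';
// build a 10-character string, one random character per pass
for($x=1;$x<=10;$x++){
    // random_int() (PHP 7+) draws from the system CSPRNG; rand() output is predictable
    $roll = random_int(0,$len);
    $random .= substr($chars,$roll,1);
}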


When you process the form

- where you check if it's "free",
  - if it fails, check if the random value you stored is the same as the one you got this time.
    - if it is, it's a resubmittal of the form
  - if it's "free":
    - store the random value in your database

That's it based on your explanations.

But I think that creating a session, and hence recognizing them after paypal hands you back the visitor would make a lot of sense too.
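
The flow described in the post above, as an added example that is not code from the thread: the token is issued when the form is rendered, and the verify page tells a resubmission of the same form apart from a slot taken by someone else. The field name form_token, the bookings schema, and the function names are assumptions; an in-memory SQLite table stands in for the MySQL one and a single start date stands in for the booked date range.

```php
<?php
declare(strict_types=1);
// Stand-in for the MySQL bookings table (assumed schema); the UNIQUE key makes check + insert atomic.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE bookings (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    property_id INTEGER NOT NULL,
    start_date TEXT NOT NULL,
    form_token TEXT NOT NULL,
    status TEXT NOT NULL DEFAULT 'unpaid',
    UNIQUE (property_id, start_date))");

// Called when the booking form is rendered: 128 bits from the OS CSPRNG.
function newFormToken(): string {
    return bin2hex(random_bytes(16));
}

function tokenField(string $token): string {
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '" />';
}

// Called on the verify page. Returns 'new', 'resubmitted', 'unavailable' or 'invalid'.
function verifyBooking(PDO $db, int $propertyId, string $date, string $token): string {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return 'invalid';                       // missing or tampered hidden field
    }
    try {
        $db->prepare('INSERT INTO bookings (property_id, start_date, form_token)
                      VALUES (?, ?, ?)')->execute([$propertyId, $date, $token]);
        return 'new';                           // slot was free: continue to payment
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') throw $e;  // not a duplicate-key error
    }
    $q = $db->prepare('SELECT form_token FROM bookings
                       WHERE property_id = ? AND start_date = ?');
    $q->execute([$propertyId, $date]);
    $stored = (string) $q->fetchColumn();
    // Same token: this very form already made the booking (back button, then resubmit).
    return hash_equals($stored, $token) ? 'resubmitted' : 'unavailable';
}

$token = newFormToken();                        // constructed sample run
echo tokenField($token), "\n";
echo verifyBooking($db, 7, '2013-03-01', $token), "\n";
echo verifyBooking($db, 7, '2013-03-01', $token), "\n";
echo verifyBooking($db, 7, '2013-03-01', newFormToken()), "\n";
```

The hidden field alone only proves "same form"; tying the token to a session as well, as suggested in the thread, is what ties it to the same browser.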

helenp




msg:4549838
 1:13 pm on Feb 28, 2013 (gmt 0)

Every time you generate the form (I suppose you do that in php),
generate inside the form a html line that says
<input type="hidden" value="$random" />


Thanks a lot,
No, I don't generate the form, it's a page with a form that they get to after checking availability etc. with database and PHP.

Yes, you are correct, it's good to recognize them after payment also,
what I do is to use IPN and I update the database as paid, and I run a cron job that checks every 15 minutes if some booking has had status unpaid for more than 30 minutes.
What happens when they cancel the payment is they go to my cancel page without being recognized, and the cron job deletes the booking.
As I said before, if I store the id of the booking I can delete the booking immediately if they come to the cancel page or if they click back.
So I would store in the session the id of the booking, and the random value also, but one would be enough I think.

Hmm
on verification page (page between form and PayPal):

if submit form (or as you said, if free) {create session then insert booking in database and redirect to PayPal for payment}
else {delete booking and kill session.}
then if they click back to the form, the form is there to modify and book again if they wish.

However if the click backs are very quick, I suppose there is time to delete the booking and kill session.

helenp




msg:4549839
 1:28 pm on Feb 28, 2013 (gmt 0)

hmm,
could maybe be a problem,
I don't have any shopping cart as it is impossible to do 2 bookings at the same time.
So if somebody wants to book 2 or more properties then they will have several sessions.
I could kill the session when they come to the checkout page or cancel page, but many just close PayPal's window without going to my checkout page.
Can one have more than one session,
or maybe there is a way to kill a previous session if any?

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved