You're wonderful. Thank you very much.



On Thu, 3 Feb 2005 13:02:14 -0800 (PST), Richard Lynch <[EMAIL PROTECTED]> wrote:

Ricky Morley wrote:
Richard Lynch <[EMAIL PROTECTED]> on Thursday, February 03, 2005 11:26 AM said:

A simple thing to do is to put an md5 hash into the POST data, then
only do the insert if that md5 hash isn't already "used" when they
hit refresh.

Thank you for your responses. One question: If I were to use the md5 hash
method, what would be the best way to store used hashes? In a database? In
a temporary file kinda thing? Thanks again.

In a database with a datetime field.

Clear out anything older than a day or whatever in a cron job.

For a super busy site, you'd want to clear them out more often.

Or, to simplify matters, if you already have sessions, then do this:

<?php
  session_start();

  // Check their FORM freshness, and only process fresh input, not re-loaded:
  $fresh = isset($_POST['fresh']) ? $_POST['fresh'] : '';
  $used = isset($_SESSION['used']) ? $_SESSION['used'] : array();
  if ($fresh === '') {
    // First visit (GET) or the hidden field is missing: nothing to process.
  }
  elseif (isset($used[$fresh])) {
    echo "Ignoring re-posted data: " . htmlspecialchars($fresh) . "<br />\n";
  }
  else {
    // Demo only: prints the query instead of running it.
    $duplicate = isset($_POST['duplicate']) ? $_POST['duplicate'] : '';
    echo "INSERT INTO whatever (duplicate) VALUES ('" . htmlspecialchars($duplicate) . "')";
    $used[$fresh] = TRUE;
    $_SESSION['used'] = $used;
  }
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
  <input type="hidden" name="fresh" value="<?php echo md5(uniqid()) ?>">
  <input name="duplicate"><br />
  <input type="submit" value="Duplicate?">
</form>

Make sure any test for a session time-out occurs BEFORE this test for
'fresh' data -- so they can't wait for the session to time-out, and then
re-load, and get their duplicate "in" that way.

You could put most of the code to check for freshness in an include file,
and use it on a zillion forms.

Just put the INPUT HIDDEN with NAME='fresh' and an MD5 in every form and
be sure to: include 'freshness.inc'; before processing.

Or put it in a function you define in your globals.inc (or whatever gets
loaded every page).

It's simple and browser-independent, so it doesn't matter if they hit back
or not or re-load or their browser sends or doesn't send the signal needed
for ignore_user_abort to work or...
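A reusable version of the "freshness.inc" idea described above, as an added example that is not code from this thread. It keeps the same scheme (a one-time value in a hidden field, remembered in the session, rejected on re-post) and adds the three things a practitioner would want: the session time-out check runs before the token check, as Richard insists; tokens older than a day are pruned in-process instead of by cron; and the token comes from random_bytes() rather than md5(uniqid()), with issued tokens recorded so a value the server never handed out is rejected too. The file name freshness.inc, the function names, and the $pdo connection are assumptions; it needs PHP 7.1 or later.

```php
<?php
// freshness.inc (hypothetical file name): one-time form tokens kept in the
// session. Added example, not the code from the list post. Assumes PHP 7.1+
// (random_bytes, return types) and an open PDO connection in $pdo.

const FORM_TOKEN_TTL     = 86400; // seconds a token stays valid (the "older than a day" rule)
const SESSION_IDLE_LIMIT = 1800;  // seconds of inactivity before the session counts as expired

// Session time-out check. It runs BEFORE the token check on purpose: a client
// who waits for the session to expire and then re-loads must not get a
// duplicate "in" through a fresh, empty session.
function session_is_live(): bool
{
    $now  = time();
    $last = $_SESSION['last_seen'] ?? $now;
    if ($now - $last > SESSION_IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// Forget issued tokens older than FORM_TOKEN_TTL so the session does not grow
// without bound: the in-process equivalent of the cron job in the post.
function prune_form_tokens(): void
{
    $cutoff = time() - FORM_TOKEN_TTL;
    foreach ($_SESSION['form_tokens'] ?? [] as $token => $state) {
        if ($state['issued'] < $cutoff) {
            unset($_SESSION['form_tokens'][$token]);
        }
    }
}

// Mint a token for the hidden input and record it as issued-but-unused.
// random_bytes() is unpredictable where md5(uniqid()) is not, and recording
// issued tokens means a value the server never handed out is rejected
// instead of being accepted the first time it is seen.
function issue_form_token(): string
{
    prune_form_tokens();
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_tokens'][$token] = ['issued' => time(), 'used' => false];
    return $token;
}

// Returns true exactly once per issued token; any later submission with the
// same token (refresh, back button, double click) returns false.
function consume_form_token($token): bool
{
    if (!session_is_live()) {
        return false;                          // expired session: reject, record nothing
    }
    prune_form_tokens();
    if (!is_string($token) || !isset($_SESSION['form_tokens'][$token])) {
        return false;                          // missing, malformed, expired or never issued
    }
    if ($_SESSION['form_tokens'][$token]['used']) {
        return false;                          // already consumed: a re-post
    }
    $_SESSION['form_tokens'][$token]['used'] = true;
    return true;
}

// ---- the page that uses it ----
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (consume_form_token($_POST['fresh'] ?? null)) {
        // Prepared statement in place of interpolating $_POST into the SQL string.
        $stmt = $pdo->prepare('INSERT INTO whatever (duplicate) VALUES (:v)');
        $stmt->execute([':v' => $_POST['duplicate'] ?? '']);
    } else {
        echo "Ignoring re-posted or stale data<br />\n";
    }
}
$fresh = issue_form_token();                   // a new token for the next submission
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
  <input type="hidden" name="fresh" value="<?php echo htmlspecialchars($fresh) ?>">
  <input name="duplicate"><br />
  <input type="submit" value="Duplicate?">
</form>
```

The token is a de-duplication key, not a secret shared with anyone but the session owner, so a plain isset() lookup is enough; what matters is that consume_form_token() is the only place a token flips to used, and that it is called before the INSERT on every form that carries the hidden field.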



-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php