PHP
Sekira, 2014-05-22 20:20:00

How to properly prevent form resubmission?

For example, a user writes a message: after filling out the form and pressing the Submit button, a page appears showing the message "Sent", with a list of all messages below it. If you refresh the page in Opera, the message is sent again; in Chrome, it asks whether to send the form again. The page with the messages needs to refresh without asking anything.
- If you do it with a hidden field with a random value and check this value, the browser will still ask about resending, although the message will no longer be added.
- If, after adding a message to the database, you redirect to a page like index.php?message=Message%20successfully%20added!, then this message will appear again after refreshing the page.
+ Therefore, I want to do this: the site uses its own sessions in the MySQL database, but in order not to strain the database, I want to use the built-in PHP sessions just for this case. Namely: at the point where the success message is displayed, that is, after the information has physically been added to the database, start the session, add a variable to it with the message "Message added successfully!", then redirect to the same page where all messages are displayed. And in the code of the page itself, start the session, and if there is a variable with a message in it, display it and delete the variable.
+ Better yet, make an array of messages and display them all. But if several tabs happen to be open, there is a very small chance that something will happen at the same time and the message will be displayed in the wrong tab, so it's probably worth generating a random variable name, passing this name as a GET parameter in the redirect URL, and then displaying and deleting the variable using it. Then everything seems to be fine.
How do you like this option, and how is this done in general? Maybe still a separate page, as in many forums: "Message added, now you will be redirected"?
Thank you all in advance for your replies!

4 answer(s)
Alexander Kubintsev, 2014-05-23
@Sekira

I would not store an array of messages in the session; it is generally bad practice to store anything in it except for a couple of identifiers.
To guarantee against duplication, there is a trick:
- a new message identifier is generated on the server
- the server sends this identifier to the client
- the client fills in the message and sends it to the server with the same identifier
- the server, upon receipt, matches the message with the identifier (i.e. fills in the corresponding field in the database if it was empty)
Let's now consider the scenarios when trying to send a message from the client:
- the message identifier is set:
  - there is already a message with the same id on the server => failure
  - there is no such id on the server => failure (perhaps an attempt to find a vulnerability)
- the identifier is not set => failure
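
The scheme in this answer, sketched as an added example that is not part of the original answer. The table layout, the function names `issueMessageId` and `submitMessage`, the user id 7 and the in-memory SQLite database are assumptions chosen so the script runs on its own from the PHP CLI (PHP 7+ with pdo_sqlite).

```php
<?php
// Added example: server-issued, single-use message identifier (all names hypothetical).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id TEXT PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT)');

// Steps 1-2: reserve an empty row; its id goes to the client in a hidden form field.
function issueMessageId(PDO $db, int $userId): string
{
    $id = bin2hex(random_bytes(16)); // unguessable, so ids cannot be enumerated
    $db->prepare('INSERT INTO messages (id, user_id, body) VALUES (?, ?, NULL)')
       ->execute([$id, $userId]);
    return $id;
}

// Steps 3-4: fill the reserved row only if it exists, belongs to this user and is still empty.
function submitMessage(PDO $db, int $userId, ?string $id, string $body): bool
{
    if ($id === null || !preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return false; // identifier not set or malformed => failure
    }
    // One conditional UPDATE is atomic: two concurrent resubmissions cannot both succeed.
    $stmt = $db->prepare(
        'UPDATE messages SET body = ? WHERE id = ? AND user_id = ? AND body IS NULL'
    );
    $stmt->execute([$body, $id, $userId]);
    return $stmt->rowCount() === 1; // 0 rows: unknown id, foreign id or already used => failure
}

// Constructed walk-through of the scenarios listed in the answer.
$id = issueMessageId($db, 7);
var_dump(submitMessage($db, 7, $id, 'Hello'));              // first submission
var_dump(submitMessage($db, 7, $id, 'Hello'));              // page refresh resends the same id
var_dump(submitMessage($db, 7, str_repeat('0', 32), 'x'));  // id the server never issued
var_dump(submitMessage($db, 7, null, 'x'));                 // id missing from the request
```

Binding the reserved row to the user who requested it also keeps one account from filling an identifier issued to another. Rows that are reserved but never filled accumulate and need periodic cleanup.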

Dmitry Korshunov, 2014-05-22
@dkorshunov55

I didn’t read the whole text of the question, laziness :)
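This is how I do it, after reading and processing the fields (received data):

// Discard the POST data that has just been processed
$_POST = NULL;
// Redirect to the current page so that a refresh issues a GET instead of repeating the POST
header("Location: " . Url::$url);
exit();

The data is sent by POST.
Url::$url contains a link to the current page.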

Rsa97, 2014-05-22
@Rsa97

Send data with ajax and let them refresh the page if necessary.

coderxOne, 2017-02-24
@coderxOne

In short, everything is simple.
After processing the data, save the array in the session and redirect to another function; in that other function, check for the presence of the session and display the array. That's all, now when you go to another page there will be no request to reload)).
