Posted by Ricky Morley on 10/04/52 11:07
You're wonderful. Thank you very much.
On Thu, 3 Feb 2005 13:02:14 -0800 (PST), Richard Lynch <ceo@l-i-e.com>
wrote:
> Ricky Morley wrote:
>>> Richard Lynch <mailto:ceo@l-i-e.com>
>>> on Thursday, February 03, 2005 11:26 AM said:
>>>
>>>> A simple thing to do is to put an md5 hash into the POST data, then
>>>> only do the insert if that md5 hash isn't already "used" when they
>>>> hit refresh.
>>
>> Thank you for your responses. One question: If I were to use the md5
>> hash method, what would be the best way to store used hashes? In a
>> database? In a temporary file kinda thing? Thanks again.
>
> In a database with a datetime field.
>
> Clear out anything older than a day or whatever in a cron job.
>
> For a super busy site, you'd want to clear them out more often.
>
> Or, to simplify matters, if you already have sessions, then do this:
>
> <?php
> session_start();
>
> // Check their FORM freshness, and only process fresh input, not re-loaded:
> $used = isset($_SESSION['used']) ? $_SESSION['used'] : array();
> if (isset($_POST['fresh'])) { // only a POST carries the token; a plain GET does not
>   $fresh = $_POST['fresh'];
>   if (isset($used[$fresh])){
>     echo "Ignoring re-posted data: " . htmlspecialchars($fresh) . "<br />\n";
>   }
>   else{
>     echo "INSERT INTO whatever (duplicate) VALUES ('$_POST[duplicate]')";
>     $used[$fresh] = TRUE;
>     $_SESSION['used'] = $used;
>   }
> }
> ?>
> <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
> <input type="hidden" name="fresh" value="[<?php echo md5(uniqid())?>]">
> <input name="duplicate"><br />
> <input type="submit" value="Duplicate?">
> </form>
>
> Make sure any test for a session time-out occurs BEFORE this test for
> 'fresh' data -- so they can't wait for the session to time-out, and then
> re-load, and get their duplicate "in" that way.
>
> You could put most of the code to check for freshness in an include file,
> and use it on a zillion forms.
>
> Just put the INPUT HIDDEN with NAME='fresh' and an MD5 in every form and
> be sure to: include 'freshness.inc'; before processing.
>
> Or put it in a function you define in your globals.inc (or whatever gets
> loaded every page).
>
> It's simple and browser-independent, so it doesn't matter if they hit
> back or not or re-load or their browser sends or doesn't send the signal
> needed for ignore_user_abort to work or...
>
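The reusable "freshness.inc" idea from the quoted mail, as an added example that is not code from the thread: the session time-out check runs before the token check, tokens are only accepted if the server issued them, and old ones are pruned instead of relying on a cron job. The constant names and the functions session_is_fresh(), token_issue() and token_consume() are assumptions for this example.

```php
<?php
// Added example, not code from the thread: a reusable freshness include in
// the spirit of freshness.inc. All names below are assumptions.
const SESSION_TIMEOUT = 1800;  // assumed: 30 minutes of inactivity
const TOKEN_LIFETIME  = 86400; // assumed: forget unused tokens after a day
function session_is_fresh(): bool {
    // Runs BEFORE the duplicate check, so letting the session expire and
    // re-loading cannot get the same POST accepted a second time.
    $last = $_SESSION['last_activity'] ?? 0;
    if ($last && time() - $last > SESSION_TIMEOUT) {
        $_SESSION = [];                // start over: empty data, new id
        session_regenerate_id(true);
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}
function token_issue(): string {
    // One unpredictable token per rendering of the form.
    $token = bin2hex(random_bytes(16));
    $_SESSION['tokens'][$token] = time();
    return $token;
}
function token_consume(?string $token): bool {
    // True exactly once per issued token; a re-load, a stale token or a
    // token the server never issued all return false.
    $now = time();
    foreach ($_SESSION['tokens'] ?? [] as $t => $issued) {
        if ($now - $issued > TOKEN_LIFETIME) unset($_SESSION['tokens'][$t]);
    }
    if ($token === null || !isset($_SESSION['tokens'][$token])) return false;
    unset($_SESSION['tokens'][$token]);
    return true;
}
session_start();
if (session_is_fresh() && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (token_consume($_POST['fresh'] ?? null)) {
        // do the INSERT once here, via a prepared statement rather than
        // interpolating $_POST values into the SQL string
    } else {
        echo "Ignoring re-posted data<br />\n";
    }
}
$fresh = token_issue();
?>
<form action="" method="post">
<input type="hidden" name="fresh" value="<?= htmlspecialchars($fresh) ?>">
<input name="duplicate"><br /><input type="submit" value="Duplicate?">
</form>
```

Because a token is removed the moment it is consumed, a refresh that re-posts it is rejected without a separate "used" table, and the per-session pruning loop bounds how much the session can grow on a busy site.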