PHP prevents repeated form submission and form expiration processing

When the user submits the form, the same record may be repeatedly inserted into the database due to network speed or the web page is maliciously refreshed. This is a relatively difficult problem. We can start from the client and server side together to try to avoid repeated submission of the same form.

1. Using client-side scripts

When it comes to client-side scripts, JavaScript is often used for general input validation. In the following example, we use it to handle the repeated submission of the form, please see the code below:

When the user clicks the "Submit" button, the button will become gray and unavailable, as shown in Figure 5-6.

In the above example, the OnClick event is used to detect the user's submission status. If the "Submit" button is clicked, the button is immediately set to an invalid state, and the user cannot click the button to submit again.

There is another method, which also uses the function of JavaScript, but uses the OnSubmit() method. If the form has been submitted once, a dialog box will pop up immediately. The code is as follows:

In the above example, if the user has clicked the "Submit" button, the script will automatically record the current status and will The submitcount variable increases by 1. When the user attempts to submit again, the script determines that the submitcount variable value is non-zero and prompts the user that the form has been submitted, thereby avoiding repeated submission of the form.

2. Use Cookie processing

Use Cookie to record the status of form submission. Based on its status, you can check whether the form has been submitted. Please see the following code:

if(isset($_POST['go'] )){

setcookie("tempcookie","",time()+30);

header("Location:".$_SERVER[PHP_SELF]);

exit();

}

if(isset($_COOKIE["tempcookie"])){

setcookie("tempcookie","",0);

echo "You have already submitted the form";

}

?>

If the client disables cookies, this method will have no effect, please note this. For a detailed introduction to Cookies, please refer to Chapter 10 "PHP Session Management".

3. Use Session Processing

Using PHP's Session function can also avoid repeated submission of forms. Session is saved on the server side. The Session variable can be changed while PHP is running. The next time you access this variable, you will get the newly assigned value. Therefore, you can use a Session variable to record the value submitted by the form. If it does not match, it is considered The user is resubmitting, please see the following code:

session_start();

//Generate random numbers based on the current SESSION

$code = mt_rand(0,1000000);

$ _SESSION['code'] = $code;

?>

Pass random numbers as hidden values ​​on the page form, the code is as follows:

”>

The PHP code on the receiving page is as follows:

session_start();

if(isset($_POST['originator '])) {

if($_POST['originator'] == $_SESSION['code']){

// Process the statement of the form, omit

}else{

echo 'Please do not refresh This page or submit the form again! ’;

}

}

?>

4. Use the header function to redirect

In addition to the above method, there is a simpler method, that is, when the user submits the form, the server side processes it and immediately redirects to other pages. The code is as follows.

if (isset($_POST['action']) && $_POST['action'] == 'submitted') {

//Process data, such as after inserting data, immediately redirect to other pages

header( 'location:submits_success.php');

}

In this way, even if the user uses the refresh key, it will not cause repeated submission of the form, because it has been redirected to a new page, and this page script has ignored any submissions Data.

5. Handling of form expiration

During the development process, it often happens that a form error occurs and all the information filled in when returning to the page is lost. In order to support page bounce, this can be achieved through the following two methods.

5.1 Use the header header to set the cache control header Cache-control.

header(‘Cache-control: private, must-revalidate’); //Support page bounce

5.2 Use the session_cache_limiter method.

session_cache_limiter('private, must-revalidate'); //To be written before the session_start method

The following code snippet can prevent the user from filling in the form and clicking the "Submit" button to return when they just clicked on the form The filled in content will not be cleared:

session_cache_limiter('nocache');

session_cache_limiter('private');

session_cache_limiter('public');

session_start();

//The following is the form content, so that when the user returns to the form, the filled-in content will not be cleared.

Just paste this code at the top of the script to be applied.

Cache-Control message header field description

Cache-Control specifies the caching mechanism followed by requests and responses. Setting Cache-Control in a request message or response message does not modify the caching process during the processing of another message.

The cache instructions during the request include no-cache, no-store, max-age, max-stale, min-fresh and only-if-cached. The instructions in the response message include public, private, no-cache, no-store, no-transform, must-revalidate, proxy-revalidate and max-age. The meaning of the instructions in each message is as shown in the following table:

Cache directive

says

public

Indicates that the response can be cached by any cache

private

Indicates that for a single user the entire or Partial response messages cannot be processed by the shared cache. This allows the server to only describe when a user's partial response message is invalid for other users' requests

no-cache

Indicates that the request or response message cannot be cached

no-store

is used to prevent important information was released unintentionally. Sending in the request message will cause both the request and response messages to use caching

max-age

Indicates that the client can receive responses with a lifetime no longer than the specified time in seconds

min-fresh

Indicates that the client can receive responses with a response time less than the current time plus the specified time

max-stale

Indicates that the client can receive response messages that exceed the timeout period. If the value of the max-stale message is specified, the client can receive response messages that exceed the specified value of the timeout period

For an introduction to Session and Cookie, please refer to Chapter 10 "PHP Session Management" for details.

Techniques for judging form actions

Forms can allocate actions that should be processed through the same program. There are different logics in the form. How to judge the content of the button pressed by the user is just a small problem.

In fact, you only need to know the name of the submit button. When the form is submitted, only the submit type button pressed will be sent to the form array, so you only need to judge the value of the button to know how to use it. Which button does the user press? Take the following form as an example:

When the user presses the "a" button btn=a, press " b" button, then btn=b.

You can also judge by the name of the submit button, please see the following code:

In this way, as long as there are parameters in POST/GET If there is a or b, you can know which button is pressed.

print_r($_POST);

?>