How Does PHP's Post-Redirect-Get (PRG) Pattern Prevent Data Duplication and CSRF Attacks?

PHP Post-Redirect-Get (PRG) Code Example

When implementing the PRG pattern in PHP, it's crucial to follow the correct steps to ensure protection against page reload and back button issues. Let's explore the basic implementation:

In your code:

1. The form is submitted to a validation script (validate.php).
2. validate.php validates the input and either stores it in the database or generates appropriate error messages.
3. The generated HTML (confirmation page or error page) is stored in a $_SESSION variable.
4. validate.php then redirects the user to a submitted.php or invalid_input.php page using header('Location: <as appropriate>').
5. The target page displays the HTML stored in the $_SESSION variable.

This approach provides a simple and effective solution against CSRF attacks and prevents unintended resubmissions or data duplication.

Simplest PRG Scenario

For a simplified PRG implementation, you can use the following code snippet:

if ($_POST) {
    // Validate the input
    
    if (/* input is OK */) {
        // Execute code (database updates, etc.)
        
        // Redirect to the same page
        header("Location: {$_SERVER['REQUEST_URI']}", true, 303);
        exit();
    }
}

Remember to use REQUEST_URI instead of PHP_SELF for compatibility with CMS systems and frameworks where PHP_SELF may redirect to a different script (e.g., index.php).

The above is the detailed content of How Does PHP's Post-Redirect-Get (PRG) Pattern Prevent Data Duplication and CSRF Attacks?. For more information, please follow other related articles on the PHP Chinese website!