When I am making a timed appointment, there is a verification condition in the form that determines whether the current time has reached the set time point. If it has not arrived, it cannot be executed
<?php
ini_set('date.timezone','Asia/Shanghai');
$setTime = date("Y-m-d");
$setTime = strtotime("$setTime 10:30:00");
if(time() < $setTime){
exit("The appointment time has not arrived, please visit later");
}
?>
<form>……</form>According to logic, if the time is not up, the form content cannot be accessed and submitted
But through the plug-in record of the form verification code, I can see that around 10:29:40, there is already a user Completed the verification code verification in the form
When we tested it ourselves, we didn’t know how the user operated
(PS: We used Alibaba Cloud’s drag verification for verification, and each verification has a recorded value. , as shown below)< /span>
Does anyone know where the loopholes in this logic are and how they should be restricted?
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
Is the plug-in record of the verification code on your server? If not, I'm afraid the time is not synchronized.
First, you are prohibiting users from accessing the page. However, when the user submits the form, the access server URL is different, that is, your form URL is index, but the server request path index/save is used to save the data through the form, so the user can directly save the data. Directly post to index/save, and your index/save request logic does not set a time limit, so the data can be inserted into the database