fmpros, posted June 14, 2010:

Hi Folks, I'm working on a PHP project that is basically a timed quiz. I'm using one self-submitting form to process all questions for a given quiz, one question at a time. Each question is essentially an essay and is displayed/timed one at a time. Everything is working great; however, the back button allows users to resubmit a question. My attempts at preventing this have been unsuccessful. Man, any help would be so appreciated. I've got a client breathing down my neck. Here is the code:

```php
<?php
if (!session_id()) {
    session_start();
}
require_once('include/db.inc.php');
require_once('include/auth.php');

if (isset($_GET['new']) && $_GET['new'] == 'true') {
    // A: start a new application (quiz attempt) for this user
    $appDefRecID = '26'; // Static Value
    $appDefRecord = $uuDB->getRecordById('php_appdefinition', $appDefRecID);
    $test = isset($_GET['id']) ? $_GET['id'] : null;
    $appDefID = $appDefRecord->getField('__kp_AppDefinitionID');
    $title = $appDefRecord->getField('Title');
    $description = html_entity_decode(nl2br($appDefRecord->getField('Description_css')));
    $instructions = html_entity_decode(nl2br($appDefRecord->getField('Instructions_css')));

    $newAppCmd = $uuDB->newAddCommand('php_application');
    $newAppCmd->setField('_kf_AppDefinitionID', $appDefID);
    $newAppCmd->setField('_kf_UserID', $_SESSION['userid']);
    $newApp = $newAppCmd->execute();
    $newAppRec = current($newApp->getRecords());
    $appRecID = $newAppRec->getRecordId();
    $appID = $newAppRec->getField('__kp_ApplicationID');

    // FileMaker script creates the question (field value) records for this application
    $newPerformScript = $uuDB->newPerformScriptCommand('php_application', 'php_createApp', $appID);
    $scriptResult = $newPerformScript->execute();

    $appRecord = $uuDB->getRecordById('php_application', $appRecID);
    $appQs = $appRecord->getRelatedSet('PHP_FieldValue');
    $_SESSION['total'] = count($appQs);
    $_SESSION['appRecID'] = $appRecID;
    $_SESSION['count'] = 0;
    $_SESSION['valueRecID'] = $appQs[$_SESSION['count']]->getField('z_RecID');

    // Remember the record IDs of all questions, in order
    $_SESSION['vRecID'] = array();
    $counter = 0;
    foreach ($appQs as $appQ) {
        $_SESSION['vRecID'][$counter] = $appQ->getRecordId();
        $counter = $counter + 1;
    }

    // First question and its time limit (FieldTime minutes -> milliseconds for the JS timer)
    $qRec = $uuDB->getRecordById('php_fieldvalue', $_SESSION['vRecID'][0]);
    $q = $qRec->getField('FieldLabel');
    $javaVar1 = $qRec->getField('FieldTime');
    $constant = 1000;
    $seconds = 60;
    $javaVar2 = $javaVar1 * $seconds * $constant;
} else {
    // Form submission: save the previous answer and advance to the next question
    $_SESSION['count']++;
    $counter = $_SESSION['count'];
    if ($_SESSION['count'] == $_SESSION['total']) {
        header('Location: confirmation.php');
        exit();
    }
    if (empty($_SESSION['vRecID'][$counter])) {
        header('Location: error.php');
        exit();
    }

    // Refuse if the previous question is already flagged as submitted
    $rec = $uuDB->getRecordById('php_fieldvalue', $_SESSION['vRecID'][$counter - 1]);
    $sub = $rec->getField('SubmitCheck');
    if ($sub) {
        header('Location: error.php');
        exit();
    }

    $qRec = $uuDB->getRecordById('php_fieldvalue', $_SESSION['vRecID'][$counter]);
    $q = $qRec->getField('FieldLabel');
    $javaVar1 = $qRec->getField('FieldTime');
    $constant = 1000;
    $seconds = 60;
    $javaVar2 = $javaVar1 * $seconds * $constant;
    $_SESSION['currentAppQid'] = $_SESSION['vRecID'][$counter];

    // Store the answer and the submit flag on the previous question's record
    $edit = $uuDB->newEditCommand('php_fieldvalue', $_SESSION['vRecID'][$counter - 1]);
    $value = isset($_POST['answer']) ? $_POST['answer'] : '';
    $edit->setField('Value', $value);
    $edit->setField('SubmitCheck', isset($_POST['submitCheck']) ? $_POST['submitCheck'] : '');
    $edit->execute();
}
?>
```
ignace, posted June 14, 2010:

http://en.wikipedia.org/wiki/Post/Redirect/Get
Psycho, posted June 14, 2010:

OK, I understand this problem very well, but find that Wikipedia entry confusing. Quite simply, after you have processed the POST/GET data, simply redirect the user to a "success" page (e.g. "Thank you for your submission") using "header('Location: success.php');". When the user is redirected to that page, all POST/GET data is lost. So, if the user refreshes the page they will just get a refresh of that page, not the processing page. I hope that didn't make it more confusing.
fmpros (author), posted June 14, 2010:

Thanks for the replies. What I'm really trying to prevent is the user bypassing the time limits by going back and resubmitting. Even if I created a separate processing page with a redirect, couldn't the user eventually get to the form page by pressing back enough times? The refresh is actually not a problem since the code automatically pushes the user to the next question upon refresh. Thanks again for the quick replies!
plutomed, posted June 14, 2010:

Could you not use Ajax and change the content of a div?
Psycho, posted June 14, 2010:

> Thanks for the replies. What I'm really trying to prevent is the user bypassing the time limits by going back and resubmitting. Even if I created a separate processing page with a redirect, couldn't the user eventually get to the form page by pressing back enough times? The refresh is actually not a problem since the code automatically pushes the user to the next question upon refresh. Thanks again for the quick replies!

Well, you will need to identify the user in some manner. If this is a system where the user logs in then you will want to store a record in the database that includes the user ID and last submission time. Then whenever a submission is made you will need to check that table to see if enough time has elapsed since the last submission time to allow the new submission.

If this is not a system with known users that log in (i.e. anyone can access the page) then you have some decisions to make, because it all depends on how fool-proof this needs to be. You can use a cookie to store the last submission time, assuming the user has cookies enabled. This allows the submission to be tracked on a machine-by-machine basis. But, if you are worried about malicious users, they can disable cookies and/or delete them on each submission. If you don't want to use cookies, you could store a last submission in the database by IP address. But that has drawbacks as well. Users can change/spoof their IP address and it will also cause problems for users that are behind a NAT and are using the same external IP address.
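The following is an added example, not code from this thread or from the poster's project. It shows the server-side check Psycho describes (record when the question was issued, reject submissions that arrive after the limit) combined with the Post/Redirect/Get from the earlier reply, in PHP 7.1+. The key point for the back-button problem is that the deadline and a single-use token live on the server, so it does not matter how many times the user presses back: a second POST for the same question carries a token that has already been spent, and a POST for an older question carries a token that no longer matches. `$state` stands in for `$_SESSION` or for the per-user database row suggested above; `GRACE_SECONDS`, the field names and the page names `question.php`/`error.php` are assumptions for the example.

```php
<?php
// Added example (not from the original thread). Server-side enforcement of a
// per-question time limit plus a single-use submission token. $state stands in
// for $_SESSION, or for the per-user database row suggested above. Timestamps
// are passed in explicitly so the script runs from the CLI with fixed values;
// a real page would pass time(). GRACE_SECONDS and field names are assumptions.

const GRACE_SECONDS = 5; // allowance for network latency (assumed value)

// Show a question: record the deadline and a fresh random token that the form
// must echo back in a hidden field. Returns what the template needs.
function issue_question(array &$state, int $index, int $limitSeconds, int $now): array
{
    $token = bin2hex(random_bytes(16));
    $state['current'] = array(
        'index'     => $index,
        'token'     => $token,
        'deadline'  => $now + $limitSeconds,
        'submitted' => false,
    );
    return array('index' => $index, 'token' => $token);
}

// Validate a POST against the server-side record. Returns null on success
// (answer stored, token spent) or a reason string on rejection. The browser's
// own countdown is never trusted: only the server's deadline decides.
function accept_submission(array &$state, array $post, int $now): ?string
{
    if (!isset($state['current'])) {
        return 'no question is open';
    }
    $cur = $state['current'];
    $token = isset($post['token']) ? (string) $post['token'] : '';
    // hash_equals() compares in constant time; a token from an older question
    // (back button pressed several times) simply fails to match.
    if (!hash_equals($cur['token'], $token)) {
        return 'token does not match the open question';
    }
    if ($cur['submitted']) {
        return 'question already answered (resubmission refused)';
    }
    if ($now > $cur['deadline'] + GRACE_SECONDS) {
        return 'time limit exceeded';
    }
    $state['answers'][$cur['index']] = isset($post['answer']) ? $post['answer'] : '';
    $state['current']['submitted'] = true; // token is now spent
    return null;
}

// Web wiring (defined but not called in the CLI demo): process the POST, then
// redirect with 303 so refresh or back never re-POSTs (Post/Redirect/Get).
// question.php and error.php are assumed page names.
function handle_post(array &$state, array $post, int $now): void
{
    $err = accept_submission($state, $post, $now);
    header('Location: ' . ($err === null ? 'question.php' : 'error.php'), true, 303);
    exit;
}

// CLI demo with constructed timestamps (seconds).
$state = array('answers' => array());
$t = 1000;

$q = issue_question($state, 0, 120, $t);
$first = array('token' => $q['token'], 'answer' => 'first essay');
var_dump(accept_submission($state, $first, $t + 60));   // on-time first submission
var_dump(accept_submission($state, $first, $t + 61));   // same form re-POSTed via back button

$q = issue_question($state, 1, 120, $t + 100);
$late = array('token' => $q['token'], 'answer' => 'late essay');
var_dump(accept_submission($state, $late, $t + 400));   // submitted after the deadline
var_dump(accept_submission($state, $first, $t + 400));  // old question's form re-POSTed

var_dump($state['answers']);                             // only the accepted answer is stored
```

In the page itself, the GET handler calls `issue_question()` with `time()` and renders the token in a hidden input next to the answer field; the POST handler calls `handle_post()`. Because every decision is made from `$state` on the server, client-side JavaScript timers, disabled cookies or a spoofed IP address do not change the outcome, which is the property the cookie and IP-address approaches above cannot give you.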