Jump to content

Recommended Posts

Hi Folks,

 

I'm working on a PHP project that is basically a timed quiz.  I'm using one self submitting form to process all questions for a given quiz, one question at a time.  Each question is essentially an essay and is displayed/timed one at a time.  Everything is working great however, the back button allows users to resubmit a question.  My attempts at preventing this have been unsuccessful.  Man, any help would be so appreciated.  I've got a client breathing down my neck. 

 

 

Here is the code:

 

<?php
if(!session_id()) session_start();
require_once('include/db.inc.php');
require_once('include/auth.php');



if($_GET['new'] == 'true'){ // A

$appDefRecID = '26'; //Static Value



$appDefRecord = $uuDB->getRecordById('php_appdefinition', 26); 

$test = $_GET['id'];

$appDefID = $appDefRecord->getField('__kp_AppDefinitionID');



$title = $appDefRecord->getField('Title');


$description = html_entity_decode(nl2br($appDefRecord->getField('Description_css')));
$instructions = html_entity_decode(nl2br($appDefRecord->getField('Instructions_css')));



$newAppCmd = $uuDB->newAddCommand('php_application');
$newAppCmd->setField('_kf_AppDefinitionID',$appDefID);
$newAppCmd->setField('_kf_UserID',$_SESSION['userid']);

$newApp = $newAppCmd->execute();
$newAppRec = current($newApp->getRecords());
$appRecID = $newAppRec->getRecordId();
$appID = $newAppRec->getField('__kp_ApplicationID');
$newPerformScript = $uuDB->newPerformScriptCommand('php_application', 'php_createApp', $appID);
$scriptResult = $newPerformScript->execute();
$appRecord = $uuDB->getRecordById('php_application', $appRecID);
$appQs = $appRecord->getRelatedSet('PHP_FieldValue');
$_SESSION['total'] =count($appQs) ;
$_SESSION['appRecID'] = $appRecID;
$_SESSION['count'] = 0;
$_SESSION['valueRecID'] = $appQs[$_SESSION['count']]->getField('z_RecID');
	$_SESSION['vRecID'] = array();
	$counter = 0;
	foreach($appQs as $appQ ) {
	$_SESSION['vRecID'][$counter] = $appQ->getRecordId();
	$counter = $counter + 1;
	}
	$qRec = $uuDB->getRecordById('php_fieldvalue', $_SESSION['vRecID'][0]);
$q = $qRec->getField('FieldLabel');
$javaVar1 = $qRec->getField('FieldTime');
$constant = 1000;
$seconds = 60;
$javaVar2 = $javaVar1 * $seconds * $constant ;
}else{ 



$_SESSION['count']++;
$counter =  $_SESSION['count'];
if($_SESSION['count'] == $_SESSION['total']){
header('Location: confirmation.php');
	exit();	
}
if (empty($_SESSION['vRecID'][$counter])) {
    header('Location: error.php');
	exit();	
}
$rec = $uuDB->getRecordById('php_fieldvalue', $_SESSION['vRecID'][$counter-1]);
$sub = $rec->getField('SubmitCheck');
	if ($rec->getField('SubmitCheck')) {
    header('Location: error.php');
	exit();	
}
$qRec = $uuDB->getRecordById('php_fieldvalue', $_SESSION['vRecID'][$counter]);
$q = $qRec->getField('FieldLabel');
$javaVar1 = $qRec->getField('FieldTime');
$constant = 1000;
$seconds = 60;

$javaVar2 = $javaVar1 * $seconds * $constant ;
$_SESSION['currentAppQid'] = $_SESSION['vRecID'][$counter];

$edit = $uuDB->newEditCommand('php_fieldvalue', $_SESSION['vRecID'][$counter-1] );


$value = $_POST['answer'];
$edit->setField('Value', $value );
$edit->setField('SubmitCheck', $_POST['submitCheck']);
$edit->execute();



}




?>

OK, I understand this problem very well, but find that wikipedia entry confusing.

 

Quite simply, after you have processed the POST/GET data, simply redirect the user to a "success" page (e.g. Thank you for your submission") using "header('Location: success.php');". When the user is redirected to that page, all POST/GET data is lost. So, if the user refreshes the page they will just get a refresh of that page, not the processing page.

 

I hope that didn't make it more confusing.

Thanks for the replies.  What I'm really trying to prevent, is the user bypassing the time limits by going back and resubmitting.  Even if I created a separate processing page with a redirect, couldn't the user eventually get to the form page by pressing back enough times? The refresh is actually not a problem sine the code automatically pushes the user to the next question upon refresh.  Thanks again for the quick replies!

Thanks for the replies.  What I'm really trying to prevent, is the user bypassing the time limits by going back and resubmitting.  Even if I created a separate processing page with a redirect, couldn't the user eventually get to the form page by pressing back enough times? The refresh is actually not a problem sine the code automatically pushes the user to the next question upon refresh.  Thanks again for the quick replies!

 

Well, you will need to identify the user in some manner. If this is a system where the user logs in then you will want to store a record in the database that includes the user ID and last submission time. Then whenever a submission is made you will need to check that table to see if enough time has elapsed since the last submission time to allow the new submissions.

 

If this is not a system with known users that log in (i.e. anyone can access the page) then you have some decisions to make. Because it all depends on how fool-proof this needs to be. You can use a cookie to store the last submission time, assuming the user has cookies enabled. This allows the submission to be tracked on a machine by machine basis. But, if you are worried about malicious user's they can disable cookies and/or delete them on each submission.

 

If you don't want to use cookies, you could store a last submission in the database by IP address. BUt, that has drawbacks as well. Users can change/spoof their IP address and it will also cause problems for users that are behind a NAT and are using the same external IP address.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.