rockinaway Posted September 11, 2011 Share Posted September 11, 2011 I have a form which submits to register.php How can I make it so that when the user gets sent to register.php, and then for some reason they refresh it on register.php, the form doesn't get resubmitted and data isn't added to the database? Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/ Share on other sites More sharing options...
Pandemikk Posted September 11, 2011 Share Posted September 11, 2011 Post data. Your forms should almost always be post data. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268107 Share on other sites More sharing options...
mikesta707 Posted September 11, 2011 Share Posted September 11, 2011 well you want to make sure when registering someone usually that the information isn't conflicting with information in the database. This is generally done with unique identifiers of the account (username, or email address for example). You would simply check to make sure there isn't a row with username (or email, or whatever) equal to the username entered in the post data before inserting into the database. This has the added benefit of refusing someone from registering if they use a taken username. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268108 Share on other sites More sharing options...
mikesta707 Posted September 11, 2011 Share Posted September 11, 2011 Post data. Your forms should almost always be post data. Not true. Having posts send GET data instead of POST data is just as valid. POST has some added benefits that makes it common with forms, but saying forms should always send POST data is incorrect Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268109 Share on other sites More sharing options...
Pandemikk Posted September 11, 2011 Share Posted September 11, 2011 Post data. Your forms should almost always be post data. Not true. Having posts send GET data instead of POST data is just as valid. POST has some added benefits that makes it common with forms, but saying forms should always send POST data is incorrect I said almost always. And for the purpose of a person registering, that should be POST not GET. Post is just more secure than get. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268111 Share on other sites More sharing options...
Adam Posted September 11, 2011 Share Posted September 11, 2011 As well as mikesta707's suggestion, you should force a redirect back to the same URL. This will effectively remove the previous POST request from the history, and replace it with the new one. Post is just more secure than get. It isn't any more secure at all, it's just hidden from sight. No user input should be considered "secure" until you secure it yourself. The reason POST is used instead of GET, is because that is what it was designed for. Look into the REST architecture. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268113 Share on other sites More sharing options...
KevinM1 Posted September 11, 2011 Share Posted September 11, 2011 Post data. Your forms should almost always be post data. Not true. Having posts send GET data instead of POST data is just as valid. POST has some added benefits that makes it common with forms, but saying forms should always send POST data is incorrect Websites should be semantic and RESTful. According to the HTTP spec, GET is for retrieving data, while POST is for updating data*. Forms can be used for both actions, so the proper method to use is based on the intent of the form - is it sending field values to the server in order to retrieve more data based on what's contained in those fields, or is it trying to update the back end data with the values of the fields? Use GET for the former, POST for the latter. I said almost always. And for the purpose of a person registering, that should be POST not GET. Post is just more secure than get. Wrong. POST has two advantages over GET: 1. It cannot be manipulated by what's in the browser's address bar. 2. It can send more data. Advantage 1 isn't much of an advantage at all. There's nothing stopping anyone with bad intent from making their own form and posting it to your form handler. There's no inherent security built into POST. Thinking you're safe for using it is wrong. EDIT: Technically, POST is used for creating data, while PUT is used for updating. However, since hardly any popular language/framework exposes/uses PUT naturally, both creating and updating is relegated to POST. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268114 Share on other sites More sharing options...
rockinaway Posted September 11, 2011 Author Share Posted September 11, 2011 Basically it's a registration form. Usually, I would do checks for the same email/username/IP address, but in this case people can register with the same username/email/IP address.. i.e. have multiple accounts.. which is why it's proving to be more confusing and finding a good method is more difficult. Once the form has been submitted to register.php, I do redirect with a header() statement, however I managed to someone resubmit the form when testing and so I wanted to find a way to avoid this... Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268121 Share on other sites More sharing options...
Pandemikk Posted September 11, 2011 Share Posted September 11, 2011 I'm fully aware of all the benefits of POST. I don't know why I only listed one, and yes "Safer" is one since less users will manipulate post data then data in the URL. Basically it's a registration form. Usually, I would do checks for the same email/username/IP address, but in this case people can register with the same username/email/IP address.. i.e. have multiple accounts.. which is why it's proving to be more confusing and finding a good method is more difficult. Once the form has been submitted to register.php, I do redirect with a header() statement, however I managed to someone resubmit the form when testing and so I wanted to find a way to avoid this... If you're allowing the same username then of course someone can register with testing more than once. You're not being very clear. Perhaps you want a unique Id for each user? Then consider `userid`, make sure it auto increments. As for "Resubmitting the form". Do you mean you only want one person to register once? Again, you're unclear. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268124 Share on other sites More sharing options...
rockinaway Posted September 11, 2011 Author Share Posted September 11, 2011 Okay, I'll pinpoint what I want. I am allowing users to register multiple times with the same usernames etc. I already have the userid that auto increments. HOWEVER, I DO NOT want to allow the user to register multiple accounts very quickly. For example, I don't want it so that if they press submit and then do it again and again and again in quick succession. I want some method of stopping them from re-registering for say an hour. As for the resubmitting. When I submitted the form, it hovered on register.php for a while before redirecting. I managed to stop the page on register.php and then kept refreshing the page and with each refresh a repeat account was generated. I was hoping there would be a similar way to stop this quick repeat registration. Also, on a slight side note, how can I 'timeout' user sessions? Which method would you recommend as I have read a few.. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268128 Share on other sites More sharing options...
Adam Posted September 11, 2011 Share Posted September 11, 2011 If users can have multiple accounts under the same username, I would consider rethinking the schema to remove the duplication. This would then allow you to add the unique constraint and prevent any accidental resubmissions. Out of curiosity, are you able to reproduce the problem? If so how is it happening? I've never experienced this problem before. I'm fully aware of all the benefits of POST. I don't know why I only listed one, and yes "Safer" is one since less users will manipulate post data then data in the URL. You have to consider the person who would try to manipulate the data; they're going to have a clue about what they're doing. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268129 Share on other sites More sharing options...
Adam Posted September 11, 2011 Share Posted September 11, 2011 I am allowing users to register multiple times with the same usernames etc. I already have the userid that auto increments. HOWEVER, I DO NOT want to allow the user to register multiple accounts very quickly. For example, I don't want it so that if they press submit and then do it again and again and again in quick succession. I want some method of stopping them from re-registering for say an hour. Create a column that stores the datetime the user registered an account. As they create another, validate it's not within an hour based on when they registered the previous account. ---- Going back to my last post, that wouldn't solve the issue I wasn't thinking straight! Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268131 Share on other sites More sharing options...
rockinaway Posted September 11, 2011 Author Share Posted September 11, 2011 Hmm, well it's just happened once where the page has hovered before getting to it's final destination. It's not MAJOR but it worries me a little as there is the potential there to refresh the page and create another account. It's making it quite difficult to find a method. Could I potentially set some sort of session variable in the form and then unset this as the FIRST thing when the form is submitted? Then if the form is refreshed on a page, I could check for this session var and it won't exist. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268132 Share on other sites More sharing options...
Pandemikk Posted September 11, 2011 Share Posted September 11, 2011 You have to consider the person who would try to manipulate the data; they're going to have a clue about what they're doing. That's just false. There's many more scripts kiddies and wannabe hackers than actual ones. I have a much bigger problem of people trying to exploit url variables than I've ever had people trying to exploit post data. This is purely my own expierence, though. HOWEVER, I DO NOT want to allow the user to register multiple accounts very quickly. For example, I don't want it so that if they press submit and then do it again and again and again in quick succession. I want some method of stopping them from re-registering for say an hour. Do you have sessions set up? I'd suggest a mixture of sessions and IP-address logging to prevent people from registering. For example, on each registration store an IP and dateline. When a user registers, grab all the registrations made in the past hour and check their IP-address against the stored one their. You actually may not want to use sessions, since a session can be changed just by closing the browser while the IP-address takes a bit more than that to change. Keep in mind, people WILL be able to bypass this. As for the resubmitting. When I submitted the form, it hovered on register.php for a while before redirecting. I managed to stop the page on register.php and then kept refreshing the page and with each refresh a repeat account was generated. How are you submitting the data? Through the url? If so, switch to post, that should solve the problem. The check above should also stop this. http://prajapatinilesh.wordpress.com/2009/01/14/manually-set-php-session-timeout-php-session/ For setting sessions. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268134 Share on other sites More sharing options...
rockinaway Posted September 11, 2011 Author Share Posted September 11, 2011 Okay yeah thanks, I've decided to put a few IP address checks in as I was storing this data. As for the session timeout thing, are they any methods using solely PHP script and no editing of the php.ini? Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268136 Share on other sites More sharing options...
Pandemikk Posted September 11, 2011 Share Posted September 11, 2011 http://php.net/manual/en/function.ini-set.php Although it depends on how your server is set up. Most shared hosts don't allow you to change the values. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268140 Share on other sites More sharing options...
rockinaway Posted September 11, 2011 Author Share Posted September 11, 2011 Yeah that's why i'm looking at alternate methods. Okay another question, sorry for so many! I'm doing a check on IP addresses and previous join time of a user. I have stored the times using time() as a timestamp. Now how can I compare two timestamp values? I mean what number would I check for if I was look for a 2 minutes difference or 10 minutes difference etc? Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268143 Share on other sites More sharing options...
Pandemikk Posted September 11, 2011 Share Posted September 11, 2011 Yeah that's why i'm looking at alternate methods. Okay another question, sorry for so many! I'm doing a check on IP addresses and previous join time of a user. I have stored the times using time() as a timestamp. Now how can I compare two timestamp values? I mean what number would I check for if I was look for a 2 minutes difference or 10 minutes difference etc? Simply math here. A unix timestamp, which is what time() returns, is simply the number of seconds since January 1st 1970. So 2 minutes would be 120 seconds, and 10 minutes would be 600 seconds. http://php.net/manual/en/function.strtotime.php Is also useful. But if you're doing it by such small time periods, it would be better just to input the number of seconds as an integer. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268160 Share on other sites More sharing options...
rockinaway Posted September 12, 2011 Author Share Posted September 12, 2011 Okay thanks, will try this Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268256 Share on other sites More sharing options...
rockinaway Posted September 12, 2011 Author Share Posted September 12, 2011 I'm having issues with the timestamp. It seems to change very quickly and by thousands even though the value entered in the database is completely different. For example, the timestamp entered into the database is 1315754757 but within seconds when I check it on the next page it is 1315827008. I am not altering the values at all, just using time(). Could it be my database structure? :s Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268296 Share on other sites More sharing options...
AyKay47 Posted September 12, 2011 Share Posted September 12, 2011 I'm having issues with the timestamp. It seems to change very quickly and by thousands even though the value entered in the database is completely different. For example, the timestamp entered into the database is 1315754757 but within seconds when I check it on the next page it is 1315827008. I am not altering the values at all, just using time(). Could it be my database structure? :s the time in your database is changing frequently? will be hard to diagnose without seeing your code Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268297 Share on other sites More sharing options...
Adam Posted September 12, 2011 Share Posted September 12, 2011 Is there always a ~20 hour leap? As AyKay47 says, we'll need to see the code. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268309 Share on other sites More sharing options...
rockinaway Posted September 12, 2011 Author Share Posted September 12, 2011 Always that, it's going to be difficult to show you the code as there is stuff spread across a number of files. The time in my database isn't but i'll try explaining it as best as I can. A user registers and I use time() to store the time they register at in the database. On the following page (which the form submits to) I want to check the current time with the time the user registered at for security. However, when I use time() again on this page, it's suddenly much further along than the value stored in the database just a couple of seconds ago! The time is stored in the database with a INT datatype and length of 20, nothing else is set for it. Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268348 Share on other sites More sharing options...
AyKay47 Posted September 12, 2011 Share Posted September 12, 2011 so you're saying that when you compare time() to the time stored in your db that was stored a few seconds ago.. the time difference is 20 hours? Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268371 Share on other sites More sharing options...
rockinaway Posted September 12, 2011 Author Share Posted September 12, 2011 Yes.. pretty strange to me too :s Quote Link to comment https://forums.phpfreaks.com/topic/246926-prevent-resubmitting-of-form-on-refresh/#findComment-1268411 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.