[PHP] Prevent form resubmission on back button after redirect


mlukac89


Hi

I have a problem, as the title says, with form resubmission. I think everyone knows what I mean.

When I process the form, I redirect to another page, and if I hit the back button in the browser it gives me a page with "Confirm form resubmission", and if I press F5 I get a pop-up window and it processes the form again even if I unset($_POST); the data.

<?php

include '../config.php';

// process form
if (isset($_POST['submit'])) {

    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    $email    = trim($_POST['email']);

    // check if username is in use
    if ($users->user_exists($username) === true) {
        $error = '<div class="alert alert-warning alert-dismissible fade-in">
                    <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
                    Username in use, please choose another one.
                  </div>';

    // check if email already registered
    } elseif ($users->email_exists($email) === true) {
        $error = '<div class="alert alert-warning alert-dismissible fade-in">
                    <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
                    Email in use, please choose another one.
                  </div>';
    } else {
        $error = "success";
        // unset post variables
        unset($_POST);
        // ask the browser to load users.php after 5 seconds
        header("refresh:5;url=users.php");
        exit();
    }
}

?>
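The usual cure for the "Confirm form resubmission" prompt is the Post/Redirect/Get pattern: answer the POST with a real HTTP redirect (303 See Other) and no body, so the browser's history holds the GET of the target page rather than the POST. The script below is an added example, not the thread author's code; it keeps the `$users->user_exists()` and `$users->email_exists()` calls from the post and assumes a `$users->add_user()` method, a `users.php` page that displays `$_SESSION['flash']`, and a form page called `add_user.php` (all three are assumptions).

```php
<?php
// Added example: Post/Redirect/Get for the admin "add user" form.
// Assumptions (not from the thread): $users->add_user($username, $hash, $email)
// inserts the row, users.php and add_user.php read $_SESSION['flash'].
session_start();
include '../config.php';

// Send a 303 and stop. A 303 tells the browser to fetch $url with GET, so
// neither the back button nor F5 replays the POST. Nothing may be echoed
// before header(), and exit keeps the POST response body empty.
function redirect_after_post(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

// Store a one-shot message for the next page; users.php / add_user.php
// print it and unset it.
function flash(string $message): void
{
    $_SESSION['flash'] = $message;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';
    $email    = trim($_POST['email'] ?? '');

    if ($username === '' || $password === '' || $email === '') {
        flash('All fields are required.');
        redirect_after_post('add_user.php');
    }

    if ($users->user_exists($username) === true) {
        flash('Username in use, please choose another one.');
        redirect_after_post('add_user.php');
    }

    if ($users->email_exists($email) === true) {
        flash('Email in use, please choose another one.');
        redirect_after_post('add_user.php');
    }

    // Store only a hash, never the plain-text password (password_hash is built into PHP).
    $users->add_user($username, password_hash($password, PASSWORD_DEFAULT), $email);

    flash('User created.');
    redirect_after_post('users.php');
}

// GET: render the form. Show and clear any message left by the last POST.
$flashMessage = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
?>
<?php if ($flashMessage !== null): ?>
    <div class="alert alert-warning"><?= htmlspecialchars($flashMessage, ENT_QUOTES, 'UTF-8') ?></div>
<?php endif; ?>
<form method="post" action="add_user.php">
    <input name="username"><input name="password" type="password"><input name="email">
    <button type="submit" name="submit">Add user</button>
</form>
```

The difference from the original script is that the success path in the original sends a `Refresh` header, which is not a redirect: the POST response itself stays the current page for five seconds, so the browser records the POST in history and offers to resubmit it. Clearing `$_POST` on the server cannot change what the browser remembers. Note also that the form reports whether an e-mail address is registered; the later reply in this thread explains why that should be avoided.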

This is an admin script; when adding a user it checks whether the email exists, and why is that bogus? It's normal on a registration site too that you give a message to the user that the email is in use.

Where is the problem?

This is in the Users class:

	// Returns true when a row with this e-mail address exists.
	public function email_exists($email)
	{
		$query = $this->db->prepare("SELECT email FROM users WHERE email = :email");
		$query->bindParam(':email', $email);
		$query->execute();

		// rowCount() after a SELECT works with the MySQL driver, but PDO does
		// not guarantee it for every driver.
		if ($query->rowCount() > 0) {
			return true;
		} else {
			return false;
		}
	}

It is not normal to expose the e-mail address of your users. This is private data. Imagine a website for, say, drug addicts stating “Yup, joe.blow@example.com is one of our users.” Clearly that's a problem.

Even if you're dealing with a less sensitive topic, it's still your responsibility to protect the personal data of your users. This means not giving it away, neither directly nor indirectly. If you want to tell the user that the e-mail address is already registered, send them an e-mail. Then only the legitimate owner will get the message.

Both checks are also subject to time-of-check to time-of-use race conditions. If two users ask for the same unused name at the same time, they both get it, because the check happens before the insertion. You need to do the check and the insertion in a single atomic operation. MySQL can do that for you: just make the columns UNIQUE, do the insertion, then catch all errors triggered by a violation of the UNIQUE constraint.

As pseudocode:

try:
  insert_data()
catch constraint violation:
  if duplicate name:
    print("Sorry, this name is already taken.")
  if duplicate email address:
    send_email("You are already registered with this address. Did you forget your password?")
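The pseudocode above, worked out in PHP with PDO, as an added example that is not part of the reply. It assumes a `users` table with UNIQUE indexes named `uq_users_username` and `uq_users_email`, a `$pdo` connection with `PDO::ERRMODE_EXCEPTION` enabled, and a hypothetical `send_already_registered_mail()` helper; the index names, the helper and the SQLSTATE/driver-code values for MySQL's duplicate-key error (23000 / 1062) are the assumptions the code relies on.

```php
<?php
// Added example: insert first, then classify the UNIQUE-constraint violation.
// Assumed schema (not from the thread):
//   CREATE TABLE users (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(64) NOT NULL, password_hash VARCHAR(255) NOT NULL,
//     email VARCHAR(255) NOT NULL,
//     UNIQUE KEY uq_users_username (username),
//     UNIQUE KEY uq_users_email (email)
//   );
// $pdo must be created with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION so
// execute() throws instead of returning false.

const RESULT_CREATED            = 'created';
const RESULT_DUPLICATE_USERNAME = 'duplicate_username';
const RESULT_DUPLICATE_EMAIL    = 'duplicate_email';

// Single INSERT: the database enforces uniqueness atomically, so two
// concurrent requests for the same name cannot both succeed.
function register_user(PDO $pdo, string $username, string $passwordHash, string $email): string
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, email) VALUES (:u, :p, :e)'
    );
    try {
        $stmt->execute([':u' => $username, ':p' => $passwordHash, ':e' => $email]);
        return RESULT_CREATED;
    } catch (PDOException $e) {
        // MySQL duplicate key: SQLSTATE 23000, driver error 1062. errorInfo[2]
        // names the violated index, e.g. "Duplicate entry 'joe' for key
        // 'users.uq_users_username'" (MySQL 8 prefixes the table name).
        $sqlState   = $e->errorInfo[0] ?? '';
        $driverCode = (int) ($e->errorInfo[1] ?? 0);
        $message    = $e->errorInfo[2] ?? '';
        if ($sqlState === '23000' && $driverCode === 1062) {
            if (strpos($message, 'uq_users_username') !== false) {
                return RESULT_DUPLICATE_USERNAME;
            }
            if (strpos($message, 'uq_users_email') !== false) {
                return RESULT_DUPLICATE_EMAIL;
            }
        }
        throw $e; // any other failure is a real error, not a duplicate
    }
}

// Hypothetical mail helper: only the mailbox owner learns the address is taken.
function send_already_registered_mail(string $email): void
{
    mail($email, 'Registration', "You are already registered with this address. Did you forget your password?");
}

// Turn the result into what the HTTP response may say. The duplicate-e-mail
// case returns exactly the same text as success, so the response never
// reveals whether an address is registered.
function response_message(string $result, string $email): string
{
    switch ($result) {
        case RESULT_DUPLICATE_USERNAME:
            return 'Sorry, this name is already taken.';
        case RESULT_DUPLICATE_EMAIL:
            send_already_registered_mail($email);
            return 'Thanks. Check your e-mail to continue.';
        case RESULT_CREATED:
        default:
            return 'Thanks. Check your e-mail to continue.';
    }
}

// Usage (the form fields are assumed to come from a validated POST):
// $result = register_user($pdo, $username, password_hash($password, PASSWORD_DEFAULT), $email);
// echo htmlspecialchars(response_message($result, $email), ENT_QUOTES, 'UTF-8');
```

Matching on the index name in the error message is the part most likely to need adjusting: index names are chosen when the table is created, so name them explicitly rather than relying on MySQL's generated defaults. If a deployment uses a different driver or SQL dialect, the SQLSTATE class `23` (integrity constraint violation) is the portable signal and the driver code is not.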
