1

I would like to implement a multi-form submission prevention into my application, however I'm falied to do it.

I have tried different method, doing it with the Session method, but it does not work.

I actually want to insert data into the DB and send an email to a user. The process takes a little bit of time, like 1 second.

I have tried to create a token in a hidden field in my form, create a session for it too and regenerate it every time the page loads.

The problem is, that within the 1 second the visitor can click about 6-7 times to that button, and it will run the script over and over again.

I have tried to check if the Session equals to the hidden form's value, but they are the same each time, so it doesn't prevent the submission.

Is there any way that I can prevent this kind of vulneralibity?

EDIT:

What I've tried already has worked if I've reloaded the page, so they couldn't resubmit the form twice, but for some reasn it doesn't work, when it gets another request while the other is still being processed.

EDIT2 - Explaining the situation:

I have a file called: view.php. In here I have the form elements, including different textboxes and a submit button. The form type is POST and the action is set to default (submit on the same page).

I also have a file called: model.php. In here I'm doing the checking processes of the form submit.

I also have a file called: controller.php. In here I'm including the above files, so they are connected. First the model.php and at last the view.php.

So when someone clicks on the submit button in View.php, my model.php checks if the textboxes are not empty, etc. and gived back errors if there is a problem. When everything is okay, it allows the app to add the info to the DB and send an email to the user about the confirmation. After that the user gets redirected.

This is the whole process. I'd like to prevent multiple submit without JS and insert plus info to the DB.

Radical_Activity
  • 2,618
  • 10
  • 38
  • 70
  • have you tried disabling the button once clicked? – dev7 Sep 26 '14 at 23:07
  • For instance: http://stackoverflow.com/questions/2830542/prevent-double-submission-of-forms-in-jquery But there many more examples here for different environments. – KIKO Software Sep 26 '14 at 23:08
  • That can be bypassed if the user doesn't have Javascript enabled. – Radical_Activity Sep 26 '14 at 23:08
  • In that case you can give the user a unique ID, store that in a session, and check that they only submit the form once. But often you don't want to do that! – KIKO Software Sep 26 '14 at 23:10
  • How is it possible to check if it's submitted only once? – Radical_Activity Sep 26 '14 at 23:11
  • 1
    Show use the code you have, so we have something to work with. Now we have no idea what we can suggest. – KIKO Software Sep 26 '14 at 23:11
  • 1
    If the user has a unique ID, stored in a session, you can store this with the form data in the database. So each time you store something in the database you check that the user ID is not yet present, or you delete the existing record of that user. – KIKO Software Sep 26 '14 at 23:13
  • The problem is that I'm using an MVC framework, and a whole big system that checks the items before getting the to the DB. It's a system that is already set up. It would be impossible to past all the codes here. – Radical_Activity Sep 26 '14 at 23:13
  • The problem is, that there are no users present. It's a publicly available form. – Radical_Activity Sep 26 '14 at 23:14
  • 1
    All sessions should have an unique ID, anonymous or not. – KIKO Software Sep 26 '14 at 23:15
  • There's a lot of potential solutions to this problem, which one will work for you is very hard to tell without more info. If you're looking to stop accidents, a simple javascript disablement of the button will do. Stopping malicious users can only be done on the server side, as they can fake/disable anything coming from the client. – Krease Sep 26 '14 at 23:15

3 Answers3

3

It can be done in PHP, but I'd say your easiest option is to use javascript, and to simply disable the submit button on the first click.

Vanilla JS:

document.getElementById("yourButton").disabled = true;

jQuery:

$('#yourButton').attr("disabled", true);

Attach either function to your button's click event, and you're all set!

Schlaus
  • 18,144
  • 10
  • 36
  • 64
  • I would rather need not just a temporary solution. – Radical_Activity Sep 26 '14 at 23:12
  • How is this a temporary solution? This is probably the simplest option that will prevent accidental double-clicks. – Krease Sep 26 '14 at 23:13
  • Anyone who doesn't have JS can exploit this protection. – Radical_Activity Sep 26 '14 at 23:15
  • @Radical_Activity If you don't want users to be able to submit the same e-mail twice, then your only option is to check that the e-mail doesn't exist in your database. Users can just as easily manipulate form data being sent, as they can disable javascript. That will invalidate all other checks except a duplicate check. My answer is an effective way to prevent accidental double clicks. – Schlaus Sep 26 '14 at 23:18
  • That might have been the case with ancient browsers back in the 90's, but 99% of the web nowadays won't work without JS - just make it javascript that actually submits the form, and so it'll have to be enabled. – Krease Sep 26 '14 at 23:18
1

If you need to only prevent accidental double-submits, then simply disabling the button with javascript after it's clicked will do the job.

If you need to protect against potentially malicious users, then all bets are off for a client-side solution, as anything coming from the client can be faked or tampered with. This would require user authentication (source ip addresses can be changed, and anonymous users can just clear their session or submit with different browsers), and using your database to store information on whether the user has submitted already (or has a currently running submission).

There's other different ideas in between, of course, depending on how secure you want your solution to be, or other requirements you may have.

Krease
  • 15,805
  • 8
  • 54
  • 86
0

in your php code you could do something like:

session_start();
if(!empty($_POST) && empty($_SESSION['post'])) {
    $_SESSION['post'] = true;
    ... do your code
    unset($_SESSION['post']);
}

so if the post is submitted twice, it won't be accepted.

Maarten van Middelaar
  • 1,691
  • 10
  • 15