
I reckon every page that has a form will need a unique ID generated. How would one go about storing, retrieving, and verifying this ID in an online environment?

Would you create a new database and run an INSERT query on every page that has a form on it? Followed up by a SELECT query on the form's target page to verify?

Would you then need to manually run a script that checks for old IDs to delete them? Or is there a more efficient method to all of this?

Edit: This is to prevent a script that executes a major action with a relatively simple query from being abused. Say limited_event.php can be POSTed to with a createNewReservationAutomatically variable that does just that, creating a temporary reservation with whatever contact details were submitted for manual verification later.

If the script is requested repeatedly with those variables, it will eventually fill up all available spots (and generally flood your database).

From my understanding referring URIs can be spoofed and are thus unreliable. What's a web developer to do? You have my upvote if you don't say recaptcha.

John Smith

1 Answer


You seem to be asking 3 questions: how to prevent duplicate submissions, how to "reserve" spots, and how to protect a form from malicious input.

  1. To prevent duplicate form submission, use http://en.wikipedia.org/wiki/Post/Redirect/Get

  2. For reservations, see https://stackoverflow.com/questions/tagged/reservation?sort=votes

  3. To protect forms from malicious input you need to do server-side validation, use XSS, CSRF and brute force countermeasures

Neil McGuigan
  • Awesome, I am currently using the `Post > Redirect > Get` method and have the reservation system nearly figured out. As far as CSRF (and double clicks on the PRG's submit button) goes, is something like this recommended? https://stackoverflow.com/questions/10466241/new-csrf-token-per-request-or-not – John Smith Mar 29 '15 at 07:57
  • @JohnSmith https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 is your best reference. They have a PHP library on their site. – Neil McGuigan Mar 29 '15 at 08:23
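Added example, not code from the question, the answer or OWASP's library: a per-form, single-use synchronizer token kept in the PHP session, which covers the storing/retrieving/verifying question and the CSRF and double-click concerns raised in the comments without a database table. The file name limited_event.php and the createNewReservationAutomatically field come from the question; the token lifetime and the `form_token` field name are assumptions.

```php
<?php
// Added example, not code from the question, answer or OWASP's library.
// A per-form, single-use synchronizer token kept in the PHP session: tokens
// expire on their own, so no database table or separate cleanup job is needed.
const FORM_TOKEN_TTL = 1800; // seconds a token stays valid (assumed value)
function formTokenPrune(): void
{
    foreach ($_SESSION['form_tokens'] ?? [] as $t => $e) {
        if ($e['exp'] < time()) {
            unset($_SESSION['form_tokens'][$t]);
        }
    }
}
function formTokenIssue(string $formId): string
{
    formTokenPrune();
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $_SESSION['form_tokens'][$token] = ['form' => $formId, 'exp' => time() + FORM_TOKEN_TTL];
    return $token;
}
// True exactly once per issued token: it is deleted on first use, so a replayed
// or double-clicked POST carrying the same token is rejected.
function formTokenConsume(string $formId, ?string $token): bool
{
    formTokenPrune();
    if ($token === null || !isset($_SESSION['form_tokens'][$token])) {
        return false;
    }
    $entry = $_SESSION['form_tokens'][$token];
    unset($_SESSION['form_tokens'][$token]); // single use, whatever the outcome
    return hash_equals($entry['form'], $formId);
}
// Usage in a hypothetical limited_event.php (name taken from the question).
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!formTokenConsume('reservation', $_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or already used.');
    }
    // ... create the temporary reservation here ...
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303); // Post/Redirect/Get
    exit;
}
$token = formTokenIssue('reservation');
?>
<form method="post">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="submit" name="createNewReservationAutomatically" value="Reserve">
</form>
```

Because the token is bound to the session, a cross-site request cannot supply a valid one, and because it is consumed on first use, a second click on the same rendered form fails closed rather than creating a second reservation.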