I found some answers like this good one (it uses two files, one for forms and the other for handling), and there are some other answers using external resources (such as databases or simple files).

What I'm looking for is preventing multiple submissions of the same form, especially when the form and the php code are in the same file and without using external files.

This is what I have tried:

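```php
<?php //fone.php
if (session_status() == PHP_SESSION_NONE) {
    session_start();
}

// Keep the token that was issued with the previously rendered form,
// then issue a fresh one for the form rendered below.
if (isset($_SESSION['token'])) {
    $_SESSION['prv_token'] = $_SESSION['token'];
}

$_SESSION['token'] = md5(uniqid());
?>

<html>
    <head><meta charset="utf-8"><title>TEST</title></head>
    <body>
        <?php
            // Accept the POST only if it carries the token issued on the previous page load.
            // isset()/is_string() avoid notices on a missing token; hash_equals() avoids
            // the loose "==" comparison of two hex strings.
            if ($_SERVER['REQUEST_METHOD'] == 'POST'
                && isset($_POST['token'], $_SESSION['prv_token'])
                && is_string($_POST['token'])
                && hash_equals($_SESSION['prv_token'], $_POST['token'])) {
                echo "<p>Form Submitted</p>";
            }
        ?>
        <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'])?>">
            <input type="hidden" name="token" value="<?php echo $_SESSION['token'];?>">
            Name : <input type="text" name="name"><br>
            Age  : <input type="text" name="age"><br>
            <input type="submit" name="submit">
        </form>
    </body>
</html>
```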

This solution works for me, but the code breaks if I use $_SESSION['token'] in other files.

Az.Youness
  • So..... what is your question? – Glubus Feb 15 '16 at 12:15
  • @Glubus Prevent multiple submissions of the same form, in the case where the form and the PHP code are in the same file ... and without using external files – Az.Youness Feb 15 '16 at 12:17
  • Like you state in your question, you've already achieved this. Are you asking for alternatives to your own solution? This is really not the place for that. – Glubus Feb 15 '16 at 12:24
  • Like I said in the last sentence of the question, there's a problem with my code. Is there a solution for it? Or are there better alternative solutions?! – Az.Youness Feb 15 '16 at 12:31
  • I give each form a unique id in a hidden field. After it has been successfully processed I add it to a list in the session that has a key of the form id. It is easy to check if I have already processed it. – Ryan Vincent Feb 15 '16 at 14:21
  • @RyanVincent, good idea, but I have more than about 15 pages and every page contains at least one form; giving every form a unique ID by myself seems to be not very elegant! – Az.Youness Feb 15 '16 at 14:56
  • Ah, you are quite correct, it isn't fun to do manually. I have a class that generates it automatically. It includes a timestamp and other stuff and it goes in a hidden called 'formstate'. Every form has this field and it is checked as part of the standard form processing when it comes back in. It is part of form security really (CSRF etc.). It is a serialized PHP array that is compressed. – Ryan Vincent Feb 15 '16 at 16:02
  • Remember I don't record all the unique id's. Just the ones I have processed. I use it on things like `contact` and `data change` forms. A 'search form' or `login form` isn't really a `form` as they don't change data. They change `state`. – Ryan Vincent Feb 15 '16 at 17:35
  • @RyanVincent thnx bro, now things are clearer – Az.Youness Feb 15 '16 at 17:49

1 Answer

If you are using a session, it will be common to all the browser pages. So you need to use different names for sessions.

E.g.: `$_SESSION['your_page_name_token']`
Ruby Nanthagopal
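
One way to combine the per-form session key from the answer above with a token that is burned on first use, as an added example that is not code from the question or the answer. The function names, the `form_tokens` session key and the form ids are assumptions, and it needs PHP 7 or later for `random_bytes()`.

```php
<?php
// Added example (not from the original post). Function names, the
// 'form_tokens' key and the form ids are assumptions for illustration.

// Issue a fresh single-use token for one named form and store it under
// that form's own key, so forms in other files cannot overwrite it.
function issue_form_token(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(16)); // CSPRNG instead of md5(uniqid())
    $session['form_tokens'][$formId] = $token;
    return $token;
}

// Succeeds at most once per issued token: the stored value is removed on
// first use, so a replayed POST (refresh, double click) fails the check.
function consume_form_token(array &$session, string $formId, $submitted): bool
{
    $expected = $session['form_tokens'][$formId] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false; // nothing issued for this form, or token missing / not a string
    }
    if (!hash_equals($expected, $submitted)) {
        return false; // token belongs to another form or is stale
    }
    unset($session['form_tokens'][$formId]); // burn the token
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
$contact = issue_form_token($session, 'fone.php:contact');
$profile = issue_form_token($session, 'ftwo.php:profile'); // second form, hypothetical file

// First POST of the contact form.
var_dump(consume_form_token($session, 'fone.php:contact', $contact));
// The same POST replayed.
var_dump(consume_form_token($session, 'fone.php:contact', $contact));
// The other form's token was not disturbed by the first form.
var_dump(consume_form_token($session, 'ftwo.php:profile', $profile));
// A token issued for one form is not accepted for another.
var_dump(consume_form_token($session, 'ftwo.php:profile', $contact));
```

In a page, pass `$_SESSION` instead of the demo array, call `consume_form_token()` when handling the POST and `issue_form_token()` only when rendering the form.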