So I have a page with a submit function. When you click submit you get to a site named send.php. I don't want people to be able to refresh the site and that way send the same answer twice or more for spam. I figured that one way of doing this would be to make sure that they come from the submit site, if that is possible. Another way would be to redirect them if they tried to refresh. Is there any way to do this? Or another way to fix my problem, for that matter?
-
Have a look [here](http://stackoverflow.com/questions/5690541/best-way-to-avoid-the-submit-due-to-a-refresh-of-the-page) it seems to be exactly what you're looking for. – Andrei Jun 08 '16 at 12:52
-
You could set a cookie on their computer for once they submit. Checking the referrer won't work because the user could just go back and submit it again. – chris85 Jun 08 '16 at 12:53
-
Read this http://php.net/manual/en/reserved.variables.server.php. You can have the posted data saved in the session and check if the same data has been posted within a few seconds; then it's a duplicate. – Abdul Rehman Jun 08 '16 at 12:55
-
Just set a session variable when you show the form and check for that before you process it (by sending it as a hidden input). And when you do process it, delete the variable, making it valid for only 1 submission. – jeroen Jun 08 '16 at 12:56
-
@Andrew I had thought of doing that as well, but since I have not used that much, I thought that it perhaps wouldn't be such an instant redirect. Thank you. – Daniel Alsaker Jun 08 '16 at 13:06
2 Answers
Have a look at the HTTP_REFERER variable. It will tell you what site the user was on before he came to your site.
It will give you info like:
```
192.168.1.10 - - [16/Apr/2008:16:12:36 +1200] "GET /php-http-referer-variable/ HTTP/1.1" 200 2014 "http://www.websitefromexample.com/" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.8 (like Gecko)"
```

-
You can also check the superglobal `$_SERVER['HTTP_REFERER']` if it is set, it will contain the string of the domain – Dale Jun 08 '16 at 12:56
$_SERVER['HTTP_REFERER'] is supposed to contain the referring page. But:
- it may be omitted by the client for privacy reasons
- it may be modified by the client (its contents come from the client's request after all, by protocol design)
- as mentioned in the PHP documentation: in short, it cannot really be trusted.
Doing a redirect after successfully receiving a submission should work, as it forwards the user away from your submission processing code (provided you redirect somewhere else).
But someone with a black hat might still record the request to the server when doing the original, legit submit, and reuse it. So the redirect method should be enough to keep you "safe" from ordinary users, but not from a person who wants to spam your site. I.e. it's like a booth where your site sits and accepts submissions, and then politely tells the person who handed in the submission to "move over there". No locks or anything. The person may even ignore the request to move on.
If you:
- add some hidden field to your form with some sufficiently-hard-to-guess value (varying, not some constant phrase!)
- store it somewhere in the session data, a database or whatever suits you
- rewrite your code to only accept a submission if the value of the hidden field matches your stored value
Then you've put a hatch on your booth, which only opens for those who know the secret code given to them. You've limited the ways a user can access your submission processing. The secret value should be discarded after use, as otherwise it can be reused and loses its purpose.
The user can still alternate between the form page and the submission/form target page to receive new secret values and be allowed to do a new submission each time though. If you want to limit the number of submissions that a user is allowed to make then you should keep track of the number of times a user has requested the form page lately.
And of course, look for forbidden words etc. in your processing code if you need to.

-
Thank you for your response. However, this should not be a problem. I have made it so nothing is sent if any of the input fields are empty, as they would be if someone goes directly to the sent page. – Daniel Alsaker Jun 09 '16 at 09:46
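The one-time hidden-field token from the second answer, written out as an added example (this is not code from the original question or answers). It assumes two hypothetical pages, form.php (renders the form) and send.php (processes it), that both call session_start(); the session key name `form_token` and the one-hour token lifetime are assumptions. The session store is passed in as an array so the same functions work against `$_SESSION` in a request and against a plain array when you run the file from the command line with `php token.php`.

```php
<?php
// Added example: a single-use form token ("the hatch on the booth").
// Assumed layout: form.php renders the form, send.php processes it,
// both call session_start() first. Session key and max age are assumptions.
declare(strict_types=1);

const TOKEN_KEY     = 'form_token'; // session key (assumption)
const TOKEN_MAX_AGE = 3600;         // seconds a token stays valid (assumption)

/**
 * Issue a fresh, unguessable token and store it in the session store.
 * $session is passed by reference so the same code can be exercised
 * against $_SESSION in a web request or a plain array on the CLI.
 */
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    $session[TOKEN_KEY] = ['value' => $token, 'issued' => time()];
    return $token;
}

/**
 * Validate a submitted token and discard it, so a second POST carrying the
 * same value (refresh, replayed request) is rejected. The stored token is
 * removed before comparing, so a failed attempt also burns it.
 */
function consume_form_token(array &$session, ?string $submitted): bool
{
    $stored = $session[TOKEN_KEY] ?? null;
    unset($session[TOKEN_KEY]);                      // single use, whatever happens next
    if ($stored === null || $submitted === null || $submitted === '') {
        return false;
    }
    if (time() - $stored['issued'] > TOKEN_MAX_AGE) {
        return false;                                // stale token
    }
    // constant-time comparison so timing does not leak the token byte by byte
    return hash_equals($stored['value'], $submitted);
}

// ---- form.php: put the token into the form as a hidden field --------------
function render_form(array &$session): string
{
    $token = htmlspecialchars(issue_form_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="send.php">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . '<textarea name="answer"></textarea>'
         . '<button type="submit">Submit</button></form>';
}

// ---- send.php: accept once, then redirect (Post/Redirect/Get) --------------
// Returns the HTTP status the caller should send; 303 means "accepted, redirect".
function handle_submission(array &$session, array $post): int
{
    if (!consume_form_token($session, $post['form_token'] ?? null)) {
        return 403;                                  // replayed, forged or missing token
    }
    $answer = trim((string)($post['answer'] ?? ''));
    if ($answer === '') {
        return 400;                                  // empty submission
    }
    // ... store $answer here ...
    return 303;
}

// In the real pages (assumed names):
//   session_start();
//   echo render_form($_SESSION);                                   // form.php
//   $code = handle_submission($_SESSION, $_POST);                  // send.php
//   if ($code === 303) { header('Location: thanks.php', true, 303); exit; }
//   http_response_code($code);

// ---- CLI self-check against a plain array instead of $_SESSION ------------
if (PHP_SAPI === 'cli') {
    $session = [];
    $html = render_form($session);
    preg_match('/name="form_token" value="([0-9a-f]{64})"/', $html, $m);
    $post = ['form_token' => $m[1], 'answer' => 'hello'];
    $first  = handle_submission($session, $post);     // legitimate submit
    $second = handle_submission($session, $post);     // same request again (a refresh)
    issue_form_token($session);                       // fresh token issued, but the client guesses
    $forged = handle_submission($session, ['form_token' => str_repeat('0', 64), 'answer' => 'x']);
    echo "first=$first second=$second forged=$forged\n";
}
```

The 303 redirect after a successful POST keeps an ordinary refresh from re-sending the form, and the consumed token is what stops a recorded request from being replayed; the empty-field check from the comment above is still worth keeping, but on its own it does nothing against a replay, since the replayed request carries the original filled-in fields. As the answer notes, a determined user can still reload form.php for a new token each time, so a per-session or per-IP rate limit on how often the form is issued is the next layer, not something the token provides.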