<form action="test.php" method="POST">
HTML CODE
<button type="submit" name="test" value="1">Buy</button>
</form>

 ---> test.php

if(isset($_POST['test'])) {

PHP CODE

}

I've included test.php above that html form, but when I click on submit over and over again before the page runs the php code and loads the whole page again, it runs the php code as many times as I clicked.

How do I make sure that one cannot abuse 'submit' button over and over to run the php code again and again? I only want the first click to be considered.

Can someone help please.

i0N77
  • `onclick="$(this).attr('disabled', true);"` - just use javascript to disable the button when it's clicked. Sure, it can be re-enabled pretty easily with inspect element, but by the time they could do that, the page will have already been submitted. If you are worried about them re-enabling the button, you could simply just do `onclick="$(this).remove();"` to completely remove the button from the DOM on click – GrumpyCrouton Sep 24 '18 at 19:31
  • You are looking for the concept of "session". That allows you to control the "flow" a user takes inside an application as opposed to only being able to react to a single, isolated interaction with the user interface. Having a session context allows you to decide whether you want to grant the _requested_ action of the user or not. – arkascha Sep 24 '18 at 19:33
  • Where exactly should I place that javascript code? and would I have to replace "this"(in your code) with my submit value ="test" ? @GrumpyCrouton – i0N77 Sep 24 '18 at 19:40

1 Answer


A good way would be to include some kind of captcha. I personally prefer Recaptcha from Google (https://www.google.com/recaptcha/intro/v3beta.html).

It does not show up at all and you can verify it for any incoming request.

To get it started embed the following JS in your html:

<script src='https://www.google.com/recaptcha/api.js'></script>

and then replace your submit button:

<button
  class="g-recaptcha"
  data-sitekey="YOUR_PUBLIC_SITE_KEY"
  data-callback="YourOnSubmitFn">
Buy
</button>

Last thing remaining is to check from php if the code was right :)

POST 'https://www.google.com/recaptcha/api/siteverify' with secret, response and remoteip -> then allow the user to the function, else just abort

wodka
  • I got the sitekey and replaced it, but it doesn't run the php code anymore. I've added name="test" above class="g-recaptcha... So why isn't it working? – i0N77 Sep 24 '18 at 19:57
  • You will actually get the verification response in the callback function - after that you would have to verify it with the API call to siteverify – wodka Oct 01 '18 at 15:48
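
The session approach suggested in the comments on the question, as an added example (not code from the question or the answer): test.php issues a single-use token with the form and runs the action only for the first request that presents it. The hidden field name `token`, the session key `buy_token` and the two helper functions are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. The hidden field name "token" and
// the session key "buy_token" are assumptions chosen for illustration.
declare(strict_types=1);

/** Store a fresh random token in the session and return it for the form. */
function issue_form_token(array &$session): string
{
    $session['buy_token'] = bin2hex(random_bytes(32));
    return $session['buy_token'];
}

/** True only for the first request that presents the current token. */
function consume_form_token(array &$session, $submitted): bool
{
    $expected = $session['buy_token'] ?? null;
    unset($session['buy_token']);            // burn it before doing any work
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// The default "files" session handler holds a lock on the session from
// session_start() until the request ends, so rapid clicks are processed one
// after another. A handler without locking needs its own atomic check.
session_start();

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['test'])) {
    if (consume_form_token($_SESSION, $_POST['token'] ?? null)) {
        // PHP CODE from the question goes here; it runs once per token.
        $message = 'Order placed.';
    } else {
        http_response_code(409);             // repeated or stale submission
        $message = 'This form was already submitted.';
    }
}

$token = issue_form_token($_SESSION);        // new token for the next render
?>
<form action="test.php" method="POST">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token) ?>">
  <button type="submit" name="test" value="1">Buy</button>
</form>
<p><?= htmlspecialchars($message) ?></p>
```

Because the check runs on the server, it still holds when the button is re-enabled in the browser or the same request is sent again without the page.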