Smart way to generate a FORM key with PHP

Question

I have a form, in whmcs that I want user to only be able to submit once, so they cant submit it and refresh to resubmit... I was thinking about unsetting $_POST or redirecting, but neither would work in this situation, how would I generate a key and make it so its only usable once? Can't use mysql.

possible duplicate of [How to Prevent Users from Submitting a Form Twice](http://stackoverflow.com/questions/16814157/how-to-prevent-users-from-submitting-a-form-twice) — Gajus, Apr 13 '14 at 17:31

score 3 · Accepted Answer · answered Nov 07 '11 at 14:31

3

Why not store a random key in the session? That's how most CRSF token systems work: When loading the form, generate the key and save it in the session and include it in the form. When submitting, compare the keys and delete the saved key.

If you just don't want the user to accidentally resubmit a successfully submitted form, the link from @zerkms' comment is what you want: http://en.wikipedia.org/wiki/Post/Redirect/Get

answered Nov 07 '11 at 14:31

ThiefMaster

310,957
84
592
636

yep, create a random key, put it in the session and the form and compare on receiving the POST. You Could do something in the Form with Javascript, but as this is on client side, you couldnt rely on that. – Flo Nov 07 '11 at 14:33

score 1 · Answer 2 · answered Nov 07 '11 at 14:33

1

The most common way to avoid double-posting is to do

header('location: /'.$your_url_here);

after you complete your actions. So you just redirect to the same page, but without $_POST.

answered Nov 07 '11 at 14:33

Roman

3,799
4
30
41

1

I would recommend to add `exit();` after the header – Tech4Wilco Nov 07 '11 at 14:34
nope cant do that as page requires a $_POST['id'] at all times. – Saulius Antanavicius Nov 07 '11 at 14:51

fred · Answer 3 · 2016-07-10T21:58:50.750

I realize this is an old question but I recently had the same problem. None of the Post/Redirect/Get solutions appear to work on WHMCS if you want to stay on the productdetails page (for example) even if you are switching to another smarty template file after POST. Probably because it needs $_POST[id'] and that goes away after a refresh. So the closest I could get was having it go back to the products list page which is not what I want and probably not what the original poster wants.

The solution I finally came up with was to add a $_SESSION[submitted] variable after the form was submitted. You will have to figure out the logic yourself depending on what you are doing.

My Logic goes something like:

if ($_SESSION['submitted'] == 1 && !isset($_POST['somecustomkey'])) { unset($_SESSION['submitted']); }

That is at the top and resets the "submitted" session key if your POST form data does not exist.

Then add a check before you write the info to your database or whatever.

if ($_SESSION['submitted'] != 1) { //Do some stuff with $_POST form data $_SESSION['submitted'] = 1; }

I think this fits in well with the intended purpose of $_SESSION and easy to implement.

score 0 · Answer 4 · answered Nov 07 '11 at 14:32

Set a session or cookie when the form has been submitted and check if it exists beforehand.

You could also store information in a database such as their IP and browser if you wanted a permanent check, but this has it's own problems so your never going to stop someone 100% of the time.

Smart way to generate a FORM key with PHP

4 Answers4