
In my comments system, I noticed a small security bug. In the few seconds that it takes a page to load, a user can click the "post" button more than once submitting several comments to the database instead of one. I managed to fix this with a simple Javascript input disable thingy, but then I remembered that people could easily edit this using Firebug or Inspect Element.

Is there some sort of PHP solution to this? I'm pretty new, so please don't go speaking technical words.

Thanks. :)

  • There already is a thread about this, here : http://stackoverflow.com/questions/4614052/how-to-prevent-multiple-form-submission-on-multiple-clicks-in-php – Raf Mar 21 '12 at 10:58
  • Already saw that topic, unfortunately none of the replies helped. –  Mar 21 '12 at 11:06

5 Answers

There isn't a way to just disable that button from the server side. The client is submitting multiple requests that get executed separately by the webserver that creates a new thread for every request. You need to check if the user already has submitted the comment - a way to do that is checking the database first for the last post in that thread / on that post, and if the user already posted you drop the request - or just render the destination page without performing the query.

Thom Wiggers

Well, you could use a session to store the last comment content and time. I suppose that's how WordPress does it.

So look for:

session_start()
$_SESSION
Artjom Kurapov

You could just log something alongside the comment to identify the user, e.g. the IP, and allow just one comment per, let's say, 5 minutes per IP, discarding any other comment submitted by that IP in the meantime.

Sirko
  • IP or user, depends on the system – safarov Mar 21 '12 at 10:53
  • @safarov It may be possible that the comment system is bound to registering an account in the first place. In that case you would have a UserId to reference the source of a comment. The IP is just a simple way of identifying a unique user; there are plenty more ways to fingerprint a specific user. – Sirko Mar 21 '12 at 10:56

You can hide the button on click and make another fake button visible.


The simplest solution is to store in a session all the data you need to determine that a comment is unique. A PHP session is active as long as a user stays on your website; another visitor will have another session. That means, to determine if your visitor clicked the button twice, you only need a) the message and b) on which post (I assume) s/he commented.

An example:

session_start();

// This is something you already have, sort-of
$message = $_POST['message']; // Message from user
$post    = $_GET['id'];       // Id of post to which he commented

if (isset($_SESSION['message'])
 && isset($_SESSION['id'])
 && $message === $_SESSION['message']
 && $post === $_SESSION['id'])
{
  // We found out the user has already posted this
  echo 'Error: you clicked twice!';
  exit;
}

// Process message here as you already do

// Store now this just posted message in a session
$_SESSION['message'] = $message;
$_SESSION['id']      = $post;

With this method you are sure there is no data persisted on the server twice. However, you still need to disable that button with JavaScript, since you cannot disable that button with PHP as long as your request is going on.

Jurian Sluiman
  • If the user is able to circumvent the disabled button, I think (s)he will also be able to remove the session ids from the request, rendering all user tracking based on sessions useless. – Sirko Mar 21 '12 at 11:03
  • Thanks very much! Worked perfectly. I'm amazed at the super-fast replies too. Looks like I'll be using this site a lot! –  Mar 21 '12 at 11:04
  • @Sirko, I already solved that issue with an anti-session-hijacking code I found online. –  Mar 21 '12 at 11:05
  • @TerryHarvey I'm not talking about hijacking a session, but submitting a comment without any session at all. Don't know if this is possible with your app, though. – Sirko Mar 21 '12 at 11:12
  • No, it is not. Thanks for the advice though. :) –  Mar 21 '12 at 11:37
  • @Sirko of course there are ways to circumvent this. Terry asked for a very simple method, this is ;) For a db driven comment system you could query the message+post to give the same result, but that is a bit more complicated. Same holds for hijacking, throttling etc: very useful, but not a direct solution of Terry's question. – Jurian Sluiman Mar 21 '12 at 11:57
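As an added example that is not part of any answer above, the following combines the session check from this answer with the database lookup Thom Wiggers and the last comment suggest, so a second submission is dropped even when the client sends no session cookie. It assumes PDO with an in-memory SQLite table and a hypothetical `storeComment()` helper; the user id, post id and message are constructed stand-ins for `$_POST` / `$_GET` values.

```php
<?php
// Added example (not from the answers): duplicate-comment check with two layers,
// a session-based shortcut and an authoritative database check.
session_start();

// Assumption: in-memory SQLite for the demo; a real site uses its own comments table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    post_id INTEGER NOT NULL,
    user_id INTEGER NOT NULL,
    body TEXT NOT NULL,
    created_at INTEGER NOT NULL)');

// Returns true when the comment was stored, false when it was dropped as a duplicate.
function storeComment(PDO $db, int $userId, int $postId, string $body, int $windowSeconds = 300): bool
{
    $now = time();

    // Layer 1: same message on the same post as the last submission in this session.
    if (isset($_SESSION['last_comment'])
        && $_SESSION['last_comment']['post_id'] === $postId
        && $_SESSION['last_comment']['body'] === $body) {
        return false;
    }

    // Layer 2: has this user already stored the same text on this post within the window?
    // This holds whether or not the request carried a session cookie.
    $stmt = $db->prepare('SELECT COUNT(*) FROM comments
        WHERE post_id = :post AND user_id = :user AND body = :body AND created_at > :since');
    $stmt->execute([
        ':post' => $postId, ':user' => $userId, ':body' => $body, ':since' => $now - $windowSeconds,
    ]);
    if ((int) $stmt->fetchColumn() > 0) {
        return false;
    }

    $ins = $db->prepare('INSERT INTO comments (post_id, user_id, body, created_at) VALUES (?, ?, ?, ?)');
    $ins->execute([$postId, $userId, $body, $now]);

    $_SESSION['last_comment'] = ['post_id' => $postId, 'body' => $body];
    return true;
}

// Constructed input: user 7 comments on post 42, then the same request arrives again (double click).
var_dump(storeComment($db, 7, 42, 'Nice article!'));
var_dump(storeComment($db, 7, 42, 'Nice article!'));
```

Two truly simultaneous requests can still both pass the SELECT before either INSERT lands; a UNIQUE index on (post_id, user_id, body) makes the database reject the second one instead.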