
Multipurpose PHP Page - Prevention of Data Abuse


ruffy (Programmer, US), Oct 1, 2003:
My multipurpose PHP page shows all feedback letters to the website - by default.
At the bottom of this page an <a> element lets the user recall this page – only now the page only displays the form for user feedback.

Simple "If" logic accomplishes this (Either display all letters, or display just the input form).

The problem is: The user may retrieve and re-submit his data repeatedly - simply by hitting the browser's "back" button and resubmitting the form.

To prevent this potential data abuse, I need to erase the form's original input, right after the database update.

I think for this I need access to the DOM. But JavaScript's onload event handler won't cut it, because the first time the page loads the IF logic prevents the FORM structure in the DOM from being invoked.

Here's my code’s skeletal structure within the page's body element. Someone suggested “cookies” but without more specifics, I’m still lost.

<?php
// Escape PHP_SELF before echoing it into markup: it can carry attacker-supplied
// path info, so the raw value is a reflected-XSS hole.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

if (isset($_GET['userInput'])) {
?>
<form action="<?php echo $self; ?>" method="post">
<label>Type your input here:<textarea name="ltrtext" rows="10" cols="40"></textarea></label>
<input type="submit" value="Submit" />
</form>

<?php
} else {// -- Default Page Display --
// I connect to database
// Insert feedback (if any) into the database
// I display all feedback letters
// And here, at the end of the list, I let the user trigger display of the feedback form
// ($_SERVER keys are case-sensitive: 'php_self' is undefined, it must be 'PHP_SELF')
echo '<p><a href="' . $self . '?userInput=1">Add Your Input!</a></p>';
}
?>


 
To prevent this potential data abuse, I need to erase the form's original input, right after the database update.

Don't do this. Include a hidden field in your form that has a unique id in it. Store the unique id in a session variable and, on submission, compare the values. If they compare, allow the db write and then delete the session var. If they don't compare, don't allow the db write.

Each time the page is displayed, generate a new unique id and store it in the form.

It's only a few lines of code and is done at the server side, so it is more secure than JS.
 
When you say, "on submission, compare the values," you're telling me to set up an event handler inside the <input> tag, are you not?

If that's so, it takes me away from externalizing my JavaScript code into external .js files (which I learned is the most efficient way to write code, keeping the JavaScript outside of the markup).

But probably I'm off the right path, because the thought of setting up the event handler outside the markup is much more than, as you say, "only a few lines of code."

Can you help me out again?
 
I do not think that jpadie's solution is JS-based.
It is only based on the session.
Every time the form is resubmitted, the session generates a new ID,
so by doing something like if (id_1 == id_2) etc.
you can weed out multiple submits.
 
Exactly (to webdev007).

Off the top of my head, something like this might work.

Code:
<?php
session_start();

function displayForm() {
  // Escape PHP_SELF so attacker-controlled path info cannot break out of the attribute.
  $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
  // The hidden uid field carries the token issued for this page view.
  echo <<<EOL
<form method="post" action="{$action}">
<input type="hidden" name="uid" value="{$_SESSION['uid']}"/>
Type your name: <input type="text" name="name" /> <br/>
<input type="submit" value="submit" name="submit"/>
</form>
EOL;
}

function setUID() {
  // Issue a new token; the previous one can never be accepted again.
  $_SESSION['uid'] = uniqid("uid_", true);
}

function testUID() {
  // True only if the posted token matches the one currently held in the session.
  if (empty($_SESSION['uid'])) { return false; }
  if (empty($_POST['uid'])) { return false; }
  return ($_SESSION['uid'] === $_POST['uid']);
}

function processForm() {
  // The database write goes here; a resubmitted form never reaches this point.
  echo "Thanks, " . htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8') . "<br/>";
}

if (isset($_POST['submit'])) {
  if (testUID() === true) {
    setUID();       // rotate the token before doing the work
    processForm();
  } else {
    echo "you have already submitted this form. Don't be naughty<br/>";
    setUID();       // give the redisplayed form a usable token
    displayForm();
  }
} else {
  setUID();
  displayForm();
}
?>
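The approach jpadie describes (a one-time id kept in the session and checked on the server) and sketches above, carried through as a complete page that also handles the original poster's case of the browser "back" button re-posting the form. This is an added example, not any poster's code. It assumes PHP 7+ (random_bytes, hash_equals), a PDO SQLite driver, and a feedback table in a file next to the script; the table name, file name and field names are assumptions. It uses $_SERVER['SCRIPT_NAME'] rather than PHP_SELF for the form action and redirect, and finishes a successful POST with a 303 redirect so the page the browser records in its history is a GET.

```php
<?php
// Added example: single-use form token in the session + Post/Redirect/Get.
// Not the original poster's code. Table, file name and field names are assumptions.
declare(strict_types=1);

session_start();

const FEEDBACK_DB = __DIR__ . '/feedback.sqlite';   // assumed location of the database file

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . FEEDBACK_DB, null, null, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        $pdo->exec('CREATE TABLE IF NOT EXISTS feedback (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            ltrtext TEXT NOT NULL,
            created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)');
    }
    return $pdo;
}

// Issue a fresh, unpredictable token and remember it in the session.
function issueToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Consume the token: it is valid exactly once, and only if it matches the session copy.
// The session copy is dropped whether or not the comparison succeeds.
function consumeToken(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// SCRIPT_NAME never includes user-supplied path info, unlike PHP_SELF.
$self = esc($_SERVER['SCRIPT_NAME']);
$error = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeToken($_POST['form_token'] ?? null)) {
        // Stale or missing token: the same form was already submitted, or the session expired.
        $error = 'This form was already submitted or the session expired; nothing was saved.';
    } else {
        $text = trim((string)($_POST['ltrtext'] ?? ''));
        if ($text === '') {
            $error = 'Please type something before submitting.';
        } else {
            $stmt = db()->prepare('INSERT INTO feedback (ltrtext) VALUES (:t)');
            $stmt->execute([':t' => $text]);
            // Post/Redirect/Get: the history entry is now a GET, so "back" and "reload"
            // no longer offer to resend the POST body.
            header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
            exit;
        }
    }
}

if (isset($_GET['userInput']) || $error !== null) {
    $token = issueToken();           // every rendering of the form gets a new token
    if ($error !== null) {
        echo '<p>' . esc($error) . '</p>';
    }
    echo '<form action="' . $self . '" method="post">';
    echo '<input type="hidden" name="form_token" value="' . esc($token) . '">';
    echo '<label>Type your input here: <textarea name="ltrtext" rows="10" cols="40"></textarea></label>';
    echo '<input type="submit" value="Submit">';
    echo '</form>';
} else {
    foreach (db()->query('SELECT ltrtext, created_at FROM feedback ORDER BY id') as $row) {
        echo '<p>' . esc($row['created_at']) . ': ' . nl2br(esc($row['ltrtext'])) . '</p>';
    }
    echo '<p><a href="' . $self . '?userInput=1">Add Your Input!</a></p>';
}
```

Two points worth keeping in mind when adapting this. The token is generated with random_bytes rather than uniqid: uniqid is a timestamp, not a secret, so a token built from it is guessable, and since the same hidden field also serves as a CSRF token it should be unpredictable. The redirect and the token address different things: the 303 stops the browser from re-posting on "back"/"reload" at all, while the server-side token check is what guarantees a duplicate POST is rejected even if the browser does resend it.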