Php – Preventing duplicate form submissions

formsPHPsubmit

I came up with a technique to prevent duplicate form submission by going back/forward or refreshing the page. And I thought about duscussing it here, I already tested a sample not in production environment, what is flaws that you can identify?

Please note that I am well aware of using Form Tokens, which will defend you against CSRF attacks, and wasn't added in the steps below.

-Generate Form ID for each form, and use it as hidden field in the form:

$formid = microtime(true)*10000;

–On form submit:

Validate from data

Calculate the hash of form fields data

$allvals = '';
foreach($_POST as $k=>$v){
    $allvals .= $v;
}
$formHash = sha1($allvals);

Validate form hash by comparing with previously saved hashes. the session value is binded to each form by $formid variable.

$allowAction = true;
if(isset($_SESSION['formHash'][$_POST['formid']]) && ($_SESSION['formHash'][$_POST['formid']] == $formHash)){
     $allowAction = false;
}

if form hash wasn't found, it means this is the first time form submitted or the form data is changed.
If data saved ( to database, for example), save form hash to session:
```
$_SESSION['formHash'][$_POST['formid']] = $formHash;
```

Full version of the code:
http://thebusy.me/2011/01/06/preventing-duplicate-form-submissions/

Best Answer

A simpler way to achieve what you want is to use redirect on submit. After you process a POST request you redirect, possibly even to the same page. This is a common pattern called "Redirect after POST" or POST/Redirect/GET.

For example:

<?php
if($_POST) {
    // do something

    // now redirect
    header("Location: " . $_SERVER["REQUEST_URI"]);
    exit;
}
?>

<html> ...
<form method="post" action=""> ... </form>

By setting the action to "" then it will submit to itself, at which point the if($_POST) code block will validate to true and process the form, then redirect back to itself.

Of course you probably want to redirect to a different page that shows a "your form has been submitted" response or put the form on a different page and have the HTML of this page be the response.

The benefit of this method is that when you hit the back button it does a GET request so the form is not re-submitted.

On Firefox, it will actually take the submission to itself out of the browser history so when users browse across the web and then hit back, instead of seeing the "thank you" page they see the form page.

Dynamically create `<input>`s in a form and submit it

/**
 * sends a request to the specified url from a form. this will change the window location.
 * @param {string} path the path to send the post request to
 * @param {object} params the parameters to add to the url
 * @param {string} [method=post] the method to use on the form
 */

function post(path, params, method='post') {

  // The rest of this code assumes you are not using a library.
  // It can be made less verbose if you use one.
  const form = document.createElement('form');
  form.method = method;
  form.action = path;

  for (const key in params) {
    if (params.hasOwnProperty(key)) {
      const hiddenField = document.createElement('input');
      hiddenField.type = 'hidden';
      hiddenField.name = key;
      hiddenField.value = params[key];

      form.appendChild(hiddenField);
    }
  }

  document.body.appendChild(form);
  form.submit();
}

Example:

post('/contact/', {name: 'Johnny Bravo'});

EDIT: Since this has gotten upvoted so much, I'm guessing people will be copy-pasting this a lot. So I added the hasOwnProperty check to fix any inadvertent bugs.

Best Answer

Related Solutions

Html – How to disable browser autocomplete on web form field / input tags

JavaScript post request like a form submit

Dynamically create <input>s in a form and submit it

Related Topic

Dynamically create `<input>`s in a form and submit it