[php prevents repeated submission of forms]

reproduced. https://blog.csdn.net/yanhui_wei/article/details/50772380

When we submit the form, a limitation that cannot be ignored is to prevent the user from submitting the form repeatedly, because it is possible that the user continuously clicks the submit button or the attacker maliciously submits the data, then our processing after submitting the data, such as modifying or adding data to the database will get into trouble.

So how to avoid the phenomenon of repeated form submission? We can start in many ways, starting with the front-end constraints. Front-end JavaScript is disabled after the button is clicked once, that is, disabled. This method simply prevents multiple clicks of the submit button, but the disadvantage is that it will fail if the user disables the JavaScript script. Second, we can do redirect page redirection after submission, that is, jump to a new page after submission, mainly to avoid repeated submission of F5, but there are also shortcomings. The third is that the database does a unique index constraint. Fourth, is to do session token verification.

Let's now look at a simple way to use session tokens to prevent repeated form submissions.

We add an input hidden field to the form, that is, type="hidden", and its value is used to save the token value. When the page is refreshed, the token value will change. After submitting, it is judged whether the token value is correct. If it does not match the background, it is considered to be a duplicate submission.

[php]  view plain copy  

1. <?php   
2.   
3. /*  
4. * PHP simply uses token to prevent repeated form submission  
5. */   
6. session_start();   
7. header("Content-Type: text/html;charset=utf-8");   
8. function set_token() {   
9.     $_SESSION['token'] = md5(microtime(true));   
10. }   
11.    
12. function valid_token() {   
13.     $return = $_REQUEST['token'] === $_SESSION['token'] ? true : false;   
14.     set_token();   
15.     return$return;    
16. }   
17.    
18. //If the token is empty, generate a token   
19. if(!isset($_SESSION['token']) || $_SESSION['token']=='') {   
20.     set_token();   
21. }   
22.    
23. if(isset($_POST['web'])){   
24.     if(!valid_token()){   
25.         echo "token error, please do not submit again!" ;    
26.     }else{   
27.         echo 'Successfully submitted, Value:' . $_POST [ 'web' ];    
28.     }   
29. }else{   
30. ?>   
31.     <form method="post" action="">     
32.         <input type="hidden" name="token" value="<?php echo $_SESSION['token']?>">     
33.         <input type="text"class="input" name="web" value="www.helloweba.com">      
34.         <input type="submit"class="btn" value="提交" />      
35.     </form>   
36. <?php       
37. }   
38. ?>   

The above is a simple example of preventing repeated submission of the form, just for reference. Then in the actual project development, more complex processing will be done on the form token, which is what we call token verification. The processing that may be done includes: verifying the source domain, that is, the origin, whether it is an external submission; matching the action to be performed, adding, modifying or deleting; the second most important thing is to construct a token, which can use a reversible encryption algorithm, as far as possible. May be complicated, because plaintext is still insecure. For the specific algorithm of token verification, you can refer to major PHP frameworks, such as ThinkPHP, which provides a good token verification function.