I have a form that is submitted to another page for processing .
Id like to prevent people from simply hitting refresh a bunch of times once the form has been submitted to prevent anyone fooling around trying to waste the PHP bandwidth on the server. So can I do something like
The best way IMO is just redirect the user away from the form once the php (or what have) is done processing the data and even disable the submit button (or take them away before the processing is done). Like already stated there are many ways to prevent users from doing this.
Add hidden input to the form, containing that token;
When form is submitted check if token from hidden input is the same as session’s one
Remove token from the session
if ( form is submitted ){
if (empty($_SESSION['csrf_token']) || $_POST['token'] != $_SESSION['csrf_token']){
// this form is bad, we shouldn't trust it
exit;
}
// all good, proccess form data as usual
unset($_SESSION['csrf_token']);
}
This will guarantee two things:
Your form cannot be submitted many times by refreshing a page (flood protection);
Nobody can submit your form from another site (CSRF protection)
I’ve noticed that a lot of people who use isset($_POST['submit']) all still use MySQL_*. So bad practice with deprecated functions = not a very secure website.