Only load page if

I have a form that is submitted to another page for processing.
I'd like to prevent people from simply hitting refresh a bunch of times once the form has been submitted, to stop anyone fooling around trying to waste the PHP bandwidth on the server. So can I do something like

    <?php
    // Referer header as sent by the browser (may be absent or forged)
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    if ($referer == 'www.xxx.com/page.php')
    {
    ?>
    <HTML>
    ....
    ....
    <?php
    }
    else
    {
        echo "Nice try, IDIOT";
    }
    ?>

What you are looking for is flood protection and there are a number of ways to go about it.

Scott

The best way IMO is just to redirect the user away from the form once the PHP (or whatever) is done processing the data, and even disable the submit button (or take them away before the processing is done). As already stated, there are many ways to prevent users from doing this.

You should not rely on HTTP_REFERER since it can be faked easily.
Instead, implement basic CSRF protection for your form.

Here is how:

  1. Generate some random token before showing the form to user;

  2. Save that token in the session;

    $csrf_token = md5(microtime() . rand(0, 9999));
    $_SESSION['csrf_token'] = $csrf_token;

  3. Add hidden input to the form, containing that token;

  4. When the form is submitted, check that the token from the hidden input is the same as the session's one;

  5. Remove token from the session

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {

        // reject if no token was issued, none was sent, or they don't match
        if (empty($_SESSION['csrf_token']) || !isset($_POST['token']) || $_POST['token'] !== $_SESSION['csrf_token']) {
            // this form is bad, we shouldn't trust it
            exit;
        }

        // all good, process form data as usual

        // token is single use: remove it so a refresh (re-POST) is rejected
        unset($_SESSION['csrf_token']);

    }

This will guarantee two things:

  1. Your form cannot be submitted many times by refreshing a page (flood protection);
  2. Nobody can submit your form from another site (CSRF protection).
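The five steps above put together in one self-contained page, as an added example rather than the poster's own code. It assumes PHP 7 or later (for random_bytes and hash_equals) and a working session handler; the hidden input is named "token" as in the answer, and the token is consumed before comparison so a refresh that re-POSTs the same values is rejected.

```php
<?php
// Added example (not from the original post): single-use CSRF token guard.
// Assumes PHP 7+ for random_bytes()/hash_equals() and a working session.
session_start();

function issue_csrf_token(): string {
    // 32 bytes from the CSPRNG, hex-encoded so it is safe to embed in HTML
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $token;
    return $token;
}

function consume_csrf_token($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // Single use: drop the token before comparing, so a browser refresh
    // that re-sends the same POST cannot pass a second time.
    unset($_SESSION['csrf_token']);
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison; avoids both timing leaks and loose == surprises
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_csrf_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired form token.');
    }
    // ... process $_POST here ...
    // Post/Redirect/Get: after this, a refresh issues a GET, not the POST
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

$token = issue_csrf_token();
?>
<form method="post" action="">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
```

Because the session token is cleared on the first POST, a forged request from another origin (which cannot read the session) and a repeated submit of a stale form both hit the 403 branch.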

Second this.

    if ($_POST) {
        // code
    }

This will stop the refresh exploit (all browser requests are GET); however, it won't help with cURL.

Say what? edit: http://www.w3schools.com/tags/ref_httpmethods.asp

Scott

Not clear, granted. What I mean is that, by default, if you view a URL (unless it was submitted from a form) it will be a GET request.

thank you!

Don't use isset($_POST['submit']). Read this article:

http://stackoverflow.com/questions/10943060/isset-postsubmit-vs-serverrequest-method-post#comment14373814_10943179

Then read this one:

http://stackoverflow.com/a/29255185

I've noticed that a lot of people who use isset($_POST['submit']) still use MySQL_*. So bad practice with deprecated functions = not a very secure website.
