My personal favourite is to logically separate actions and views, which is very easy to do and is virtually foolproof.

This way a user submits a form to a page that outputs nothing. This page does its work, then redirects to another page which only shows data. This is invisible to the user, and the browser doesn't remember anything about the action page. If the user clicks refresh, they will not be performing any actions, just refreshing the view. They would have to manually go back and resubmit the form to repost the data.

If you need to use data from your action on your screen, just use the session...

An (untested, and off the top of my head) example of this is below:

<?php

session_start();

if (isset($_REQUEST['action']))
{
        // do something
        $_SESSION['action_data'] = 'action_data';
        session_write_close();
        header("Location: {$_SERVER['SCRIPT_NAME']}?screen=foo");
        exit; // stop here so the action page never produces output
}
else if (isset($_REQUEST['screen']))
{
        // show the page
        print "Here's the results from my action:";
        print_r($_SESSION['action_data']);
}
else
{
        // default operation (welcome page, etc)
        header("Location: {$_SERVER['SCRIPT_NAME']}?screen=default");
        exit;
}

?>

HTH.
Pete


Curt Zirzow wrote, On 2003/Jul/30 8:58 AM:
* Thus wrote Diana Castillo ([EMAIL PROTECTED]):

anyone know how to catch if someone has reloaded a page?


The way I prevent reloads is with a combination of session
variables and an extra form field, here is how I go about it:

form_page.php:
<?php
session_start(); // needed before $_SESSION can be used

$formhash = md5(uniqid(rand() . time()));
$_SESSION['formhash'] = $formhash;

// Add this to your form:
?>
<input type="hidden" name="_formhash_" value="<?php echo $formhash ?>">


process_page.php:
<?php
session_start(); // needed before $_SESSION can be used

// grab the session var and test its existence
if (!empty($_SESSION['formhash'])) {
  $formhash = $_SESSION['formhash'];

  // clear out hash in session so if the user refreshes this
  // page and has a _formhash_ var it will be considered bad
  unset($_SESSION['formhash']);

  // test the form var against the session
  if (!isset($_REQUEST['_formhash_']) || $formhash != $_REQUEST['_formhash_']) {
    // user did not come from the form that generated page
    // so hash is invalid
  }
} else {
  // invalid data, has no hash
}
?>

This should be generic enough so it can be used on all form
processing pages without any modifications.

You do have to make sure that the form_page.php does not get cached
by the browser.

HTH,

Curt



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
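The two approaches in this thread, the action/view redirect and the single-use hidden-field hash, combined in one added example that is not code from either poster. It assumes PHP 7 or later, generates the token with random_bytes() instead of md5(uniqid(rand())) and compares it with hash_equals(); the function names, the did_work flag and the plain array standing in for $_SESSION are hypothetical.

```php
<?php
declare(strict_types=1);

// Issue a fresh single-use token and remember it in the session store.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16)); // CSPRNG-backed, 32 hex characters
    $session['formhash'] = $token;
    return $token;
}

// Return true only for the first submission that carries the issued token.
function consume_form_token(array &$session, array $request): bool
{
    $expected = $session['formhash'] ?? null;
    unset($session['formhash']); // burn the token before doing any work
    $given = $request['_formhash_'] ?? null;
    return is_string($expected) && is_string($given)
        && hash_equals($expected, $given); // constant-time comparison
}

// Action step: do the work at most once, stash the result for the view,
// and always answer with a redirect so a refresh only reloads the view.
function handle_submit(array &$session, array $post): array
{
    if (!consume_form_token($session, $post)) {
        return ['status' => 303, 'location' => '?screen=form', 'did_work' => false];
    }
    $session['action_data'] = 'saved: ' . ($post['comment'] ?? '');
    return ['status' => 303, 'location' => '?screen=result', 'did_work' => true];
}

// Constructed demo input: $session stands in for $_SESSION, $post for $_POST.
$session = [];
$post = ['_formhash_' => issue_form_token($session), 'comment' => 'hello'];

$first  = handle_submit($session, $post);              // genuine submission
$replay = handle_submit($session, $post);              // same POST sent again
$bare   = handle_submit($session, ['comment' => 'x']); // no token at all

var_dump($first['did_work'], $replay['did_work'], $bare['did_work']);
```

In a real page the returned status and location would be sent with header() followed by exit, and the form page would call issue_form_token($_SESSION) each time it renders.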


