Avoid race conditions in PHP for submitting: Please do not click the submit button more than once!

While online applications said: "Do not click the submit button more than once." This is no longer true, right? How do you protect against this in, say, PHP?

One solution I'm using involves moving a variable to a session, so you cannot send pages more than once every 10 seconds. Thus, the work with the database will be completed so that you can conduct a normal check. Obviously, this seems like a hack and probably is.

Edit: Thanks everyone for the Javascript solution. This is good, but it's a bit of work. 1) This is the input type = image and 2) The feed should continue to shoot until Spry stuff says this. This is editing - I just complain mostly, since I assume that by looking at the Spry stuff I can figure it out.

Edit: Not that anyone could integrate with Spry materials, but here is my last code, which used Prototype for document.getElementById. Comments are welcome!

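function onSubmitClick() {
    // Run every Spry validation widget registered for the form.
    var allValid = true;
    var queue = Spry.Widget.Form.onSubmitWidgetQueue;
    for (var i = 0; i < queue.length; i++) {
        if (!queue[i].validate()) {
            allValid = false;
            break;
        }
    }

    // Only when everything validates: disable the button, then submit.
    // $() is Prototype's lookup by element id.
    if (allValid) {
        $("theSubmitButton").disabled = true;
        $("form").submit();
    }
}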

For some reason, it was necessary to send a second form ...

+5
8 answers

You must perform protection both on the client side and on the server side.

- , . jquery, cletus.

- . , . , CSRF.

+23
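
One way to do the server-side half, as an added example that is not part of the original answers: a single-use token kept in the PHP session, issued when the form is rendered and spent on the first POST. The function names and the `form_tokens` session key are hypothetical, and a plain array stands in for `$_SESSION` so the block runs from the command line.

```php
<?php
// Added example: single-use form token (hypothetical helper names).

// Call when rendering the form; put the result in a hidden field.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));          // unguessable, unique per render
    $session['form_tokens'][$token] = time();    // remember when it was issued
    return $token;
}

// Call at the top of the POST handler, before touching the database.
// Returns true at most once for any issued token.
function consume_form_token(array &$session, $submitted, int $maxAge = 900): bool
{
    if (!is_string($submitted) || !isset($session['form_tokens'][$submitted])) {
        return false;                            // missing, unknown, or already spent
    }
    $issuedAt = $session['form_tokens'][$submitted];
    unset($session['form_tokens'][$submitted]);  // spend it before doing any work
    return (time() - $issuedAt) <= $maxAge;      // reject stale forms
}

// Constructed demo: $session stands in for $_SESSION.
$session = [];
$token = issue_form_token($session);
var_dump(consume_form_token($session, $token));   // first submission
var_dump(consume_form_token($session, $token));   // same token submitted again
var_dump(consume_form_token($session, 'bogus'));  // token that was never issued
```

With PHP's default file-based session handler, requests in the same session are serialized by the session file lock, so two near-simultaneous clicks cannot both pass the check. A session handler without locking needs its own atomic step, for example a unique constraint on the token in the database.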

, jQuery ( Javascript). :

$("form").submit(function() {
  $(":submit",this).attr("disabled", "disabled");
});

.

+8

, . , JS , (, POST, ) ..

- , POST , . .

+2

, PHP, , "" ( , "" , , " " ), script, , - . .

+2

, - PHP script , , . , , ( , ).

, ; , , . , , (, , ) .

- javascript "", , - , .

+2

Javascript. , , , javascript .

, , .

+1

javascript, ASP.NET AJAX, , .

onclick:

  • , onclick
  • closureId,
  • setTimeout (5000 = 5 )
  • closureId

HTML, test.html, :

<input id="btnTest" type="button" value="test" onclick="var closId = this.id; this.disabled = true; setTimeout(function() { document.getElementById(closId).disabled = false; }, 5000);">

, , submit - . , , , - . , .

. closureId "", , - , this.id , this -, DOM.

I could not find another way to get a link to the source event (this.this.id does not work), but lexical scoping somehow allows me to access the closId variable, as it was determined at the time of the initial button click.

Feel free to correct / comment if you know the best way!

+1

Usually I turn off the submit button after pressing it. Session description is good against direct attacks, but I don’t want to mix interface logic where it does not belong.

0
