Geek Answers Handbook

How can I prevent the database from writing again when the browser reboots / back?

I am building a small web application that writes to a database (Perl CGI and MySQL). The CGI script takes some information from the form and writes it to the database. However, I notice that if I click "Restart" or "Back" in a web browser, it will again write the data to the database. I do not want it.

What is the best way to protect against data overwriting in this case?

+5
database perl cgi idempotent
source share
7 answers

Do not use GET requests to make changes! Be RESTful ; use POST (or PUT), and the browser should warn the user not to restart the request. Redirecting ( using HTTP redirection ) to the receipt page using a regular GET request after a POST / PUT request will allow the page to refresh without receiving a warning about resending.

EDIT:

I assume that the user has somehow registered, and so you already have a way to track the user, for example. session or similar.

You can create a timestamp (or a random hash, etc.) by displaying a form that stores it as a hidden field (in addition to the anti-credential request marker, I'm sure you already have one), and into a session variable (which is safely stored on your server), when you receive a POST / PUT request for this form, you check that the timestamp is the same as in the session. If so, you set the timestamp in the session to something variable and hard to guess (a timestamp associated with some secret string, for example), then you can save the form data. If someone repeats the request now, you will not find the same value in the session variable and reject the request.

The problem with this is that the form is not valid if the user clicks back to change something, and can be a little tough unless you update the money. Therefore, if you have problems with "stupid" users who update and click the "back" button, thereby accidentally rearranging something, just using POST will remind them of this, and redirecting will make it less likely. If you have a problem with malicious users, you should use timestampt too much, although sometimes it will confuse users, if only if users intentionally publish the same message again and again, you will probably need to find a way to block them. Using POST, having a timestam, and even fully comparing the entire database to check for duplicate messages will not help at all if malicious users simply write a script to download the form and send random garbage automatically. (But securing a cross-site request makes this much more difficult)

+17
source share

Using a POST request will cause the browser to try to prevent the user from re-requesting again, but I would recommend using session-based transaction tracking so that the user ignores warnings from the browser and repeats his request, your application will prevent duplication of changes in the database. You can enable hidden input in the form of sending with the value set in the crypto hash, and record this hash if the request is sent and processed without errors.

+6
source share

Itโ€™s convenient for me to keep track of the number of submitted forms that the user completed in his session. Then, when rendering the form, I create a hidden field containing this number. If the user then resubmit the form by clicking the back button, it will send the old #, and the server can say that the user has already submitted the form, having studied what the form says in the session.

Only my 2 cents.

+4
source share

If you are not using any session management (which will allow you to record and track forms), a simple solution would be to include in the form (as a hidden element) a kind of unique identifier that is either part of the main transaction of the database or is tracked in a separate table DB Then, when you submit the form, you check the unique identifier to see if it has already been processed. And every time the form itself is created, you just need to make sure that you have a unique identifier.

+1
source share

First of all, you cannot trust the browser, so any talk about using POST rather than GET is basically nerd flim-flam. Yes, the client may receive a warning in the lines โ€œPerhaps you wanted to resend this data?โ€, But they may very well say โ€œYes, now leave me alone, stupid computerโ€.

And rightly so: if you do not want to duplicate views, then this is your problem to solve, not the user.

You probably have an idea of โ€‹โ€‹what it means to be duplicated. Perhaps this is the same IP address for a few seconds, maybe it is the same blog post name or the URL that was recently submitted. Maybe this is a combination of values โ€‹โ€‹- for example. The IP address, email address, and subject line header of the contact form. In any case, if you manually noticed some duplicates in your data, you should find a way to programmatically identify the duplicate at the time of sending and either mark it for manual approval (if you are not sure), or simply telling the applicant: "Have you double clicked?" (If the information is not surprisingly confidential, you can submit the record you have and say: "Is that what you wanted to send to us? If so, you already did it - hurray")

+1
source share

I did not rely on POST warnings from the browser. Users simply click OK to make the messages disappear.

At any time, you will have a request, which should be once, for example, "make a payment", send a unique token down, which will be sent back with the request. Throw away the token after it is returned, and now you can tell when something is a valid representation (something with a token that is not โ€œactiveโ€). Hysteria active tokens after X amount of time, for example. when the user session ends.

(keep track of the tokens that returned, and if you received them before then, this is not valid.)

+1
source share

Perform a POST every time you modify the data, but never return an HTML response from the message ... instead, return a redirect to GET, which retrieves the updated data as a confirmation page. Thus, there is no need to worry that they refresh the page. If they are updated, all that happens is another extraction that never changes the data.

0
source share

More articles:


All Articles