That will work fine.

The other suggestion half-remembered by a previous poster is to do a
header("Location: ") after you process the post, so that their "Back"
button doesn't take them through the POST again.

However, a user who is intentionally playing with the submit, forward,
and back buttons can quickly prove that this is prone to error.

header("Location: ") also comes with a great deal of subtle issues
such as session cookie problems and HTTP connection waste.

I personally prefer the unique token approach.

YMMV

On Thu, July 13, 2006 1:27 pm, Michael B Allen wrote:
> Let's say you have a "Buy" button that posts a form to a script that
> inserts or increments the quantity of a record in a shopping cart
> table. So you click "Buy" and then "Checkout". Now if you hit the Back
> button it asks the user if they would like to repost the form. If you
> click "Ok" the db script runs again and now they have two items in the
> cart. Not good.
>
> It seems to me this is a fundamental model view controller kind of
> problem. There's no separation between the view and the controller.
>
> What I'm thinking is that I need to give each form a unique token. When
> the form is submitted a new token is generated. So if at any time a form
> is reposted the token will be invalid and action regarding the form
> contents can be ignored.
>
> Specifically I'm thinking of something like:
>
> <?php
>     session_start();
>
>     // Generate a fresh token and remember it in the session.
>     function token_generate() {
>         return $_SESSION['state_token'] = rand(10000, 99999);
>     }
>
>     // The posted token must equal the one stored for this session.
>     function token_matches() {
>         return isset($_POST['t'], $_SESSION['state_token'])
>             && $_SESSION['state_token'] == $_POST['t'];
>     }
>
>     if (token_matches()) {
>         // insert or update cart contents
>     }
> ?>
>
> <h1>Shopping Cart</h1>
>
> <form action="cart.php" method="post">
> <?php
>     echo "<input name=\"t\" type=\"hidden\" value=\"" . token_generate() . "\"/>\n";
> ?>
> <!-- display cart contents -->
> </form>
>
> I don't get to do much web programming so I'm wondering what the PHP
> crowd thinks of this method. Can anyone improve on this? Is it fatally
> flawed? How would you solve this problem in general?
>
> Thanks,
> Mike
>
> --
> Michael B Allen
> PHP Extension for SSO w/ Windows Group Authorization
> http://www.ioplex.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
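A fuller version of the unique-token approach the reply prefers, written as an added example (it is not code from either poster): the form token is generated from the CSPRNG, consumed on first use so a replayed POST is rejected, and followed by the header("Location:") redirect the reply also mentions so that Back returns to a GET rather than offering to resend the form. It assumes PHP 7 or later (random_bytes, hash_equals) and a file named cart.php; the session key names, the cart_add helper and the sku/qty fields are made up for illustration.

```php
<?php
// Added example, not code from the thread. Assumes this file is cart.php.
session_start();

const TOKEN_KEY = 'cart_form_token';   // session key; name is an assumption

// Issue a new token. Each rendered form gets one that is valid exactly once.
function token_issue(): string {
    $token = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG
    $_SESSION[TOKEN_KEY] = $token;
    return $token;
}

// Consume the token: valid only if it matches the stored one, and it is
// removed on the first use so a replayed POST (Back + resubmit) is rejected.
function token_consume(?string $posted): bool {
    $stored = $_SESSION[TOKEN_KEY] ?? null;
    unset($_SESSION[TOKEN_KEY]);             // single use, even on mismatch
    if ($stored === null || $posted === null) {
        return false;
    }
    return hash_equals($stored, $posted);    // constant-time comparison
}

// Stand-in for the real "insert or update" of the cart table (assumed).
function cart_add(string $sku, int $qty): void {
    $_SESSION['cart'][$sku] = ($_SESSION['cart'][$sku] ?? 0) + $qty;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (token_consume($_POST['t'] ?? null)) {
        $sku = (string)($_POST['sku'] ?? '');
        $qty = max(1, (int)($_POST['qty'] ?? 1));
        if ($sku !== '') {
            cart_add($sku, $qty);
        }
        $_SESSION['flash'] = 'Item added.';
    } else {
        $_SESSION['flash'] = 'This form was already submitted; cart unchanged.';
    }
    // Post/Redirect/Get: the history entry becomes a GET of cart.php, so the
    // Back button does not ask the user to resend the POST.
    header('Location: cart.php', true, 303);
    exit;
}

$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']);
$token = token_issue();
?>
<!DOCTYPE html>
<h1>Shopping Cart</h1>
<?php if ($flash !== ''): ?>
<p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form action="cart.php" method="post">
  <input type="hidden" name="t" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="sku" value="widget-1">
  <input type="number" name="qty" value="1" min="1">
  <button type="submit">Buy</button>
</form>
<ul>
<?php foreach ($_SESSION['cart'] ?? [] as $sku => $qty): ?>
  <li><?= htmlspecialchars($sku, ENT_QUOTES, 'UTF-8') ?> x <?= (int)$qty ?></li>
<?php endforeach; ?>
</ul>
```

Two design points worth noting. Storing one token per session means a form rendered in a second tab invalidates the first tab's form; if that matters, keep a small set of outstanding tokens in the session instead of a single value. The token is removed before the comparison result is examined, so a guessed or stale value cannot be retried against the same stored token, and the redirect happens even on rejection, which keeps the browser history free of the POST in both cases.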
