----- Original Message ----
From: Eric Butera <[EMAIL PROTECTED]>
To: Lamp Lists <[EMAIL PROTECTED]>
Cc: tedd <[EMAIL PROTECTED]>; php-general@lists.php.net
Sent: Thursday, March 20, 2008 11:00:19 AM
Subject: Re: [PHP] Double click problem

On Thu, Mar 20, 2008 at 10:39 AM, Lamp Lists <[EMAIL PROTECTED]> wrote:
> the way I solved the "click back button" issue (simplified version):
>
>  confirmation page (conf.php) -> transfer page (tp.php) -> thank you page 
> (typ.php)
>
>  #conf.php
>  # after the form is submitted and confirmed
>  header('location: tp.php?url=typ.php');
>  exit;
>
>  #tp.php
>  header('location: ' . $_GET['url']);
>  exit;
>
>  and, if the visitor clicks the back button on the thank you page he will actually go to 
> the transfer page - which will send him back to the thank you page
>  ;)
>
>  -ll
>
>
>
>
>
>  ----- Original Message ----
>  From: tedd <[EMAIL PROTECTED]>
>  To: php-general@lists.php.net
>  Sent: Wednesday, March 19, 2008 11:43:06 AM
>  Subject: Re: [PHP] Double click problem
>
>  At 4:19 PM +0000 3/19/08, Richard Heyes wrote:
>  >tedd wrote:
>  >// ...
>  >
>  >Your first (and the quickest by far) method to employ would be to
>  >disable the submit button using Jabbascript when the form is
>  >submitted. That will stop the vast majority of occurrences. You
>  >could also employ an intermediary page which actually does the card
>  >processing and when complete redirects to the "thank you" page. ie.
>  >
>  >    Form --> "Please wait..." page --> "Thank you" page
>
>  That's in place. The person clicks the "confirm purchase" and they
>  are taken to a "confirm and thank you page".
>
>  The problem here is twofold -- 1) clicking the "confirm
>  purchase" button twice, which I think js will stop; 2) and clicking
>  the back-button which the token should stop.
>
>  Now, I just need to develop a test for this. Sometimes writing a test
>  is more of a problem than writing the solution.
>
>  Thanks for everyone's help.
>
>  Cheers,
>
>  tedd
>
>
>  --
>  -------
>  http://sperling.com  http://ancientstones.com  http://earthstones.com
>
>  --
>  PHP General Mailing List (http://www.php.net/)
>  To unsubscribe, visit: http://www.php.net/unsub.php
>
>
>
>      
> ____________________________________________________________________________________
>  Looking for last minute shopping deals?
>  Find them fast with Yahoo! Search.  
> http://tools.search.yahoo.com/newsearch/category.php?category=shopping

Allowing unscrubbed user data in a header is a really bad idea.

- http://en.wikipedia.org/wiki/HTTP_response_splitting
- http://www.owasp.org/index.php/Open_redirect


I agree with you that using it exactly this way is a bad idea.
But, as I said at the beginning of my post, it's a "simplified version", to get my 
point across. My code on tp.php actually uses several validations before forwarding to the 
thank you page :D

-ll
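Along the lines of the validated tp.php that Lamp Lists describes, here is an added example (not the poster's own code, nor anything from the list): a transfer page that resolves a short key against an allowlist instead of redirecting to whatever `url` says, so no user-supplied bytes reach the Location header. The `to` parameter, ALLOWED_TARGETS and the paths in it are assumptions.

```php
<?php
// Added example, not the poster's actual tp.php: a transfer page that only
// forwards to destinations it already knows, so the request parameter can
// neither inject header lines (response splitting) nor leave the site (open
// redirect). The `to` key, the allowlist and the paths are assumptions.
declare(strict_types=1);
// The only places tp.php will ever forward to. conf.php would redirect to
// tp.php?to=thanks rather than passing a raw URL.
const ALLOWED_TARGETS = [
    'thanks'  => '/typ.php',
    'receipt' => '/receipt.php',
];

/**
 * Map an untrusted key to a safe local path. Exact lookup only: no prefix or
 * substring checks, and no user-supplied bytes ever reach the Location header.
 */
function resolveTarget(mixed $key): ?string
{
    if (!is_string($key)) {          // missing, or ?to[]=x turned it into an array
        return null;
    }
    return ALLOWED_TARGETS[$key] ?? null;
}

/**
 * Decide where to send the visitor. Returns [status, location] so the logic
 * can be exercised without emitting headers.
 */
function buildRedirect(mixed $key, string $fallback = '/index.php'): array
{
    $target = resolveTarget($key);
    if ($target === null) {
        // Unknown or tampered key: record it and land somewhere harmless.
        error_log('tp.php: rejected redirect key ' . var_export($key, true));
        return [303, $fallback];
    }
    return [303, $target];
}

if (PHP_SAPI !== 'cli') {
    [$status, $location] = buildRedirect($_GET['to'] ?? null);
    // no-store keeps the browser from replaying this page out of its cache
    // when the visitor presses Back; 303 makes the follow-up request a GET.
    header('Cache-Control: no-store');
    header('Location: ' . $location, true, $status);
    exit;
}
```

With this shape, a tampered or unexpected `to` value is logged and sent to the fallback page rather than echoed into a header, which is the check Eric's links are about.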


      
____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  
http://tools.search.yahoo.com/newsearch/category.php?category=shopping

Reply via email to