
Hi

I have a form page (form.php) which calls a separate PHP page to insert a new record (insert.php). Insert.php then redirects to a listing page (list.php) using

header('Location: list.php?z='.$access);

($access is the user id and privilege level and is passed through all pages as our company does not allow cookies or session variables)

My problem is that if the user clicks refresh on list.php the script from insert.php is rerun because the URL is still showing insert.php with the $_GET arrays. This results in a second identical record being inserted.

How can I prevent this problem?

Any help would be appreciated


Sending privilege and user ids via querystring is really asking for trouble. Anybody could change the data and as no cookies or session data may be queried, there will be no check. :(

Why do they not allow session vars? Sounds odd.

Refreshing the page will obviously cause a rerun of the scripts. You may be able to obviate this with:

if(isset($_SERVER['HTTP_REFERER'])){
   //run the script as it comes from a redirect (probably)
}else{
   //this is a refresh
}

This is not very reliable, but may work for you.

You *should* ensure that your querystring data is totally secure - difficult in your case. You could do something with a confirmatory hash:

$user_id = 3;
$priv = 2;
$conf = md5("my f1rst 5alt" . $user_id . "my sec0nd 5alt" . $priv);

So that you build the querystring thus:

$qs = "?user=$user_id&priv=$priv&conf=$conf";
 ...
<a href="somepage.php<?php echo $qs;?>">...</a>

Then check the top of every page for the correct conf that matches the $_GET equivalents:

$user_id = $_GET['user'];
$priv = $_GET['priv'];
$conf = $_GET['conf'];

// strict comparison: a loose == can treat two different hash strings as equal numbers
if($conf === md5("my f1rst 5alt" . $user_id . "my sec0nd 5alt" . $priv)){
   // querystring is intact; carry on
}

You need to check for the existence of $_GET though, or you may get an error.

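An added example (editor's code, not from the thread or its posters) that puts the two suggestions above into one piece: the user/priv querystring is signed with an HMAC and checked with isset and hash_equals at the top of each page, and insert.php is made idempotent with a one-time form token so a re-posted form cannot create a second record. SECRET_KEY, the in-memory record store and the sample values are constructed stand-ins.

```php
<?php
// Added example, not code from the thread. SECRET_KEY is a stand-in for a key
// loaded from config outside the web root; the records table (UNIQUE token
// column) is simulated with an in-memory array.
declare(strict_types=1);
const SECRET_KEY = 'stand-in-secret-load-from-config';

// Querystring carried between pages: user, priv and an HMAC over both, so the
// values cannot be changed without the server-side key.
function signed_query(int $user_id, int $priv): string {
    $tag = hash_hmac('sha256', $user_id . '|' . $priv, SECRET_KEY);
    return http_build_query(['user' => $user_id, 'priv' => $priv, 'conf' => $tag]);
}

// Verify $_GET at the top of every page. Returns [user_id, priv] or null.
function verify_query(array $get): ?array {
    if (!isset($get['user'], $get['priv'], $get['conf'])) {
        return null;                                    // parameters missing
    }
    $user = (string) $get['user'];
    $priv = (string) $get['priv'];
    if (!ctype_digit($user) || !ctype_digit($priv)) {
        return null;                                    // not plain integers
    }
    $expected = hash_hmac('sha256', $user . '|' . $priv, SECRET_KEY);
    // hash_equals is constant-time and avoids PHP's loose == on hash strings.
    return hash_equals($expected, (string) $get['conf']) ? [(int) $user, (int) $priv] : null;
}

// Idempotent insert: form.php puts bin2hex(random_bytes(16)) in a hidden field,
// insert.php stores it in the UNIQUE column, so re-posting the same form fails
// instead of adding a second record. After a successful insert, redirect with
// header('Location: list.php?' . $qs, true, 303); exit; so a refresh reloads
// list.php rather than insert.php.
function insert_once(array &$records, string $token, array $row): bool {
    if (isset($records[$token])) {
        return false;                                   // duplicate submission
    }
    $records[$token] = $row;
    return true;
}

// Constructed check: valid link verifies, a priv change fails, token inserts once.
parse_str(signed_query(3, 2), $params);
assert(verify_query($params) === [3, 2]);
assert(verify_query(['user' => '3', 'priv' => '9', 'conf' => $params['conf']]) === null);
$records = [];
$token = bin2hex(random_bytes(16));
assert(insert_once($records, $token, ['name' => 'demo']) === true);
assert(insert_once($records, $token, ['name' => 'demo']) === false);
```

The HMAC only proves the link was issued by the server; it does not hide user or priv, so anything sensitive still belongs server-side rather than in the URL.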


Thanks Ardav, your first suggestion works great. Sorry for my late reply, my real job took up all my time.
