(PHP) Is handling a form submission on the same page more / less / equally good compared to handling it on a separate page?

I have a PHP form and I wonder how I should handle the view. I remember when I studied Rails that a special form handler page was created for the behavior, which then redirected the user to the landing page, which would prevent the user from accidentally sending data by clicking the "Back" button and returning to the Form Submission Page.

For my PHP form, in order to avoid such errors (and for security, however that might come into play), is it better to send the form data via POST to a processing page that then redirects the user? Or would it be OK to just process the form data on the same page as the form? If I did the latter, is it possible for the user to accidentally resend data by pressing back / refresh / etc.?

+4
3 answers

Post-Redirect-Get is the design pattern recommended for web forms to prevent re-submission (and it is what you used in Rails).

It doesn't really matter whether you post to the same page or another one; it is the redirect that prevents accidental re-submission. Therefore, you can choose whether to post to the same page or a separate page depending on your coding style and/or application semantics.

+5

The same principles apply to PHP. Redirection can help with accidental refreshes of the form. However, you still need to take precautions to avoid problems with accidental submission (for example, using one-time tokens, input validation, etc.).

I use my own MVC-style framework, which simply has a dispatcher look for form posts in each view on the page and call the appropriate controller that can process the request (provided that the requirements for submitting only once have been met). Then it redirects the browser to the appropriate landing page.

You can post on the same page, of course, but I think this will lead to bad practice, such as mixing too much logic, html and database access together.

+1

There is a third way, which I especially love. To separate the logic from the presentation, I like to include a PHP file in every HTML document that requires some kind of processing (for example, displaying dynamic data, processing HTTP POST requests, etc.). I usually keep this file in a separate directory and name it "filename.page.php". Needless to say, this is nothing more than a coding convention, and you can call it something else.

In a sense, this means that you are processing the HTTP POST request in the same file (at least as far as your web server is concerned). You can redirect clients anyway using the HTTP Location header as follows:

header("Location: file.php");
exit; // stop the script here so nothing else runs after the redirect is sent

As a side note, I would not depend on HTTP POST for security; it's no harder to make arbitrary HTTP POST requests than HTTP GET requests.

0
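An added example, not part of any of the answers above: Post-Redirect-Get on a single page, combined with the one-time token and input validation the second answer mentions. The file name form.php, the session keys, the 500-character limit and the save_comment() placeholder are assumptions made for illustration.

```php
<?php
// Added example. Assumed names: form.php, the 'form_token' and 'flash' session
// keys, and save_comment(), a placeholder for the application's storage code.
declare(strict_types=1);
session_start();

function save_comment(string $text): void
{
    $_SESSION['comments'][] = $text; // placeholder: store in the real backend here
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent   = is_string($_POST['token'] ?? null) ? $_POST['token'] : '';
    $stored = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']); // single use: consume the token before processing

    $comment = trim(is_string($_POST['comment'] ?? null) ? $_POST['comment'] : '');
    $tokenOk = $stored !== '' && hash_equals($stored, $sent); // constant-time compare
    $inputOk = $comment !== '' && strlen($comment) <= 500;

    if ($tokenOk && $inputOk) {
        save_comment($comment);
        $_SESSION['flash'] = 'Saved.';
    } else {
        // A replayed POST (Back + resubmit, double click) lands here: token already used.
        $_SESSION['flash'] = 'Not saved: invalid input or form already submitted.';
    }

    header('Location: form.php', true, 303); // 303 See Other: browser follows with GET
    exit;                                    // nothing below runs for a POST
}

// GET: issue a fresh token and show any message left by the previous POST.
$_SESSION['form_token'] = bin2hex(random_bytes(32));
$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']);
?>
<!doctype html>
<title>Comment</title>
<?php if ($flash !== ''): ?><p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<form method="post" action="form.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="comment" maxlength="500"></textarea>
  <button type="submit">Send</button>
</form>
```

Because the token lives in the session and is unset on the first POST, a refresh of the landing page repeats only the GET, and a resubmitted copy of the old form is rejected on the server regardless of what the browser does.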

Source: https://habr.com/ru/post/1302715/
