Using a hash to check if a page with $ _POST values has been updated

Question

Using a hash to check if a page with $ _POST values has been updated

When submitting a form to the same PHP page, what is the correct method to find if the page was accidentally updated and not sent again?

Here is what I am using now:

$tmp = implode('',$_POST);
$myHash = md5($tmp);

if(isset($_SESSION["myHash"]) && $_SESSION["myHash"] == $myHash)
{
    header("Location: index.php");  // page refreshed, send user somewhere else
    die();
}
else
{
    $_SESSION["myHash"] = $myHash;
}

// continue processing...

Is there something wrong with this solution?

UPDATE: An example of this scenario would be inserting a row into a registration table. You would like this operation to be performed once.

+3

post php forms form-submit hash

Dieseltime Apr 16 '10 at 1:55

source share

3 answers

deceze · Answer 1 · 2010-04-16T03:41:27+0000

, . , , , , , . - .

<?php
    $token = /* a randomly generated string */;
    $_SESSION['_token'] = $token;
?>
<input type="hidden" name="_token" value="<?php echo $token; ?>" />

. , , POST.

Re comment: . , , SO, . , , .

. , .

, , POST, . , , . , . , ( ).

Michael Mrozek · Answer 2 · 2010-04-16T02:07:06+0000

, POST , ,

header("Location: new-page.php");

- .

Dieseltime · Answer 3 · 2010-04-16T05:32:08+0000

Using tokens in combination with a POST / REDIRECT / GET design pattern is the best solution available.

Installing a one-time token will prevent the user from clicking the "Back" button and again trying to submit the form.
Redirecting the user and using the view to display input allows them to remove updates if they wish.

Using a hash to check if a page with $ _POST values ​​has been updated

More articles:

Using a hash to check if a page with $ _POST values has been updated