表单提交的唯一标记似乎不起作用 [英] Unique token with form submit doesn't seem to work
问题描述
这是我想要做的:
防止用户使用唯一标记提交表单两次。我想我在这里有正确的代码,但它仍然没有工作。第一次提交表格时,输出为不要发送两次。我究竟做错了什么?
<?php session_start(); ?>
< html>
< body>
<?php
$ _SESSION ['token'] = md5(session_id()。time());
?>
<?php
if(isset($ _ SESSION ['token']))
{
if(isset($ _ POST ['token']) )
{
if($ _POST ['token']!= $ _SESSION ['token'])
{
echo不要发送两次!
}
}
}
else {
echo谢谢你提交;
}
?>
< form action =<?php echo $ _SERVER ['PHP_SELF'];?>方法= POST >
< input type =hiddenname =tokenvalue =<?php echo $ _SESSION ['token']?> />
< input type =textname =bar/>
< input type =submitvalue =Save/>
< / form>
if(isset($ _ SESSION ['token')')的条件将不会显示出来,因此 ]))始终得到满足,因为您生成令牌并将会话变量直接设置在此if子句之上......这也是为什么在提交第一个消息之后总是会看到不发送两次时间。 加载表单时,您生成一个令牌,将其保存在会话中,并将其放入表单中。
提交表单后,您再次从顶部开始脚本:
您的令牌现在位于帖子变量中。但是你重新创建你的会话令牌。然后你比较帖子和会话。当然它们不匹配,因为你刚刚生成了一个NEW标记,所以它们当然是不相等的。
我为你的代码推荐这个结构:
< html>
< body>
<?php
session_start();
//是否已将表格提交?
if(isset($ _ POST))
{
//表单已被提交
//验证标记
if($ _ POST [ '令牌'] == $ _SESSION ['token'])
{
//代码有效,继续执行过程
}
else
{
echo'无效的标记,请重试!';
}
}
else
{
// FORM NOT SUBMITTED YET
$ token = $ _SESSION ['token '] = md5(session_id()。time()。rand());
//我建议添加rand(),否则总会有一个1秒的窗口,令牌可以翻倍...
echo'< form action ='。$ _SERVER ['PHP_SELF']。'method =post>';
echo'< input type =hiddenname =tokenvalue ='。$ token。'/>';
echo'< input type =textname =bar/>';
echo'< input type =submitvalue =Save/>';
echo'< / form>';
}
?>
< / body>
< / html>
This is what I want to do:
Prevent a user to submit a form twice using a unique token. I think I have the right code here, but it still dosn't work. The output is "Don't send twice" the first time the form is submitted. What am i doing wrong?
<?php session_start(); ?>
<html>
<body>
<?php
$_SESSION['token'] = md5(session_id() . time());
?>
<?php
if (isset($_SESSION['token']))
{
if (isset($_POST['token']))
{
if ($_POST['token'] != $_SESSION['token'])
{
echo "Don't send twice!";
}
}
}
else {
echo "Thank you for submitting";
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>" />
<input type="text" name="bar" />
<input type="submit" value="Save" />
</form>
Thank you for submitting will never be displayed, because the condition for if( isset($_SESSION['token']) ) is always fulfilled, because you generate the token and set the session variable directly above this if clause... That's also why you will always see "don't send twice" after submitting the first time.
When loading the form you generate a token, save it in the session, put it in the form.
After submitting the form, you start the script again from the top:
Your token is now in the post variable. But you recreate your session token. then you compare post and session. of course they don't match, because you have just now generated a NEW token, so of course they are not equal.
I recommend this structure for your code:
<html>
<body>
<?php
session_start();
//HAS THE FORM BEEN SUBMITTED?
if(isset($_POST))
{
//THE FORM HAS BEEN SUBMITTED
//VALIDATE THE TOKEN
if($_POST['token'] == $_SESSION['token'])
{
//THE TOKEN WAS VALID, CONTINUE WITH PROCEDURES
}
else
{
echo 'Invalid token, please try again!';
}
}
else
{
//FORM NOT SUBMITTED YET
$token = $_SESSION['token'] = md5( session_id() . time(). rand() );
//i recommend adding rand() otherwise there is always a 1 second window in which the token could be doubled up...
echo '<form action="'. $_SERVER['PHP_SELF'] .'" method="post">';
echo '<input type="hidden" name="token" value="'. $token .'" />';
echo '<input type="text" name="bar" />';
echo '<input type="submit" value="Save" />';
echo '</form>';
}
?>
</body>
</html>
这篇关于表单提交的唯一标记似乎不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
