Prevent duplicate record insertion on refresh without redirecting


Problem description

I have this script:

if (isset($_POST['comment_posted'])) {
    $user_comment = mysql_real_escape_string($_POST['user_comment']);
    $add_user_comment = Event::addUserComment($id,$user->user_id,$user_comment);
}

After a user submits his comment, and refreshes the page, he is being presented with the "you are going to resend the post data" warning. And if the user accepts, it will re-insert the user comment.

I understand that I can prevent that by using the header function and redirecting the member to the same page. Is it possible to solve this issue without redirecting the member?

Recommended answer

No. You'll either do a post-redirect-get or subsequent refreshes will present this dialog to the user.

In case you choose not to do a PRG, you need to somehow detect that the submission is a duplicate. One easy way is to inject a hidden parameter with a random hash/number (e.g. called token). Upon submission you'll have to check that the token you expect (which you'll have probably stored in the HTTP session) is being sent together with the other POST parameters. On valid submission you'll remove/invalidate this token. That way, when a POST comes with a non-recognised token, it's most probably a duplicate or out-of-date request.

If you implement this correctly then you'll also make your application proof against CSRF attacks.
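
The token check described in the answer, as an added example that is not part of the original post. The session key `comment_form_token`, the field name `token` and both function names are assumptions chosen for illustration.

```php
<?php
// Added example: one-time form token kept in the session (all names are hypothetical).
declare(strict_types=1);

const TOKEN_KEY = 'comment_form_token'; // hypothetical session key

/** Issue a fresh token, store it in the session, return it for the hidden field. */
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG output, not rand()/uniqid()
    $session[TOKEN_KEY] = $token;
    return $token;
}

/**
 * Accept a submission only if it carries the token that was issued.
 * The token is invalidated on a valid submission, so the same POST
 * resent by a browser refresh no longer matches anything.
 */
function consume_form_token(array &$session, array $post): bool
{
    $expected = $session[TOKEN_KEY] ?? null;
    $sent = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($sent) || !hash_equals($expected, $sent)) {
        return false; // missing, stale or already used token
    }
    unset($session[TOKEN_KEY]); // single use
    return true;
}

// Demonstration with constructed data; in a real page pass $_SESSION and $_POST.
$session = [];
$token = issue_form_token($session);
$post = ['comment_posted' => '1', 'user_comment' => 'hello', 'token' => $token];

var_dump(consume_form_token($session, $post)); // first submission
var_dump(consume_form_token($session, $post)); // same POST replayed by a refresh
var_dump(consume_form_token($session, ['comment_posted' => '1'])); // no token sent

// Hidden field to render with the form, using a newly issued token:
$field = htmlspecialchars(issue_form_token($session), ENT_QUOTES, 'UTF-8');
echo '<input type="hidden" name="token" value="' . $field . '">' . PHP_EOL;
```

In the question's script, the insert would run only when `consume_form_token($_SESSION, $_POST)` returns true. A single session slot means one open form per session; keying tokens per form instance would be needed for multiple tabs.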
