stop someone reloading a page

is there a way in either php or html to disable the back and/or the
reload/refresh on a browser so a potential spammer can't just keep refreshing
the page of a form that sends a confirmation email out

thanks in advance
Jul 17 '05 #1
chris wrote:
is there a way in either php or html to disable the back and/or the
reload/refresh on a browser so a potential spammer can't just keep refreshing
the page of a form that sends a confirmation email out


That's a very common problem in web applications. There are different
solutions:

- have the "successfully sent" page redirect to another page (like back
to where we came from), so the spammer would have to catch a 1-second
time-window to hit F5.

- include a uniqid() in a hidden field of the form, so the system won't
accept more than one form submission with the same ID, e.g. insert the
ID in a db table when the form is being displayed and remove it again
when the form is submitted.

There's prolly lotsa other solutions. These are the ones I've used so
far. (The first one is less work, the second one is more secure).

Jochen

Jul 17 '05 #2
chris wrote:
is there a way in either php or html to disable the back and/or the
reload/refresh on a browser so a potential spammer can't just keep refreshing
the page of a form that sends a confirmation email out


In PHP, check the reference page, if the reference page isn't the page from
where the link is to the send-page, then redirect them to another page that
wishes them "happy new year".

//Aho
Jul 17 '05 #3
J.O. Aho wrote:
In PHP, check the reference page, if the reference page isn't the page
from where the link is to the send-page, then redirect them to another
page that wishes them "happy new year".


Won't work... When pressing "F5", the browser sends the same referer
info as before.

Jochen

Jul 17 '05 #4

"chris" <so*****@here.com> wrote in message
news:3f********@funnel.arach.net.au...
is there a way in either php or html to disable the back and/or the
reload/refresh on a browser so a potential spammer can't just keep refreshing
the page of a form that sends a confirmation email out

thanks in advance

This is what I do

// put on top of page
if ($_POST)
{ // do stuff that can't handle refresh
    // redirect with or without vars; PHP_SELF is only the path, so prepend the host
    header("Location: http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit;
}

Jul 17 '05 #5
Jochen Buennagel wrote:
J.O. Aho wrote:
In PHP, check the reference page, if the reference page isn't the page
from where the link is to the send-page, then redirect them to another
page that wishes them "happy new year".

Won't work... When pressing "F5", the browser sends the same referer
info as before.


Then the next option is to use a cookie. I guess most spammers would use another
method than a browser to send. On the page before, set a cookie, then on the
send page, if there isn't any cookie set, then don't send (and if there is,
delete the cookie and send).
//Aho
Jul 17 '05 #6
Floortje wrote:

"chris" <so*****@here.com> wrote in message
news:3f********@funnel.arach.net.au...
is there a way in either php or html to disable the back and/or the
reload/refresh on a browser so a potential spammer can't just keep refreshing
the page of a form that sends a confirmation email out


You could use uniqid() to generate a unique id and include it in a hidden field in
the form. On your confirmation page, check a log file or mysql db to see if
that confirmation number has been used. If not, send the email and write the id
to the db or file. If it has been used, display the appropriate error message.
This is quick and easy and will prevent the casual or inadvertent "spammer" from
sending multiple emails with refresh and back (though a programmer can get
around it easily). Make sure to clean out the file or db often or else your
script will slow down. You can do this manually, with a cron job, or this
method:

If using a logfile, if the filesize() is greater than n bytes delete all but the
last 10 records and save the file. Occasionally, a user will have to wait a bit
longer (a fraction of a second or, at most, a couple seconds), but you keep all
your code together.

Regards,
Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #7
At the top of your script/page check for a cookie or session variable

session_start();
// session version shown; a cookie works the same way via $_COOKIE / setcookie()
$varName = isset($_SESSION['varName']) ? $_SESSION['varName'] : '';
if ($varName == "yep") {
    header("Location: http://www.yourdomain.com/noback.html");
    exit;
}

then at this point set a cookie or session variable

$varName = "yep";
$_SESSION['varName'] = $varName;

now continue with rest of your page
if the user tries to come back to this page, nope, no way jose
the only way back would be through the page that is supposed to link
to it, and on this page make sure to clear the cookie or session var.

so your prior page, at top:
session_start();
$varName = "all clear";
$_SESSION['varName'] = $varName;

again, as was stated, a programmer can get past this.

Mike
http://gzen.myhq.info -- free online php tools
Jul 17 '05 #8
php
Perhaps you could maintain a database by IP address and reject duplicates.

The requester IP address is available via a $_SERVER['REMOTE_ADDR']
variable.

Good Luck.
"chris" <so*****@here.com> wrote in message
news:3f********@funnel.arach.net.au...
is there a way in either php or html to disable the back and/or the
reload/refresh on a browser so a potential spammer can't just keep refreshing
the page of a form that sends a confirmation email out

thanks in advance

Jul 17 '05 #9
php wrote:
Perhaps you could maintain a database by IP address and reject duplicates.

The requester IP address is available via a $_SERVER['REMOTE_ADDR']
variable.

Good Luck.
"chris" <so*****@here.com> wrote in message
news:3f********@funnel.arach.net.au...
is there a way in either php or html to disable the back and/or the
reload/refresh on a browser so a potential spammer can't just keep refreshing
the page of a form that sends a confirmation email out

thanks in advance


You could use the GD lib and create a random number outputted as an image
which has to be inputted into the form and expires as soon as the form
has been used, much like a lot of sites do including Yahoo I believe.

~Cameron
Jul 17 '05 #10

"php" <ph*@php.info> wrote in message
news:Nd******************@newssvr24.news.prodigy.com...
Perhaps you could maintain a database by IP address and reject duplicates.

The requester IP address is available via a $_SERVER['REMOTE_ADDR']
variable.

Good Luck.

What about two people behind one proxy? This seems to me like a very bad
idea.
Jul 17 '05 #11
"chris" <so*****@here.com> wrote in news:3f********@funnel.arach.net.au:
is there a way in either php or html to disable the back and/or the
reload/refresh on a browser so a potential spammer can't just keep
refreshing the page of a form that sends a confirmation email out


This sounds like a classic case of an "XY problem" where you want to
accomplish task X (e.g. prevent a particular user from sending out multiple
emails) and get the idea that implementation Y (e.g. disable the back
button) is the way to do it. In most cases, it turns out that
implementation Z (e.g. generate some sort of unique identifier with each
form, and reject multiple submissions of the form with the same ID), is a
better way to accomplish X.
Jul 17 '05 #12
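
Added example (not part of the thread and not any poster's code): the single-use form ID suggested in replies #2, #7 and #12, combined with the redirect-after-POST from reply #5. It swaps uniqid() for random_bytes() and keeps the IDs in the session instead of a db table; `/sent.php`, `send_confirmation_mail()`, the `email` field and the 15-minute lifetime are assumptions.

```php
<?php
// Added example: single-use form token plus redirect-after-POST.
// /sent.php, send_confirmation_mail() and the "email" field are hypothetical.
session_start();

const TOKEN_TTL = 900; // seconds a displayed form stays valid (assumed value)

function issue_token(): string {
    // random_bytes() instead of uniqid(): uniqid() is derived from the clock,
    // so it identifies a form but cannot be relied on to be unguessable.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_tokens'][$token] = time() + TOKEN_TTL;
    return $token;
}

function consume_token(string $token): bool {
    $now = time();
    // Prune expired tokens on every check so the store cannot grow unbounded.
    $_SESSION['form_tokens'] = array_filter(
        $_SESSION['form_tokens'] ?? [],
        fn (int $expires): bool => $expires >= $now
    );
    if (!isset($_SESSION['form_tokens'][$token])) {
        return false; // unknown, expired, or already used
    }
    unset($_SESSION['form_tokens'][$token]); // burn it before doing any work
    return true;
}

function send_confirmation_mail(string $to): void {} // stands in for the site's mailer

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['token'] ?? '';
    $email = $_POST['email'] ?? '';
    if (is_string($token) && is_string($email) && consume_token($token)) {
        send_confirmation_mail($email);
    }
    // 303 makes the browser fetch the result page with GET, so a reload
    // repeats that GET instead of re-sending the POST.
    header('Location: /sent.php', true, 303);
    exit;
}
?>
<form method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars(issue_token()) ?>">
  <input type="email" name="email">
  <button type="submit">Send</button>
</form>
```

This rejects a reload or back-button resubmission of the same form. As the replies note, it does not limit a client that requests a fresh form each time, so a cap on sends per recipient address needs a separate server-side check.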
