开发者

Wait 30 seconds in order to allow a new action on PHP and MySQL?

问答 作者:

In my web page a user fill a form who send information to a MySql database. One of the data inputs sent is a date/time, in the format date('l jS \of F Y h:i:s A'); (I can change the format as needed)

So when the user submits the form I want to check if the actual time/date is 30 seconds more 开发者_如何学Gothan the sent time/date in order to allow or not the submission of the form. Thanks!

So you have something like...

<form action="wtv.php" method="POST">
    <input type="hidden" name="date" value="<?php echo date('l jS \of F Y h:i:s A'); ?>" />
    <input type="submit" />
</form>

... and when the user clicks on 'submit' you want to check if the 'date' input's value is from less than 30 seconds ago?

You could do this with something like Ken Keenan suggests... but the problem is that you can't trust the client input. In your comment on jeroen's answer you indicate an awareness that the client scripting is untrustworthy, but that's not limited to the scripting; if you really need this to be secure so that no one can submit this form more than 30 seconds after requesting the <form>, you have to do something else.

The problem is that what the server expects of the "date" input is predictable; if I visit your <form> and open up Firebug or even save the HTML document and open it in notepad, I can guess pretty easily how to update the <input /> so I can submit.

Instead use a token.

Randomly generate a kind of unique, random ID and store it in the session or the database...

$unique = md5(uniqid()).md5(time()); // there are better ways to get a unique random ID
$_SESSION['tokens'][$unique] = time();

Then include the token (not the date/time!) in the <form>...

<form action="wtv.php" method="POST">
    <input type="hidden" name="token" value="<?php echo htmlentities($unique); ?>" />
    <input type="submit" />
</form>

... and on submit check that the time from that token was less than 30 seconds away.

<?php
    // partially borrowed from Ken Keenan's answer...
    if((time() - $_SESSION['tokens'][$_POST['token']]) > 30) {
        echo "Time's up!";
    } 
?>

You can store the submit time in a session variable (regardless of your own date format, just store the result of time() on your server) and check if that variable is set before you take any action on submit.

If you want disallow submit on the browser side, you will need javascript.

example (overly verbose for clarity):

<?php
    session_start();

    if (isset($_SESSION['submit_time']))
    {
         if ($_SESSION['submit_time'] >= (time() - 30))
         {
             die();
         }
    }
    $_SESSION['submit_time'] = time();
?>

If I understand you correctly, you wish to create a form that "expires" after 30 seconds?

I would create a hidden element in the form:

<input name="current_time" type="hidden" value="<?php echo time(); ?>"

You can then check this when the form is submitted:

<?php
if((time() - $_POST['current_time']) > 30) {
  echo "Time's up!";
} 
?>

You could also do it on the client using JavaScript to check on form submission -- but that would depend on the client's clock being roughly correct compared to the server...

If you insist on storing a text version of your datetime, I suggest that you also store a datetime version of your datetime. Then comparisons are easy.

Without javascript, the submission will still happen, but if your processing script uses an UPDATE query like

UPDATE mytable SET wordydatetime='$dayofmonthyearhourminutesecond' 
WHERE realdatetime< DATE_SUB(NOW(), INTERVAL 30 SECONDS) AND record_id=$x;

the update will fail if it is too recent.

ETA:

If you have more complex processing to do than just an update, a quick SELECT will let you determine whether to continue processing the form:

SELECT record_id FROM mytable 
  WHERE record_id=$x 
    AND realdatetime< DATE_SUB(NOW(), INTERVAL 30 SECONDS);

If you get no records back, it means that the form should not be processed.

You could easily do this by having your mysql date be unix_time. Then you would do an insert statement with mktime().

This is the easiest by far way to check if it was done within 30 seconds as the unix time is a second count. So just do a number comparison, mktime() at post, and mktime() at 2nd post, subtract, if result is > 30, do whatever you need to.

Example: (as requested)

do initial INSERT of entry into database, for the DATE/TIME value in your table, use the result of mktime()

if the user tries to post again, check if post exists (or last entry, whatever), get the date (this will be in unix time format ex: '12456771411').

get the current unixtime and do something with it

$time = mktime();
if($time - $row['date'] > 30){
 allow them to post
} else {
 30 seconds didn't pass.. etc;
}

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9