
Thread: [RESOLVED] Loophole-Delete $_POST["x"]

  1. #21
    Musical chair sumwungye's Avatar
    Join Date
    Jan 2008
    Location
    Planet Earth, third planet from the Sun
    Posts
    287

    Boooooooooooooo...

    Welp, that sucks. Guess I'll just have to live with it. Yeah.
    --SumWunGye

  2. #22
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    That's not necessarily the solution. You will just have to employ duplicate checking on the server side through many different various solutions. It's hard to give any specific solutions for you without knowing exactly what your goals are and what you're working with.

    [edit]
    Here's a pretty basic implementation using sessions:
    PHP Code:
    <?php
    session_start();

    $post = serialize($_POST);

    if(!isset($_SESSION['requests'])) $_SESSION['requests'] = array();
    else if(in_array($_SESSION['requests']), $post) exit();

    $_SESSION['requests'][] = $post;

    //continue on with your script
    ?>
    What this does is push a serialized version of the POST request into an array of all requests. But first, it just checks if that exact serialized string already exists. If it does, it means the request has been made and simply exits out of the script to prevent further unwanted execution.
    [/edit]
    Last edited by MyFriendIsATaco; 06-21-2008 at 07:41 PM.

  3. #23
    Musical chair sumwungye's Avatar
    Join Date
    Jan 2008
    Location
    Planet Earth, third planet from the Sun
    Posts
    287
    Sorry, but that code is just a little bit over my head.

    I'm sure it's not such a big deal I can't delete $_POST variables, I can live with it...
    --SumWunGye

  4. #24
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    It's not that you can't delete the POST variables. You're completely missing the point that I've reiterated a few times already. When the page is refreshed, all the data is resent from the browser. No matter how you look at it, it is resent and treated as a completely new request. There is no way to avoid that no matter what language you use.

    And that code would be just a copy and paste to use kinda deal. Stick it at the top of your page, and it should work.

  5. #25
    Musical chair sumwungye's Avatar
    Join Date
    Jan 2008
    Location
    Planet Earth, third planet from the Sun
    Posts
    287
    Well I tried the code, my page wouldn't work, I moved a parenthesis, it worked again, I uploaded the saved page, went to it on Firefox, sent some data from the Flash file, reloaded the page, clicked "OK" to the
    The page you are trying to view contains POSTDATA. If you resend the data, any action the form carried out (such as a search or online purchase) will be repeated. To resend the data, click OK. Otherwise click Cancel.
    message, and saw that it rewrote the data again? Hmm...maybe I changed the code wrong? Well, here it is...

    Code:
    session_start();
    $post = serialize($_POST);
    if (!isset($_SESSION['requests'])) {
        $_SESSION['requests'] = array();
    } else if (in_array($_SESSION['requests'], $post)) {
        exit();
    }
    $_SESSION['requests'][] = $post;
    I changed the if statements to have brackets, since I think it looks better.

    Let me know if this is right...
    --SumWunGye

  6. #26
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    Oops, I did leave out a parenthesis, and I have the order of parameters for the in_array() function backwards. Sorry about that. Here should be a revised version:
    PHP Code:
    <?php
    session_start();

    $post = serialize($_POST);

    if(!isset($_SESSION['requests'])) $_SESSION['requests'] = array();
    else if(in_array($post, $_SESSION['requests'])) exit();

    $_SESSION['requests'][] = $post;

    //continue on with your script
    ?>
    Try that out and see how it works.

    (This is all untested, mind you.)

  7. #27
    Musical chair sumwungye's Avatar
    Join Date
    Jan 2008
    Location
    Planet Earth, third planet from the Sun
    Posts
    287
    Hmm...

    Everything below the point of your code just doesn't load...weird...

    I tried to move it around, but the same thing happens, it loads everything up to your code, then just stops......

    I have no clue what happened: if the code wasn't grammatically correct, none of the page would load, but only the php code below doesn't.

    Does anyone know why?
    --SumWunGye

  8. #28
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    I'll take a look at this at some point tonight and actually test it and see what I get.

  9. #29
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    Ok, sorry for the delay, but I just used my exact example, and it worked perfectly:

    post.html
    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

        <title>untitled</title>

    </head>

    <body>

    <form action="post.php" method="post">
        <input type="text" name="text1" /><br />
        <input type="text" name="text2" /><br />
        <input type="submit" value="Submit" />
    </form>

    </body>
    </html>
    post.php
    PHP Code:
    <?php
        session_start();

        $post = serialize($_POST);

        if(!isset($_SESSION['requests'])) $_SESSION['requests'] = array();
        else if(in_array($post, $_SESSION['requests'])) exit('Data already sent!');

        $_SESSION['requests'][] = $post;

        //continue on with your script
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

        <title>untitled</title>

    </head>

    <body>

    <p>Yay!</p>
    <!-- escape the submitted data before echoing it back into the page -->
    <pre><?php echo htmlspecialchars($post); ?></pre>
    <pre><?php echo htmlspecialchars(print_r($_SESSION, true)); ?></pre>

    </body>
    </html>
    I also put it up here: http://ydekproductions.com/post.html

    It will never let you send duplicate data. If you type a '1' into both boxes the first time, you'll get the Yay message. If you go back and send the same data again or hit Refresh, you'll get the Data already sent! error.
    Last edited by MyFriendIsATaco; 06-24-2008 at 05:13 PM.

  10. #30
    Musical chair sumwungye's Avatar
    Join Date
    Jan 2008
    Location
    Planet Earth, third planet from the Sun
    Posts
    287

    Almost there...!

    Well, after some research of "exit()", I found why it wasn't working before...it terminated my script at the top!

    After rewriting of my script, I got a step closer...but I'm not quite there.

    I sent some data the first time, then, once the page loaded, the data wasn't sent. Then, I refreshed the page, and it still didn't get sent...Here's my code...

    PHP Code:
    <?php
    //other code
    session_start();
    $var = $_POST["var"];
    $var0 = $_POST["var0"];
    $var1 = $_POST["var1"];
    $var2 = $_POST["var2"];
    $post = serialize($_POST);
    if(!isset($_SESSION["requests"])) {
        $_SESSION["requests"] = array();
        if (isset($var) && isset($var0) && isset($var1) && isset($var2)){
            $opener = fopen("document.txt", "a");
            fwrite($opener, "@".$var."@".$var0."@".$var1."@".$var2."\n");
            fclose($opener);
        }
    }
    $_SESSION["requests"][] = $post;
    //more other code
    ?>
    Maybe now you can help me work it into my code...
    --SumWunGye

  11. #31
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    Quote Originally Posted by sumwungye
    Well, after some research of "exit()", I found why it wasn't working before...it terminated my script at the top!

    After rewriting of my script, I got a step closer...but I'm not quite there.

    I sent some data the first time, then, once the page loaded, the data wasn't sent. Then, I refreshed the page, and it still didn't get sent...Here's my code...
    Isn't that what you wanted to happen? You wanted to prevent multiple duplicate requests. It "exit()s" out so that further execution is halted. It will only allow the first request.

  12. #32
    Musical chair sumwungye's Avatar
    Join Date
    Jan 2008
    Location
    Planet Earth, third planet from the Sun
    Posts
    287
    PHP Code:
    <?php
    //other code
    session_start();
    $var = $_POST["var"];
    $var0 = $_POST["var0"];
    $var1 = $_POST["var1"];
    $var2 = $_POST["var2"];
    $post = serialize($_POST);
    if(!isset($_SESSION["requests"])) {
        $_SESSION["requests"] = array();
        if (isset($var) && isset($var0) && isset($var1) && isset($var2)){
            $opener = fopen("document.txt", "a");
            fwrite($opener, "@".$var."@".$var0."@".$var1."@".$var2."\n");
            fclose($opener);
        }
    }
    $_SESSION["requests"][] = $post;
    //more other code
    ?>
    The code above is only a small portion of my php code. It is at the top, so exiting would do more than keep the files from being written. I need a code like one that says...

    if ($_POST variables == session variables from before){
    do not write them to file document.txt;
    } else if (!($_POST variables == session variables from before)){
    write them to file;
    }
    go on with code;
    ...

    So either way it continues the code afterwards...

    So I need to know, what's wrong with the above code?
    --SumWunGye

  13. #33
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    Your code is all messed up beyond me explaining what's wrong, so I'm going to modify my code for you so it continues code execution:
    PHP Code:
    <?php
        session_start();

        $post = serialize($_POST);

        if(!isset($_SESSION['requests'])) $_SESSION['requests'] = array();

        if(!in_array($post, $_SESSION['requests']))
        {
            //your file writing code here
        }

        $_SESSION['requests'][] = $post;

        //continue on with your script
    ?>
    Last edited by MyFriendIsATaco; 06-26-2008 at 12:11 AM.

  14. #34
    Musical chair sumwungye's Avatar
    Join Date
    Jan 2008
    Location
    Planet Earth, third planet from the Sun
    Posts
    287
    Thanks! The code works perfectly.
    --SumWunGye
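
Added example, not part of the original thread: a variant of the session check from post #33 that stores a SHA-256 fingerprint of each request instead of the raw serialized POST data, ignores field order, skips requests with no POST data, and caps how many fingerprints the session keeps. The function names `post_fingerprint` and `is_first_submission` and the cap of 50 are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Function names and the cap of 50
// remembered requests are assumptions chosen for illustration.

/** Stable fingerprint of a POST array: the same top-level fields in any order hash the same. */
function post_fingerprint(array $post): string
{
    ksort($post);                       // field order must not change the result
    return hash('sha256', serialize($post));
}

/**
 * Returns true the first time a given POST body is seen in this session store,
 * false for a repeat (browser refresh, back + resubmit). Never exits, so the
 * rest of the page still renders either way.
 */
function is_first_submission(array $post, array &$seen, int $max = 50): bool
{
    if ($post === []) {
        return false;                   // plain GET: nothing to write
    }
    $fp = post_fingerprint($post);
    if (in_array($fp, $seen, true)) {   // strict comparison of hash strings
        return false;
    }
    $seen[] = $fp;
    if (count($seen) > $max) {
        array_shift($seen);             // drop the oldest so the session stays small
    }
    return true;
}

// In the page itself (needs a web request, shown for context):
//   session_start();
//   $_SESSION['requests'] = $_SESSION['requests'] ?? [];
//   if (is_first_submission($_POST, $_SESSION['requests'])) { /* file writing code */ }

// Constructed sample input so the block runs from the command line.
$seen  = [];
$first = ['var' => 'a', 'var0' => 'b', 'var1' => 'c', 'var2' => 'd'];
$again = ['var2' => 'd', 'var1' => 'c', 'var0' => 'b', 'var' => 'a']; // same data, reordered
var_dump(is_first_submission($first, $seen));  // first request
var_dump(is_first_submission($again, $seen));  // refresh of the same data
var_dump(is_first_submission([], $seen));      // page loaded without POST data
```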
