PHP prevents users from submitting forms repeatedly

When we submit the form, one limitation that cannot be ignored is to prevent users from submitting the form repeatedly, because it is possible that the user clicks the submit button continuously or the attacker maliciously submits data. Then our processing after submitting the data such as modifying or adding data to database will cause trouble.

So how to avoid the phenomenon of repeated form submission? We can start from many aspects:
First, make restrictions on the front end. The front-end JavaScript is disabled after the button is clicked once. This method simply prevents multiple clicks on the submit button, but the disadvantage is that it will not work if the user disables the JavaScript script.
Second, we can redirect the page after submission, that is, jump to a new page after submission. This mainly avoids repeated submission of F5, but it also has shortcomings.
Third, the database has a unique index constraint.
The fourth step is to verify the session token.
Let’s now learn about a simple method of using session token to prevent repeated submission of forms.
We add an input hidden field in the form, that is, type="hidden", whose value is used to save the token value. When the page is refreshed, the token value will change. After submission, it is judged whether the token value is correct. If it is submitted by the front desk If the token does not match the background, it is considered to be a duplicate submission.

< ?php
/*  * PHP简单利用token防止表单重复提交  */
session_start();
header("Content-Type: text/html;charset=utf-8");
function set_token() {
    $_SESSION[&#39;token&#39;] = md5(microtime(true));
}
function valid_token() {
    $return = $_REQUEST[&#39;token&#39;] === $_SESSION[&#39;token&#39;] ? true: false;
    set_token();
    return $return;
}
//如果token为空则生成一个token 
if(!isset($_SESSION[&#39;token&#39;]) || $_SESSION[&#39;token&#39;]==&#39;&#39;) {  
    set_token(); 
}    
if(isset($_POST[&#39;web&#39;])){  
    if(!valid_token()){  
        echo "token error，请不要重复提交！";  
    }else{  
    echo &#39;成功提交，Value:&#39;.$_POST[&#39;web&#39;];  
    } 
}else{ 
?>  
    <form method="post" action="">  
    <input type="hidden" name="token" value="<?php echo $_SESSION[&#39;token&#39;]?>">  
    <input type="text" class="input" name="web" value="www.jb51.net">  
    <input type="submit" class="btn" value="提交" />  
    </form> 
<?php 
} 
?>　　

The above is a simple example to prevent repeated form submission.
Then in the actual project development, the form token will be processed more complexly, which is what we call token verification. Possible processing There are: verifying the source domain, that is, the source, whether it is an external submission; matching the action to be performed, which is adding, modifying or deleting; the second and most important thing is to construct the token, which can use a reversible encryption algorithm. Be as complex as possible, because plaintext is still insecure.