Inspired by this topic.
This is about how, in my projects, I check for repeated submission of POST or GET parameters to a script. When generating the form, I add a unique key to a hidden input and record that key in a log table. When the request reaches the script, the script performs the necessary actions and sets the received key's status to completed. The rest is simple: the script that accepts the data checks whether the key has already been used.
After that, you can return a 302 or 303, whichever you prefer. You can even skip the redirect and simply show the user the result of the script's execution (although that is less methodologically correct).
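A sketch of the check described above, as an added example that is not the author's code. It uses Python with an in-memory SQLite database; the `form_keys` and `orders` tables, the function names and the 409 response for a reused key are assumptions. It goes slightly beyond the text by marking the key as used and applying the change in one transaction, so two simultaneous submissions of the same key cannot both pass the check.

```python
import secrets
import sqlite3

def open_db():
    # In-memory database standing in for the project's log table (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE form_keys (key TEXT PRIMARY KEY, status TEXT NOT NULL)")
    conn.execute("CREATE TABLE orders (item TEXT NOT NULL)")
    return conn

def issue_key(conn):
    # Called while rendering the form: the returned value goes into the hidden input.
    key = secrets.token_urlsafe(32)
    with conn:
        conn.execute("INSERT INTO form_keys (key, status) VALUES (?, 'issued')", (key,))
    return key

def handle_post(conn, form):
    # Returns an HTTP status: 303 for a first submission, 409 for a reused or unknown key.
    key = form.get("form_key", "")
    with conn:  # one transaction: claim the key and apply the change together
        cur = conn.execute(
            "UPDATE form_keys SET status = 'done' WHERE key = ? AND status = 'issued'",
            (key,),
        )
        if cur.rowcount != 1:
            return 409  # key already completed, or never issued by us
        conn.execute("INSERT INTO orders (item) VALUES (?)", (form["item"],))
    return 303

def count_orders(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

if __name__ == "__main__":
    conn = open_db()
    form = {"form_key": issue_key(conn), "item": "book"}  # constructed sample submission
    print(handle_post(conn, form), handle_post(conn, form), count_orders(conn))
```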
The method works not only for transactions, payments and the like, but for any operation on the database.
Of the downsides: a couple of additional database queries, but I consider one insert and one single-record select a minor cost in exchange for the overall safety of the script. I also use the method to keep a log of operations.
The purpose of this post is to advise beginners to do the above; it takes only a few lines of code. Note also that the method makes sense when changes are made to the database or to files, i.e. when repeated execution can affect the integrity of the data.
Thanks for your attention.