ansaurus

Question

Wait 30 seconds in order to allow a new action on PHP and MySQL?

Answer 1

+2 A:

You can store the submit time in a session variable (regardless of your own date format, just store the result of time() on your server) and check if that variable is set before you take any action on submit.

If you want disallow submit on the browser side, you will need javascript.

example (overly verbose for clarity):

<?php
    session_start();

    if (isset($_SESSION['submit_time']))
    {
         if ($_SESSION['submit_time'] >= (time() - 30))
         {
             die();
         }
    }
    $_SESSION['submit_time'] = time();
?>

jeroen 2010-05-27 19:14:59

all operetions did in client side are security fails cuz the user can hack

DomingoSL 2010-05-27 19:16:48

Your session variables are stored on server side and there are ways to protect your session if you are concerned about that.

jeroen 2010-05-27 19:18:28

FAIL............

DomingoSL 2010-05-27 19:21:09

@DomingoSL - In my opinion jeroen's answer is as of yet the only one which doesn't place too much trust in the client-side.

LeguRi 2010-05-27 19:34:38

Answer 2

A:

You could easily do this by having your mysql date be unix_time. Then you would do an insert statement with mktime().

This is the easiest by far way to check if it was done within 30 seconds as the unix time is a second count. So just do a number comparison, mktime() at post, and mktime() at 2nd post, subtract, if result is > 30, do whatever you need to.

Example: (as requested)

do initial INSERT of entry into database, for the DATE/TIME value in your table, use the result of mktime()

if the user tries to post again, check if post exists (or last entry, whatever), get the date (this will be in unix time format ex: '12456771411').

get the current unixtime and do something with it

$time = mktime();
if($time - $row['date'] > 30){
 allow them to post
} else {
 30 seconds didn't pass.. etc;
}

Jakub 2010-05-27 19:16:26

could you please give me an code example?

DomingoSL 2010-05-27 19:19:53

if you're going to change the column type, it would be better to change it to a datetime. That way all the rich datetime functions, including comparison functions and outputting specific text formats are available. And you don't run into epoch problems.

dnagirl 2010-05-27 19:36:38

Answer 3

+1 A:

If I understand you correctly, you wish to create a form that "expires" after 30 seconds?

I would create a hidden element in the form:

<input name="current_time" type="hidden" value="<?php echo time(); ?>"

You can then check this when the form is submitted:

<?php
if((time() - $_POST['current_time']) > 30) {
  echo "Time's up!";
} 
?>

You could also do it on the client using JavaScript to check on form submission -- but that would depend on the client's clock being roughly correct compared to the server...

Ken Keenan 2010-05-27 19:20:09

you dont understand me. i want to store the time and date in my data base when the form was send, if the user tries to send it again i need to compare the new date time with the one i storeged before to know if is 30 seconds greater.

DomingoSL 2010-05-27 19:24:11

Answer 4

+1 A:

If you insist on storing a text version of your datetime, I suggest that you also store a datetime version of your datetime. Then comparisons are easy.

Without javascript, the submission will still happen, but if your processing script uses an UPDATE query like

UPDATE mytable SET wordydatetime='$dayofmonthyearhourminutesecond' 
WHERE realdatetime< DATE_SUB(NOW(), INTERVAL 30 SECONDS) AND record_id=$x;

the update will fail if it is too recent.

ETA:

If you have more complex processing to do than just an update, a quick SELECT will let you determine whether to continue processing the form:

SELECT record_id FROM mytable 
  WHERE record_id=$x 
    AND realdatetime< DATE_SUB(NOW(), INTERVAL 30 SECONDS);

If you get no records back, it means that the form should not be processed.

dnagirl 2010-05-27 19:21:56

Answer 5

+5 A:

So you have something like...

<form action="wtv.php" method="POST">
    <input type="hidden" name="date" value="<?php echo date('l jS \of F Y h:i:s A'); ?>" />
    <input type="submit" />
</form>

... and when the user clicks on 'submit' you want to check if the 'date' input's value is from less than 30 seconds ago?

You could do this with something like Ken Keenan suggests... but the problem is that you can't trust the client input. In your comment on jeroen's answer you indicate an awareness that the client scripting is untrustworthy, but that's not limited to the scripting; if you really need this to be secure so that no one can submit this form more than 30 seconds after requesting the <form>, you have to do something else.

The problem is that what the server expects of the "date" input is predictable; if I visit your <form> and open up Firebug or even save the HTML document and open it in notepad, I can guess pretty easily how to update the <input /> so I can submit.

Instead use a token.

Randomly generate a kind of unique, random ID and store it in the session or the database...

$unique = md5(uniqid()).md5(time()); // there are better ways to get a unique random ID
$_SESSION['tokens'][$unique] = time();

Then include the token (not the date/time!) in the <form>...

<form action="wtv.php" method="POST">
    <input type="hidden" name="token" value="<?php echo htmlentities($unique); ?>" />
    <input type="submit" />
</form>

... and on submit check that the time from that token was less than 30 seconds away.

<?php
    // partially borrowed from Ken Keenan's answer...
    if((time() - $_SESSION['tokens'][$_POST['token']]) > 30) {
        echo "Time's up!";
    } 
?>

LeguRi 2010-05-27 19:31:28

Wow thats a good answer. Thanks!

DomingoSL 2010-05-27 19:35:54

ansaurus

tags:

views:

answers:

Wait 30 seconds in order to allow a new action on PHP and MySQL?

related questions