Protection against reprocessing a POST request

    Inspired by this topic.

    This post describes how I check in my projects whether POST or GET parameters have been submitted to a script more than once. When generating the form, I add a unique key to a hidden input and write that key to a log table. When the request reaches the script, the script performs the necessary actions and sets the received key's status to completed. From there it is simple: the script that receives the data checks whether the key has already been used.



    After that, you can return a 302 or a 303, as you prefer. Or return no redirect at all and simply show the user the result of the script (although that is methodologically less correct).
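
    The flow described above, as an added example that is not the author's own code. It assumes SQLite and hypothetical table and function names (form_log, payments, issue_token, handle_post), and goes one step beyond the text by folding the "is the key used" check and the status change into a single UPDATE, so two simultaneous submits of the same form cannot both pass the check.

```python
import secrets
import sqlite3


def open_db(path=":memory:"):
    # Hypothetical schema: form_log is the "log table", payments stands in for the real action.
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS form_log ("
        " token TEXT PRIMARY KEY,"
        " status TEXT NOT NULL DEFAULT 'issued',"
        " issued_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,"
        " done_at TEXT)"
    )
    db.execute("CREATE TABLE IF NOT EXISTS payments (amount INTEGER NOT NULL)")
    db.commit()
    return db


def issue_token(db):
    """Form generation: log a fresh unguessable key and return it for the hidden input."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO form_log (token) VALUES (?)", (token,))
    db.commit()
    return token


def handle_post(db, token, amount):
    """Run the action at most once per key; False means repeat or unknown key."""
    with db:  # one transaction: an exception rolls back and leaves the key unused
        claimed = db.execute(
            "UPDATE form_log SET status = 'done', done_at = CURRENT_TIMESTAMP"
            " WHERE token = ? AND status = 'issued'",
            (token,),
        )
        if claimed.rowcount != 1:
            return False  # already completed, or never issued by us
        db.execute("INSERT INTO payments (amount) VALUES (?)", (amount,))
    return True


if __name__ == "__main__":
    db = open_db()
    key = issue_token(db)  # constructed sample flow
    print(handle_post(db, key, 100))  # first submit
    print(handle_post(db, key, 100))  # browser refresh / resend
```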

    The method works not only for transactions, payments and the like, but for any operation on the database.

    The downside is a couple of additional database queries, but I consider an insert and the selection of a single record a non-critical cost for the sake of the script's overall security. I also use the method to keep work logs.

    The purpose of this post is to advise beginners to do the above; it takes only a few lines of code. Note also that the method makes sense when changes are made to the database or to files, that is, when repeated execution can affect data integrity.

    Thanks for your attention.
