Help making unique submit key and tracking IP

IMP_TWI

I have a script which I will paste at the end of this post. What I'm trying to do is add 3 parts to this script to help me stop people from using refresh on pages and reposting duplicate data. First, I need to log their IP, and the "time" they submit their action, then update the DB with their IP, time, and a unique submit key that will be randomly generated on submit, to give the submit action a unique id, which'll force them to have to use the submit key instead of refreshing page. Any help is greatly appreciated.

<?
// CONFIG
//=========================================================================================
$cf_funeraltimer="2592000"; // how long funerals are shown for
$cf_flowercosts=array(
1 => "100",
2 => "500",
3 => "1000",
4 => "10000",
5 => "25000",
6 => "50000",
7 => "100000"
);

// FUNCTIONS
//=========================================================================================
function funeral_list () {
    global $cf_funeraltimer;
    global $prefix;
    $time=time();
    $limit=$time - $cf_funeraltimer;

$sql="SELECT * FROM $prefix.funeral_home WHERE dateofdeath > $limit ORDER BY dateofdeath DESC";	
$sql=mysql_query($sql);

if (mysql_num_rows ($sql) == 0) {
    echo "There are no current funerals in session.";
}
else {

	echo "<table width=50% align=center bgcolor=#2c0101 cellpadding=0>
	<tr bgcolor=#000000 valign=top>
	<td align=center width=25%>
	<font face=tahoma size=1 color=red><b>Who</b></font>
	</td>
	<td align=center>
	<font face=tahoma size=1 color=red><b>Date of Death</b></font>
	</td>
	<td align=center>
	<font face=tahoma size=1 color=red><b></b></font>
	</td>
	</tr>";	

	$color=1;
	while ($row=mysql_fetch_assoc($sql)) {
	    if ($color==1) {
	        $rowcolor="#333333";
	        $color=0;
	    }
	    else {
	        $rowcolor="#444444";
	        $color=1;
	    }

    	echo "<tr bgcolor=$rowcolor>
		<td align=center>
		<font face=tahoma size=1 color=#FFFFFF><b>" . $row[corpse] . "</b></font>
		</td>
		<td align=center>
		<font face=tahoma size=1 color=#FFFFFF>" . date('m/d/Y  h:i:s', $row[dateofdeath]) . "</font>
		</td>
		<td align=center>
		<font face=tahoma size=1 color=#FFFFFF><a href=driver.php?x=funeralhome&act=view&c=" . $row[corpse] . ">Go to Funeral</a></font>
		</td>
		</tr>";
	}

	echo "</table>";

}
}
function funeral_view ($corpse) {
global $prefix;
    $sql="SELECT * FROM $prefix.funeral_home WHERE corpse='$corpse'";
    $sql=mysql_query($sql);
    $deathinfo=mysql_fetch_array($sql);

echo "<center><font face=arial size=5 color=#FFFFFF><b>".$corpse."'s Funeral</b></font><br>
<font face=arial size=2>Died: " . date('m/d/Y  h:i:s', $deathinfo[dateofdeath]) . "<br>
Info on death: " . $deathinfo["infoondeath"] . "</center><br><br>";

echo "<center><font color=#FFFFFF face=arial size=3><a href=driver.php?x=funeralhome&act=leave&c=" . $corpse . "><b>Click here to leave a message</b></a></font><br><br>";

$sql="SELECT * FROM $prefix.funeral_home_messages WHERE corpse='$corpse' ORDER BY `timestamp` DESC";
$sql=mysql_query($sql);

if (mysql_num_rows($sql) < 1) {
    echo "There are currently no flowers at this funeral";
}
else {


    echo "<table width=450 align=center bgcolor=#333333 cellpadding=4>";		

    $color=1;
	while($row=mysql_fetch_assoc($sql))
	{
	    if ($color==1) {
	        $rowcolor="#333333";
	        $color=0;
	    }
	    else {
	        $rowcolor="#444444";
	        $color=1;
	    }

		echo "<tr bgcolor=$rowcolor>
		<td align=center colspan=2><font face=arial size=2 color=#FFFFFF><b>FROM: " . $row[from] . "</td>
		</tr>
		<tr bgcolor=$rowcolor>
		<td align=center><img src=images/game/church/funeralflowers/".$row[flowers].".jpg></td>
		<td align=center width=100%><font size=2>\"".$row[message]."\"</td>
		</tr>";
	}

	echo "</table></center>";
}

}
function pay_respects ($corpse,$msg) {
    global $stats_array;
    global $prefix;
    $msg=stripper($msg);

echo "<center><font color=red><b>";


    $sql="INSERT INTO $prefix.funeral_home_messages VALUES ('$corpse','$stats_array[nickname]','7','$msg','".time()."')";
    $sql=mysql_query($sql); 

    echo "Your message has been left for people to read.";


echo "</b></font><br><br><a href=driver.php?x=funeralhome&act=view&c=" . $corpse . ">Back to Funeral</a></center><br>";

funeral_view($corpse);
}
// PROCEEDURE
//=========================================================================================
echo"<table align=center width=95%><tr><td class=style1 align=center><font color=#FFFFFF face=arial><b>Funeral Home</b></font></td><tr><td class=style2>";
echo "<center><a href=driver.php?x=funeralhome><< Return to Funeral Home</a></center><br>";

if ($act=="") {
    funeral_list();
}
elseif ($act=="view" && $c) {
    funeral_view ($c);
    }
elseif ($act=="leave" && $c) {
    // leave message form
    echo "<br><br>
    <form action=driver.php?x=funeralhome&act=payrespects&c=$c method=post>
    <center><font face=arial size=5 color=#FFFFFF><b>Pay Respects to $c</b></font><br>
    <b>Message</b><br>
    <textarea name=msg cols=44 rows=15 style=\"FONT-WEIGHT: none; FONT-SIZE: 8pt; COLOR: #FFFFFF;  FONT-FAMILY: verdana; BACKGROUND-COLOR: #000000; border-color: #FFFFFF\"></textarea>
    <br>
<center><Br><br><input type=submit value=\"Pay Respects\"></form></center>";
}
elseif ($act=="payrespects" && $c) {
    pay_respects ($c,$msg);
}
?>

djjjozsi

did you see your action in the form?

driver.php?x=funeralhome&act=payrespects&c=$c method=post

why don't you use " around the form element's names?

The method=post will be inserted into the url...

to be sure that all variables has defined in your code, use the error reporting.
Did you set somewhere $c ?

 error_reporting(E_ALL);
 ini_set("display_errors", 1);

IMP_TWI

All the variables are defined in the main index or under a sub category which contains shortcuts of functions etc. I use global variables, the errors that it reports back aren't really errors since the functions are working correctly and are defined on another page that is included in every page that's updated through ajax.

What exactly did you mean by use " around form element?

I forgot to add the name of the fields in DB in my first post, but the fields are called chIP,chTIME, and chSUB on the table user_ch.

Weedpacket

All attribute values in all HTML elements are supposed to be quoted.

IMP_TWI

Not sure why I never quoted it but it was running fine so I never thought it mattered.

NogDog

In XHTML, all attribute values must be quoted. In HTML, attribute values may always be quoted, but do not have to be quoted unless there are spaces in the value (or any other character that might make it ambiguous where the value ends). The best/safest practice is to always quote attribute values and then never have to worry about it again.

djjjozsi

stop people from using refresh on pages and reposting duplicate

The simpliest way is the best. After you insert a new record, or update one, use the header location function to go back to the previous page, if you check the user inputs (if you don't check the required fields that's a big problem) then use an image activation, which is always changing with the page refresh, this method can filter the refreshed page, and gives you safer forms from spam bots.

The level one method is: write the microtime -stamp into a hidden value, and on submit save it into a session variable, lets check if that posted time-stamp has set before (with the session variable) if it is exists then block the insert/update.

IMP_TWI

How exactly would I do that? :S

djjjozsi

for example: phpcode here

IMP_TWI

Thanks 🙂