(PHP) Is handling form submission on the same page better, worse, or just as good as handling it on a separate page?

Problem description:

I have a PHP form, and I'm wondering how I should handle submission. I remember when learning Rails that the behavior was to have a special handler page for a form, which then redirected the user to a landing page, which would prevent the user from accidentally re-submitting data by hitting the back button and going back to the form submission page.

For my PHP form, to avoid such errors (and for security, however it might play in) is it also best to send the form data via POST to a handling page, which then redirects the user? Or would it be OK to just handle the form data on the same page as the form? If I did the latter, is it possible for a user to accidentally resubmit data by hitting back/refresh/etc.?


Post-Redirect-Get is the design pattern recommended for web forms to prevent resubmission (and is what you used in Rails).

It doesn't really matter if you submit to the same page or a different one, it's the redirect which prevents the accidental resubmission. You can therefore choose whether to post to the same page or a separate page depending on your coding style and/or application semantics.

The same principles apply to PHP. Redirection can help against accidental form refreshing. However, you still should take whatever precautions are necessary to avoid problems from accidental refreshing (e.g., using single use tokens, validating the input, etc).

I use my own MVC style of framework that simply has the dispatcher look for form posts on every page view and calls the appropriate controller that can process the request (assuming the submit-only-once requirements were met). It then redirects the browser to the appropriate landing page.
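The two answers above describe Post-Redirect-Get and single-use tokens in the abstract. The following is an added example, not code from any answer on this page, showing both on a single PHP page: the POST branch consumes a session-bound one-time token, processes the data at most once, and answers with a 303 redirect so that back/refresh/resend never replays the submission. The `saveMessage()` function is a hypothetical placeholder for whatever the application does with the data; PHP sessions are assumed to be available.

```php
<?php
// Added example (not from any answer on this page): Post-Redirect-Get on a
// single page, with a single-use form token kept in the session so that a
// replayed POST (back button, refresh, "resend") is rejected rather than
// processed a second time. Assumes PHP sessions are available.

session_start();

// Hypothetical persistence step; a real application would write to a database.
function saveMessage(string $message): void {
    error_log("saved: " . $message);
}

// Issue a fresh random token for the next form render and remember it server-side.
function issueFormToken(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Validate and discard the token in one step. Whether or not it matches, the
// stored value is removed, so the same token can never be accepted twice.
function consumeFormToken(?string $submitted): bool {
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeFormToken($_POST['token'] ?? null)) {
        // Missing or already-used token: a duplicate or replayed submission.
        $_SESSION['flash'] = 'This form was already submitted.';
    } else {
        // Validate the input; the token only proves "not a replay", not "well-formed".
        $message = trim((string)($_POST['message'] ?? ''));
        if ($message === '' || strlen($message) > 500) {
            $_SESSION['flash'] = 'Please enter a message of at most 500 characters.';
        } else {
            saveMessage($message);
            $_SESSION['flash'] = 'Thanks, your message was saved.';
        }
    }
    // The "Redirect" step: 303 makes the browser follow with a GET, so a refresh
    // of the landing page re-requests the page instead of re-sending the POST body.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

// GET branch: render the form with a new token and any message left by the redirect.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
$token = issueFormToken();
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($flash !== null): ?>
  <p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
</body>
</html>
```

Two design points worth noting: the token is removed from the session before it is compared, so even a request that arrives while the first one is still being processed cannot be accepted a second time with the same value; and because the token is bound to the visitor's session and compared with `hash_equals()`, the same mechanism doubles as a cross-site request forgery check, which is the "single use tokens" precaution the second answer mentions. The `exit` after `header()` matters: without it PHP would continue rendering the page body after the redirect header, which is wasted work at best and leaks state at worst.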

You can post to the same page, of course, but I think it will lead to bad practices, such as mixing too much logic, html, and database access together.

There's a third way to go about this that I am particularly fond of. In an effort to separate logic from presentation, I like to include a PHP file with every HTML document that requires processing of some kind (such as displaying dynamic data, handling HTTP POST requests etc.). I generally store this file in a separate directory and name it "filename.page.php". Needless to say, this is nothing more than a coding convention and you may want to call it something else.

In a sense, this means you're handling the HTTP POST request in the same file (at least as far as your web server is concerned). You can redirect clients anyway, though, by using the HTTP Location header like so:

header("Location: file.php"); // send the redirect, then stop so nothing else is output
exit;

As a side note, I wouldn't depend upon HTTP POST for security; it is no harder to make arbitrary HTTP POST requests than HTTP GET requests.