Only load page if

I have a form that is submitted to another page for processing .
Id like to prevent people from simply hitting refresh a bunch of times once the form has been submitted to prevent anyone fooling around trying to waste the PHP bandwidth on the server. So can I do something like

$referer = $_SERVER['HTTP_REFERER']; 

if ($referer == '') 

echo "Nice try, IDIOT";

What you are looking for is flood protection and there are a number of ways to go about it.


The best way IMO is just redirect the user away from the form once the php (or what have) is done processing the data and even disable the submit button (or take them away before the processing is done). Like already stated there are many ways to prevent users from doing this.

You should not rely on HTTP_REFERER since it can be faked easily
Instead, implement basic CSRF protection for your form

Here is how:

  1. Generate some random token before showing the form to user;

  2. Save that token in the session;

    $csrf_token = md5(microtime() . rand(0, 9999));
    $_SESSION[‘csrf_token’] = $csrf_token;

  3. Add hidden input to the form, containing that token;

  4. When form is submitted check if token from hidden input is the same as session’s one

  5. Remove token from the session

    if ( form is submitted ){

     if (empty($_SESSION['csrf_token']) || $_POST['token'] != $_SESSION['csrf_token']){
         // this form is bad, we shouldn't trust it
     // all good, proccess form data as usual


This will guarantee two things:

  1. Your form cannot be submitted many times by refreshing a page (flood protection);
  2. Nobody can submit your form from another site (CSRF protection)

Second this.

if ($_POST){

Will stop refresh exploit (all browser requests are GET) however it won’t help with cURL.

Say what? edit:


Not clear granted. What I mean is by default if view a url (unless submitted from a form) it will be a GET request.

thank you!

Don’t use isset($_POST['submit']). Read this article.

Then read this one.

I’ve noticed that a lot of people who use isset($_POST['submit']) all still use MySQL_*. So bad practice with deprecated functions = not a very secure website.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.