Form Editing

[Darkness]

Hey.There are people on my site who are using page editing to cheat. On my site, I use a this.disabled function to disable a button when clicked, so people can not click it multiple times. However, people are editing the source, and taking out the disabled part. Is there a way I can disable this or track it?I'm guessing that this can be achieved via Javascript, HTML, PHP, or a combination of them, however I am not sure.Thanks.

[justsomeguy]

You can probably track it somehow, depending what your application does when the button is clicked. If it sends an AJAX request to PHP then the PHP script can keep track of when the button was clicked using the session.

[Darkness]

Hmm.. well, I don't really know anything about AJAX. :S

[justsomeguy]

That was just an example of one thing you could do to track. What you will want to do will depend on what the button does.

[Darkness]

Well, here's an example of the form.

<form action='pagehere.php' method='POST'><input type='hidden' name='Submit' value='1'>Input stuff here.<input type='submit' value='Continue' onclick="this.disabled='true'; this.value='Please Wait...'; this.form.submit();\"></form>

The hidden input field is there because disabled submit fields can not have names.Basically, the form goes to a certain page, of course. That page adds data to the MySQL database. However, people can use source editing to change it to...

<input type='submit' value='Submit'>

That way, they can keep clicking the button rapidly, and the data will be added each time; which allows them to spam.

[justsomeguy]

The PHP page should use the session to keep track of the last time the form was submitted, and take the appropriate action.

[Darkness]

Oh, thanks!

[Praetorian]

Granted I'm not an expert, but it's possible that they're simply disabling javascript for their browser, which I'm guessing would throw a wrench into the way the script works. That's just a guess, but it's something you may want to look into.

[jhecht]

How about if they submit data you not let them go back to the page? What exactly is the issue with this though? If they go to a page through they form, it shouldn't matter if they click it that much, and even if they do, make it send you an email if a user posts more than 1 thing within a few seconds of each other, and also flag them so they can't do it... It's not that hard a process(well, then again, I am a relatively good PHP user... so i guess whats not so hard for me may be for others...). I'm sure we could all help you much more if we knew what else was going on. Is there any more Javascript involved? or what?

[Synook]

Justsomeguy's idea will work all the time (unless they write a script to click, delete cookies, click, delete cookies, etc).

[justsomeguy]

Right. And if they want to go through that much trouble there's not a lot you can do to stop them other then by associating a database record with their IP or something, and they can get around that too.