Wait 30 seconds in order to allow a new action on PHP and MySQL?

Question

In my web page a user fill a form who send information to a MySql database. One of the data inputs sent is a date/time, in the format date('l jS \of F Y h:i:s A'); (I can change the format as needed)

So when the user submits the form I want to check if the actual time/date is 30 seconds more than the sent time/date in order to allow or not the submission of the form. Thanks!

Answer 1

So you have something like...

<form action="wtv.php" method="POST">
    <input type="hidden" name="date" value="<?php echo date('l jS \of F Y h:i:s A'); ?>" />
    <input type="submit" />
</form>

... and when the user clicks on 'submit' you want to check if the 'date' input's value is from less than 30 seconds ago?

You could do this with something like Ken Keenan suggests... but the problem is that you can't trust the client input. In your comment on jeroen's answer you indicate an awareness that the client scripting is untrustworthy, but that's not limited to the scripting; if you really need this to be secure so that no one can submit this form more than 30 seconds after requesting the <form>, you have to do something else.

The problem is that what the server expects of the "date" input is predictable; if I visit your <form> and open up Firebug or even save the HTML document and open it in notepad, I can guess pretty easily how to update the <input /> so I can submit.

Instead use a token.

Randomly generate a kind of unique, random ID and store it in the session or the database...

$unique = md5(uniqid()).md5(time()); // there are better ways to get a unique random ID
$_SESSION['tokens'][$unique] = time();

Then include the token (not the date/time!) in the <form>...

<form action="wtv.php" method="POST">
    <input type="hidden" name="token" value="<?php echo htmlentities($unique); ?>" />
    <input type="submit" />
</form>

... and on submit check that the time from that token was less than 30 seconds away.

<?php
    // partially borrowed from Ken Keenan's answer...
    if((time() - $_SESSION['tokens'][$_POST['token']]) > 30) {
        echo "Time's up!";
    } 
?>

Answer 2

You can store the submit time in a session variable (regardless of your own date format, just store the result of time() on your server) and check if that variable is set before you take any action on submit.

If you want disallow submit on the browser side, you will need javascript.

example (overly verbose for clarity):

<?php
    session_start();

    if (isset($_SESSION['submit_time']))
    {
         if ($_SESSION['submit_time'] >= (time() - 30))
         {
             die();
         }
    }
    $_SESSION['submit_time'] = time();
?>