authorivan <ivan>2002-02-10 18:56:49 +0000
committerivan <ivan>2002-02-10 18:56:49 +0000
commitddb53fcc9fc80561354b97e4e7803004990138d0 (patch)
tree350d10f3dd5f824cb14455172fab8e8ffe3584b5 /httemplate
parentb05f4d252a27eab0a6fa8212abf920c0fa24a509 (diff)
use unique tokens to prevent double-submission of payments in the web UI
(closes: Bug#320)
Diffstat (limited to 'httemplate')
-rw-r--r--httemplate/docs/upgrade8.html3
-rwxr-xr-xhttemplate/edit/cust_pay.cgi7
2 files changed, 8 insertions, 2 deletions
diff --git a/httemplate/docs/upgrade8.html b/httemplate/docs/upgrade8.html
index b243eba75..2c7008a6c 100644
--- a/httemplate/docs/upgrade8.html
+++ b/httemplate/docs/upgrade8.html
@@ -192,6 +192,9 @@ CREATE INDEX cust_credit_refund1 ON cust_credit_refund ( crednum );
CREATE INDEX cust_credit_refund2 ON cust_credit_refund ( refundnum );
CREATE UNIQUE INDEX cust_pay_batch_pkey ON cust_pay_batch ( paybatchnum );
CREATE UNIQUE INDEX part_svc_column1 ON part_svc_column ( svcpart, columnname );
+CREATE INDEX cust_pay2 ON cust_pay ( paynum );
+CREATE INDEX cust_pay3 ON cust_pay ( custnum );
+CREATE INDEX cust_pay4 ON cust_pay ( paybatch );
</pre>
<li>If you are using PostgreSQL, apply the following changes to your database:
diff --git a/httemplate/edit/cust_pay.cgi b/httemplate/edit/cust_pay.cgi
index 27d36eb54..f6ae7b299 100755
--- a/httemplate/edit/cust_pay.cgi
+++ b/httemplate/edit/cust_pay.cgi
@@ -32,6 +32,8 @@ if ( $cgi->param('error') ) {
}
my $_date = time;
+my $paybatch = "webui-$_date-$$-". rand() * 2**32;
+
my $p1 = popurl(1);
print header("Post payment", '');
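Review bot: The token built on the added `my $paybatch` line multiplies `rand()` by `2**32` and concatenates the resulting float, so the hidden value carries a decimal fraction (constructed example: `webui-<time>-<pid>-1234567890.12345`) rather than the integer suffix the form presumably intends; `my $paybatch = "webui-$_date-$$-". int(rand(2**32));` gives a clean integer. The token also exposes the server's PID and generation time to the browser; an opaque digest of the same inputs would avoid that without losing uniqueness. This hunk only mints the token and the second hunk only places it in a hidden field, so the actual double-submission guard must live in the script that processes the form, which is not part of this commit; if that guard is a select-then-insert on paybatch, two concurrent submits of the same form can both pass, and the `cust_pay4` index added in the docs hunk is not UNIQUE, so the database will not stop that either.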
@@ -111,11 +113,12 @@ print qq!<TR><TD ALIGN="right">Check #</TD><TD BGCOLOR="#ffffff"><INPUT TYPE="te
print qq!<TR><TD ALIGN="right">Auto-apply<BR>to invoices</TD><TD><SELECT NAME="apply"><OPTION VALUE="yes" SELECTED>yes<OPTION>no</SELECT></TD>!;
+print "</TABLE>";
+
#paybatch
-print qq!<INPUT TYPE="hidden" NAME="paybatch" VALUE="">!;
+print qq!<INPUT TYPE="hidden" NAME="paybatch" VALUE="$paybatch">!;
print <<END;
-</TABLE>
<BR>
<INPUT TYPE="submit" VALUE="Post payment">
</FORM>