form security

[OLM3CA]

hello.
I have a form including name,surname,age etc... If the user miss one of them,the form alerts the user that he/she missed a part but when they fill all of them and submits the form,The form submitted.but the problem is when you refresh page everytime the page submitted with the same datas.

I use

[code]$_POST['name'] = "";
$_POST['surname'] ="";
$_POST['age'] = "";[/code]

after if the form values entered.
But nothing changes.if you refresh the page ,the form submitted everytime it refreshed.

[willfitch]

A quick fix to this could be the following scenario:

Let's assume your script name is called contact.php. 

1. Make your POSTed form action contact.php?somethere_here
2. Once validation is complete, and the user has passed, insert the data and header back to contact.php.

[OLM3CA]

I am including this page in index.php and form action is :

[code]action="index.php?page=newpost"[/code]

How can I do ? and can you tell me how can header back to page header("Location: contact.php"); ???

[craygo]

Using php you have to submit the form and the server will check for errors according to your code. If you want just a simple check you can use javascript to check for blank field data. This will check before the form is submitted.

This guys has some good tutorials for javascript as well as some basic php stuff

http://www.tizag.com/javascriptT/javascriptform.php

Ray

[OLM3CA]

I think you dont exactly understand my question.My problem is not with the control of form values.My problem is when the form is correctly filled and submitted.Its ok but after you REFRESH the page ıt submits those values again and again with refreshing the page

[craygo]

O I see. Well the first thing would be to put a check in your insert query to see if the value is there already. e-mail would be a good thing to use

[code]<?php
if(isset($_POST['submit'])){  // checks to see if form has been submitted
$email = $_POST['email'];
$sql = "SELECT * FROM tablename WHERE email_field = '$email'";
  $res = mysql_query($res) or die (mysql_error());
    $num_rows = mysql_num_rows($res);
if($num_rows > 0){
echo "Name already exists in the database";
} else {
// do your insert query here
}
} else {
// Show your form below or whatever

}[/code]

Ray

[OLM3CA]

Thank you very much Its ok now.

[roopurt18]

There are a few ways you could go about handling this situation depending on the nature of the form.

My understanding is that there are limitations depending on the database fields and how they're defined, but usually requiring that some combination of data be unique within your table will solve this problem.