
Form Double Submission


HenryC


Hello there. I am making a sub4sub site for a small community of people and have a sub4sub page where users can sub to people. Once they click the sub button on their name, a new record gets added to the subscriber database and the member whom they subscribed to goes off the list. But recently I have noticed that there have been a lot of double submissions; like if I check my database:

fred has subscribed to paul

there could be 20 of that exact row. How is that, when the button goes away as soon as they click it the first time?


Forgot to add in some code.

Show the members who can be subscribed:

```php
<?php
$query = "SELECT * FROM users WHERE subcreds > 0 AND username NOT IN (SELECT subscriber_username FROM subscribers WHERE my_id = '$id') ORDER BY RAND() LIMIT 6";
$sql = mysql_query($query) or trigger_error($query . ' has an error:<br />' . mysql_error());
?>
<div class="ssubs">
<?php
while ($row = mysql_fetch_assoc($sql)) {
?>
<center>
<div class="subs">
<img src="sub.jpeg" height="64"><br>
<?php echo mysql_real_escape_string($row['subchannel']); ?><br>
<form action="sub4sub.php?id=<?php echo mysql_real_escape_string($row['id']); ?>" method="POST">
<input type="submit" name="sub" value="Sub" style="background: white; border: none;">
</form>
</div>
</center>
<?php
} // end while
?>
</div>
```

After hitting submit:

```php
<?php
if (isset($_POST['sub'])) {

    include("connect.php");

    $id = mysql_real_escape_string($_GET['id']);
    $sql = mysql_query("SELECT * FROM users WHERE id= $id");
    $row = mysql_fetch_assoc($sql);
    $usersub = $row['username'];
    $ytkb = mysql_real_escape_string($row['subchannel']);
    $subscriberusername = mysql_real_escape_string($row['username']);

    // youtube stuff

    try {
        $yt->insertEntry($newSubscription, $subscriptionsFeedUrl);
        $myid = $_SESSION['id'];
        $time = date("Y-m-d H:i:s");

        $sqlt = "SELECT * FROM subscribers WHERE my_username = '$username' AND subscriber_username = '$usersub'";

        // num rows check: only insert when no matching row exists
        if (mysql_num_rows(mysql_query($sqlt)) == 0) {

            $sqlkb = mysql_query("INSERT INTO subscribers VALUES('','$myid','$user','$id','$subscriberusername','$time')");
            $sqlq = mysql_query("UPDATE users SET subcreds=subcreds+1 WHERE username = '$user'");
            $sqlk = mysql_query("UPDATE users SET subcreds=subcreds-1 WHERE id = $id");
            header("Location: sub4sub.php");
        } else {
            header("Location: sub4sub.php");
        }
    }
    catch (Zend_Gdata_App_HttpException $e)
    {

        $sqlt = "SELECT * FROM subscribers WHERE my_username = '$username' AND subscriber_username = '$usersub'";

        if (mysql_num_rows(mysql_query($sqlt)) == 0) {

            $time = date("H:i:s");
            $sql = mysql_query("INSERT INTO subscribers VALUES('','$myid','$user','$id','$subscriberusername','$time')");
            header("Location: sub4sub.php");
        } else {
            header("Location: sub4sub.php");
        }
    }
} // end if (isset($_POST['sub']))
?>
```

I even have a num rows check to make sure there can only be one row, so I don't know what the problem is?


> I even have a num rows check

Yes, but you have nested the mysql_query() statement inside of it, so you have no way to check if the query executed without any errors, and you will get the same result from mysql_num_rows() for a failed query and for a query that simply matched zero rows.

A) You must always check if a query worked or not before you attempt to access any of the information from that query. There are very few cases where you should nest function calls like that, and certainly not when an inner function call can fail due to an error.

B) In the code you posted, $username is not being set to any value, and the SELECT query won't match anything. Did you intend to match the $myid value against an id column in the table? You are also using the non-escaped $usersub username in that same query, which will produce a query error if the username happens to contain a SQL special character.

You have variables in the code you posted that are not being assigned any value, that are being assigned a value but that you are not using, and that exist both as an escaped and a non-escaped version. You need to go through your logic and variables and make sure your code is doing what you expect.


I have all my variables assigned to a value; I just didn't add that to the code here. I forgot to escape the new piece of code I added. The problem is, when there is not a row the query will fail and give me a num rows error, which is why I nested it around the mysql_query. How can I test it without the num rows having a variable? And when the num does have a variable, it will give out an error if no records are found.

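As an added example (not HenryC's code and not from anyone in the thread), the following subscribe handler shows the two fixes the replies above point at: check the result of every query before calling num_rows on it, so an error and a zero-row match are distinguishable, and stop duplicate rows at the database and at the form rather than relying on the button disappearing. It assumes mysqli on PHP 7 or later, a `subscribers` table with a UNIQUE key on `(my_id, subscriber_id)`, and hypothetical column names; those are assumptions of the example, not details from the thread.

```php
<?php
// Added example, not the original poster's code.
// Assumed schema (not from the thread; column names are illustrative):
//   CREATE TABLE subscribers (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     my_id INT NOT NULL, subscriber_id INT NOT NULL, created_at DATETIME NOT NULL,
//     UNIQUE KEY uniq_pair (my_id, subscriber_id));

session_start();

// Failed queries throw mysqli_sql_exception instead of returning false,
// so mysqli_num_rows() is never called on a failed query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'user', 'password', 'sub4sub'); // placeholder credentials

/** Issue a one-time token for the subscribe form (embed it as a hidden input). */
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_tokens'][$token] = true;
    return $token;
}

/** Consume a token; returns false for a replayed or unknown token. */
function consume_form_token(?string $token): bool {
    if ($token === null || !isset($_SESSION['form_tokens'][$token])) {
        return false;
    }
    unset($_SESSION['form_tokens'][$token]); // a second submit with the same token fails here
    return true;
}

/**
 * True if the pair already exists. A query that matches nothing returns 0 rows;
 * a query that fails throws, so the two cases can no longer be confused.
 */
function already_subscribed(mysqli $db, int $myId, int $subscriberId): bool {
    $stmt = $db->prepare('SELECT 1 FROM subscribers WHERE my_id = ? AND subscriber_id = ?');
    $stmt->bind_param('ii', $myId, $subscriberId);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

/** Insert the subscription and move the credit; the UNIQUE key is the final guard. */
function subscribe(mysqli $db, int $myId, int $subscriberId): string {
    if (already_subscribed($db, $myId, $subscriberId)) {
        return 'already subscribed';
    }
    $db->begin_transaction();
    try {
        $stmt = $db->prepare('INSERT INTO subscribers (my_id, subscriber_id, created_at) VALUES (?, ?, NOW())');
        $stmt->bind_param('ii', $myId, $subscriberId);
        $stmt->execute();
        $stmt->close();

        $stmt = $db->prepare('UPDATE users SET subcreds = subcreds + 1 WHERE id = ?');
        $stmt->bind_param('i', $myId);
        $stmt->execute();
        $stmt->close();

        $stmt = $db->prepare('UPDATE users SET subcreds = subcreds - 1 WHERE id = ? AND subcreds > 0');
        $stmt->bind_param('i', $subscriberId);
        $stmt->execute();
        $stmt->close();

        $db->commit();
        return 'subscribed';
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        if ((int) $e->getCode() === 1062) { // ER_DUP_ENTRY: two submits raced; the UNIQUE key rejected the second
            return 'already subscribed';
        }
        throw $e;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['sub'])) {
    if (!consume_form_token($_POST['token'] ?? null)) {
        http_response_code(400);
        exit('duplicate or stale form submission');
    }
    $myId = (int) $_SESSION['id'];
    $subscriberId = (int) ($_GET['id'] ?? 0);
    subscribe($db, $myId, $subscriberId);
    header('Location: sub4sub.php', true, 303); // redirect after POST so a refresh cannot resubmit
    exit;
}
```

The list page would render each form with `<input type="hidden" name="token" value="<?= htmlspecialchars(issue_form_token()) ?>">`. Three layers overlap on purpose: the token stops a browser replay or double click, the SELECT keeps the normal path cheap, and the UNIQUE key is what actually guarantees one row per pair even when two requests arrive at the same instant, which is the case a num_rows check alone can never cover.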