Jump to content

The Form Submits Again on Page Reload - How to Avoid That?


Recommended Posts

The Script:

<h1>Do Add a Message to the MySQL Database</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
    <textarea name="message"></textarea>
    <br/>
    <input type="submit" name="submit"/>
</form>

<?php
// The Connection to the Database
// Taken Out

?>

<?php
// To insert the text data into the MySQL database.
if(isset($_POST['submit'])){

$tqs = "INSERT INTO messages (`message`) VALUES ('{$_POST['message']}')";

$tqr = mysqli_query($dbc, $tqs) or die(mysqli_error($dbc));

}

?>

<?php
// To select the text data from the MySQL database.
$tqs = "SELECT * FROM messages";
$tqr = mysqli_query($dbc, $tqs);


// To print out the text data inside of table on the page.
echo "<h1>This Is Where the Messages Gets Printed on Screen</h1>";
echo "<table><tr><td>ID</td><td>The Message</td></tr>";

while($row = mysqli_fetch_assoc($tqr)){

    echo "<tr><td>" . $row['id'] . "</td><td>" . $row['message'] . "</td></tr>";

}

echo "</table>";

?>

1. When I have added text with the form to the MySQL database...

2. ... and I have clicked on "page reload" in Firefox to reload the page...

3. ... then the before submitted text gets submitted again to the MySQL database.

 

So basically, add text with the form to the MySQL database, reload the page in Firefox, and the before added text will get submitted to the MySQL database again.

 

My Question Is:

What is the proper way to avoid this?

Edited by glassfish

Be sure that the data on the screen is wiped off upon completion?  Or as was suggested on another forum have a random token buried in your form and save it to a session var when you first save the data.  If that token then matches the session var you have already posted this data.

Be sure that the data on the screen is wiped off upon completion?

The data is already wiped off of the textarea. I think it gets added from the cache of the web browser.(?)

 

 

  Or as was suggested on another forum have a random token buried in your form and save it to a session var when you first save the data.  If that token then matches the session var you have already posted this data.

Can you provide a link, please?

 

I thought more people come across this issue and I was looking for a proper way to have this issue taken care of.

Can you check this script please. It looks like the token id's do not match with this:

 

I tried to echo it out and I am getting two different token ID's. Why?

Example:

The token ID does not match.
54340807202db
543407b9cffd4

The Script:

<?php

session_start();

$token_id = uniqid();

$_SESSION['token_id'] = $token_id;





?>


<h1>Do Add a Message to the MySQL Database</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
    <textarea name="message"></textarea>
    <input type="hidden" name="token_id" value="<?php echo $token_id; ?>"/>
    <br/>
    <input type="submit" name="submit"/>
</form>

<?php
// The Connection to the Database
// Taken Out

?>

<?php
// To select the text data from the MySQL database.
$tqs = "SELECT * FROM messages";
$tqr = mysqli_query($dbc, $tqs);

// To print out the text data inside of table on the page.
echo "<h1>This Is Where the Messages Gets Printed on Screen</h1>";
echo "<table><tr><td>ID</td><td>The Message</td></tr>";

while($row = mysqli_fetch_assoc($tqr)){

    echo "<tr><td>" . $row['id'] . "</td><td>" . $row['message'] . "</td></tr>";

}

echo "</table>";

?>

<?php

// To insert the text data into the MySQL database.
if(isset($_POST['submit']) && isset($_POST['token_id']) && isset($_SESSION['token_id'])){

        if($_POST['token_id'] == $_SESSION['token_id']){

            $tqs = "INSERT INTO messages (`message`) VALUES ('{$_POST['message']}')";

            $tqr = mysqli_query($dbc, $tqs) or die(mysqli_error($dbc));

        }else {
            echo "The token ID does not match.";
        }
}else{
        echo "Is not set.";

}

?>

Edited by glassfish

Or as was suggested on another forum have a random token buried in your form and save it to a session var when you first save the data If that token then matches the session var you have already posted this data.

How to accomplish the part I have put in bold? My script is one post above this.

your code is currently generating a new unique id that replaces the previous one before you run the form processing code, so of course the values will never match.

 

your form processing code needs to be positioned in your .php file before any code that displays the data on the page and before you display the form.

 

there are four reasons for this -

 

1) so that any new data that was just inserted into the database table will appear when you display the data from the database table on the page (assuming you are not redirecting after processing the form data.)

 

2) so that any form validation errors can be displayed when you re-display the form.

 

3) so that the unique id that was generated right before the form was output  will still be in the session variable when the form processing code runs.

 

4) so that the second thing mentioned in that linked to thread, of redirecting after you have successfully processed the form data, can occur, since you cannot output anything to the browser prior to using a header() redirect.

 

your form processing code needs to be positioned in your .php file before any code that displays the data on the page and before you display the form.

Sorry if I am not quite understanding this part.

Which is the "form processing code"?

i'm not sure if this is an English language problem and you don't understand the meaning of the words or if you don't understand your code.

 

the form processing code is the code that receives the form data and does something with it. in your case, it is inserting a row into a database table. your form processing code starts with the comment - 

// To insert the text data into the MySQL database.

Just do a redirect, for heaven's sake.

 

This “token” stuff is nonsense, at least the implementation that has been suggested. When will developers finally realize that people use multiple tabs in their browser? If I submit the form in two different tabs and then reload the first tab, I again end up with a duplicate submission, because the application has forgotten the first token and lets me use it again.

 

If at all, you need a nonce (a number used only once). But this is much more complex than storing some uniqid() string in the session.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.