Jump to content

The Form Submits Again on Page Reload - How to Avoid That?

glassfish

By glassfish
in PHP Coding Help

 Share

Recommended Posts

glassfish Regular Member

glassfish

Posted
Posted (edited)

The Script:

<h1>Do Add a Message to the MySQL Database</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
    <textarea name="message"></textarea>
    <br/>
    <input type="submit" name="submit"/>
</form>

<?php
// The Connection to the Database
// Taken Out

?>

<?php
// To insert the text data into the MySQL database.
if(isset($_POST['submit'])){

$tqs = "INSERT INTO messages (`message`) VALUES ('{$_POST['message']}')";

$tqr = mysqli_query($dbc, $tqs) or die(mysqli_error($dbc));

}

?>

<?php
// To select the text data from the MySQL database.
$tqs = "SELECT * FROM messages";
$tqr = mysqli_query($dbc, $tqs);


// To print out the text data inside of table on the page.
echo "<h1>This Is Where the Messages Gets Printed on Screen</h1>";
echo "<table><tr><td>ID</td><td>The Message</td></tr>";

while($row = mysqli_fetch_assoc($tqr)){

    echo "<tr><td>" . $row['id'] . "</td><td>" . $row['message'] . "</td></tr>";

}

echo "</table>";

?>

1. When I have added text with the form to the MySQL database...

2. ... and I have clicked on "page reload" in Firefox to reload the page...

3. ... then the before submitted text gets submitted again to the MySQL database.

 

So basically, add text with the form to the MySQL database, reload the page in Firefox, and the before added text will get submitted to the MySQL database again.

 

My Question Is:

What is the proper way to avoid this?

Edited by glassfish
Link to comment
Share on other sites
ginerjm Prolific Member

ginerjm

Posted
Posted

Be sure that the data on the screen is wiped off upon completion?  Or as was suggested on another forum have a random token buried in your form and save it to a session var when you first save the data.  If that token then matches the session var you have already posted this data.

Link to comment
Share on other sites
glassfish Regular Member

glassfish

Posted
  • Author
Posted

Be sure that the data on the screen is wiped off upon completion?

The data is already wiped off of the textarea. I think it gets added from the cache of the web browser.(?)

 

 

  Or as was suggested on another forum have a random token buried in your form and save it to a session var when you first save the data.  If that token then matches the session var you have already posted this data.

Can you provide a link, please?

 

I thought more people come across this issue and I was looking for a proper way to have this issue taken care of.

Link to comment
Share on other sites
glassfish Regular Member

glassfish

Posted
  • Author
Posted (edited)

Can you check this script please. It looks like the token id's do not match with this:

 

I tried to echo it out and I am getting two different token ID's. Why?

Example:

The token ID does not match.
54340807202db
543407b9cffd4

The Script:

<?php

session_start();

$token_id = uniqid();

$_SESSION['token_id'] = $token_id;





?>


<h1>Do Add a Message to the MySQL Database</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
    <textarea name="message"></textarea>
    <input type="hidden" name="token_id" value="<?php echo $token_id; ?>"/>
    <br/>
    <input type="submit" name="submit"/>
</form>

<?php
// The Connection to the Database
// Taken Out

?>

<?php
// To select the text data from the MySQL database.
$tqs = "SELECT * FROM messages";
$tqr = mysqli_query($dbc, $tqs);

// To print out the text data inside of table on the page.
echo "<h1>This Is Where the Messages Gets Printed on Screen</h1>";
echo "<table><tr><td>ID</td><td>The Message</td></tr>";

while($row = mysqli_fetch_assoc($tqr)){

    echo "<tr><td>" . $row['id'] . "</td><td>" . $row['message'] . "</td></tr>";

}

echo "</table>";

?>

<?php

// To insert the text data into the MySQL database.
if(isset($_POST['submit']) && isset($_POST['token_id']) && isset($_SESSION['token_id'])){

        if($_POST['token_id'] == $_SESSION['token_id']){

            $tqs = "INSERT INTO messages (`message`) VALUES ('{$_POST['message']}')";

            $tqr = mysqli_query($dbc, $tqs) or die(mysqli_error($dbc));

        }else {
            echo "The token ID does not match.";
        }
}else{
        echo "Is not set.";

}

?>
Edited by glassfish
Link to comment
Share on other sites
glassfish Regular Member

glassfish

Posted
  • Author
Posted

Or as was suggested on another forum have a random token buried in your form and save it to a session var when you first save the data If that token then matches the session var you have already posted this data.

How to accomplish the part I have put in bold? My script is one post above this.

Link to comment
Share on other sites
mac_gyver Prolific Member

mac_gyver

Posted
Posted

your code is currently generating a new unique id that replaces the previous one before you run the form processing code, so of course the values will never match.

 

your form processing code needs to be positioned in your .php file before any code that displays the data on the page and before you display the form.

 

there are four reasons for this -

 

1) so that any new data that was just inserted into the database table will appear when you display the data from the database table on the page (assuming you are not redirecting after processing the form data.)

 

2) so that any form validation errors can be displayed when you re-display the form.

 

3) so that the unique id that was generated right before the form was output  will still be in the session variable when the form processing code runs.

 

4) so that the second thing mentioned in that linked to thread, of redirecting after you have successfully processed the form data, can occur, since you cannot output anything to the browser prior to using a header() redirect.

Link to comment
Share on other sites
mac_gyver Prolific Member

mac_gyver

Posted
Posted

i'm not sure if this is an English language problem and you don't understand the meaning of the words or if you don't understand your code.

 

the form processing code is the code that receives the form data and does something with it. in your case, it is inserting a row into a database table. your form processing code starts with the comment - 

// To insert the text data into the MySQL database.
Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted

Just do a redirect, for heaven's sake.

 

This “token” stuff is nonsense, at least the implementation that has been suggested. When will developers finally realize that people use multiple tabs in their browser? If I submit the form in two different tabs and then reload the first tab, I again end up with a duplicate submission, because the application has forgotten the first token and lets me use it again.

 

If at all, you need a nonce (a number used only once). But this is much more complex than storing some uniqid() string in the session.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.