mlukac89 Posted April 20, 2017

Hi, I have a problem, as the title says, with form resubmission. I think all know what I mean. When I process the form, I redirect to another page, and if I hit the back button in the browser it gives me a page with "Confirm form resubmission", and if I press F5 I get a pop-up window and it processes the form again even if I unset($_POST); the data.

<?php
include '../config.php';

// process form
if (isset($_POST['submit'])) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    $email    = trim($_POST['email']);

    // check if username is in use
    if ($users->user_exists($username) === true) {
        $error = '<div class="alert alert-warning alert-dismissible fade-in">
            <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
            Username in use, please choose another one.
        </div>';
    // check if email already registered
    } elseif ($users->email_exists($email) === true) {
        $error = '<div class="alert alert-warning alert-dismissible fade-in">
            <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
            Email in use, please choose another one.
        </div>';
    } else {
        $error = "success";
        // unset post variables
        unset($_POST);
        header("refresh:5;url=users.php");
        exit();
    }
}
?>
benanamen Posted April 20, 2017

PRG is your answer. POST, REDIRECT, GET. Look it up.
Jacques1 Posted April 20, 2017

Get rid of the refresh stuff and use a Location header instead. See Post/Redirect/Get.

Your name and e-mail checks are bogus, and they allow anybody to check if a particular e-mail address is registered at your site. This is a privacy violation.
mlukac89 (Author) Posted April 20, 2017

This is an admin script, when adding a user, to check if the email exists, and why is it bogus? It's normal on a registration site too that you give a message to a user that the email is in use. Where is the problem? This is in class Users:

public function email_exists($email)
{
    $query = $this->db->prepare("SELECT email FROM users WHERE email = :email");
    $query->bindParam(':email', $email);
    $query->execute();

    if ($query->rowCount() > 0) {
        return true;
    } else {
        return false;
    }
}
Jacques1 Posted April 20, 2017

It is not normal to expose the e-mail address of your users. This is private data. Imagine a website for, say, drug addicts stating “Yup, joe.blow@example.com is one of our users.” Clearly that's a problem. Even if you're dealing with a less sensitive topic, it's still your responsibility to protect the personal data of your users. This means not giving it away, neither directly nor indirectly.

If you want to tell the user that the e-mail address is already registered, send them an e-mail. Then only the legitimate owner will get the message.

Both checks are also subject to time-of-check-to-time-of-use race conditions. If two users ask for the same unused name at the same time, they both get it, because the check happens before the insertion. You need to do the check and the insertion in a single atomic operation. MySQL can do that for you: Just make the columns UNIQUE, do the insertion, then catch all errors triggered by a violation of the UNIQUE constraint. As pseudo code:

try:
    insert_data()
catch constraint violation:
    if duplicate name:
        print("Sorry, this name is already taken.")
    if duplicate email address:
        send_email("You are already registered with this address. Did you forget your password?")
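The pseudo code above turned into PHP with PDO, as an added example that is not code from this thread or from any of its posters: it assumes a PDO connection in $db, a users table whose username and email columns carry UNIQUE indexes named uq_username and uq_email, and a hypothetical send_already_registered_email() helper.

```php
<?php
// Added example: atomic insert that relies on UNIQUE constraints instead of a
// check-then-insert, combined with a Post/Redirect/Get flow via a Location header.
// Assumptions: $db is a PDO connection; table `users` has UNIQUE KEY uq_username (username)
// and UNIQUE KEY uq_email (email); send_already_registered_email() is a hypothetical helper.

function register_user(PDO $db, string $username, string $email, string $password): string
{
    // Make PDO throw on errors so a constraint violation cannot be silently ignored.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $db->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (:username, :email, :hash)'
    );
    try {
        $stmt->execute([
            ':username' => $username,
            ':email'    => $email,
            ':hash'     => password_hash($password, PASSWORD_DEFAULT),
        ]);
        return 'created';
    } catch (PDOException $e) {
        // MySQL duplicate-key error: SQLSTATE 23000, driver error code 1062.
        if ($e->errorInfo[0] !== '23000' || (int) $e->errorInfo[1] !== 1062) {
            throw $e; // any other failure propagates to the caller
        }
        // MySQL names the violated index in the message ("... for key 'uq_email'").
        if (strpos($e->getMessage(), 'uq_email') !== false) {
            // Do not reveal to the browser that the address is known; tell its owner by e-mail.
            send_already_registered_email($email); // hypothetical helper
            return 'created'; // same outcome as a real success, so nothing leaks
        }
        return 'username_taken';
    }
}

// PRG: handle the POST, then redirect with a Location header. A reload or the back
// button re-issues a GET of users.php instead of resubmitting the form.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = register_user($db, trim($_POST['username']), trim($_POST['email']), $_POST['password']);
    $_SESSION['flash'] = $result;              // carry the outcome in the session, not the URL
    header('Location: users.php', true, 303);  // 303 See Other: the browser always follows with GET
    exit;
}
```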
mlukac89 (Author) Posted April 20, 2017

So I need to redirect like header("Location: success.php?msg=ok"); and in the success.php page:

<?php
if (isset($_GET['msg'])) {
    if ($_GET['msg'] == 'ok') {
        header("Location: users.php");
        unset($_POST);
        exit();
    }
}
?>