mlukac89 Posted April 20, 2017 Share Posted April 20, 2017 Hi I have a problem as title says with form resubmission. I think all know what i mean. When i process form, i redirect to another page, and if i hit back button in browser it give me a page with "Confirm form resubmission", and if i press F5 i got pop-up window and it process form again even if i unset($_POST); data. <?php include '../config.php'; // process form if (isset($_POST['submit'])) { $username = trim($_POST['username']); $password = trim($_POST['password']); $email = trim($_POST['email']); // check if username is in use if ($users->user_exists($username) === true) { $error = '<div class="alert alert-warning alert-dismissible fade-in"> <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> Username in use, please choose another one. </div>'; // check if email alrady registered } elseif ($users->email_exists($email) === true) { $error = '<div class="alert alert-warning alert-dismissible fade-in"> <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> Email in use, please choose another one. </div>'; } else { $error = "success"; // unset post variables unset($_POST); header("refresh:5;url=users.php"); exit(); } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/303765-php-prevent-form-resubmission-on-back-button-after-redirect/ Share on other sites More sharing options...
benanamen Posted April 20, 2017 Share Posted April 20, 2017 PRG is your answer. POST, REDIRECT, GET. Look it up. Quote Link to comment https://forums.phpfreaks.com/topic/303765-php-prevent-form-resubmission-on-back-button-after-redirect/#findComment-1545702 Share on other sites More sharing options...
Jacques1 Posted April 20, 2017 Share Posted April 20, 2017 Get rid of the refresh stuff and use a Location header instead. See Post/Redirect/Get. Your name and e-mail checks are bogus, and they allow anybody to check if a particular e-mail address is registered at your site. This is a privacy violation. Quote Link to comment https://forums.phpfreaks.com/topic/303765-php-prevent-form-resubmission-on-back-button-after-redirect/#findComment-1545703 Share on other sites More sharing options...
mlukac89 Posted April 20, 2017 Author Share Posted April 20, 2017 This is a admin script, when adding a user to check if email exists, and why is bogus ? It's normal on register site too that you give a message to a user that email is in use. Where is problem ? This is in class Users public function email_exists($email) { $query = $this->db->prepare("SELECT email FROM users WHERE email = :email"); $query->bindParam(':email', $email); $query->execute(); if ($query->rowCount() > 0) { return true; } else { return false; } } Quote Link to comment https://forums.phpfreaks.com/topic/303765-php-prevent-form-resubmission-on-back-button-after-redirect/#findComment-1545704 Share on other sites More sharing options...
Jacques1 Posted April 20, 2017 Share Posted April 20, 2017 It is not normal to expose the e-mail address of your users. This is private data. Imagine a website for, say, drug addicts stating “Yup, joe.blow@example.com is one of our users.” Clearly that's a problem. Even if you're dealing with a less sensitive topic, it's still your responsibility to protect the personal data of your users. This means not giving it away, neither directly nor indirectly. If you want to tell the user that the e-mail address is already registered, send them an e-mail. Then only the legitimate owner will get the message. Both checks are also subject to time-of-check-to-time-of-use race conditons. If two users ask for the same unused name at the same time, they both get it, because the check happens before the insertion. You need to do the check and the insertion in a single atomic operation. MySQL can do that for you: Just make the columns UNIQUE, do the insertion, then catch all errors triggered by a violation of the UNIQUE constraint. As pseudo code: try: insert_data() catch constraint violation: if duplicate name: print("Sorry, this name is already taken.") if duplicate email address: send_email("You are already registered with this address. Did you forget your password?") 1 Quote Link to comment https://forums.phpfreaks.com/topic/303765-php-prevent-form-resubmission-on-back-button-after-redirect/#findComment-1545708 Share on other sites More sharing options...
mlukac89 Posted April 20, 2017 Author Share Posted April 20, 2017 So i need to redirect like header("Location: success.php?msg=ok"); and in success.php page <?php if (isset($_GET['msg'])) { if ($_GET['msg'] == 'ok') { header("Location: users.php"); unset($_POST); exit(); } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/303765-php-prevent-form-resubmission-on-back-button-after-redirect/#findComment-1545709 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.