2

So, I'm working on a commenting script. It works fine when you post a comment, but I found that when you refresh the page, even though the text field is empty, it still posts the same comment. I understand that this is because I've already sent the variable to $_POST, and it's simply inserting that value into the database, but how do I avoid this issue? Thanks in advance, and here is my code: (Assume that $username and $image are already set)

if (isset($_POST['text']) && !empty($_POST['text']))
        {
            $text = $_POST['text'];
            $timeStamp = time();

            mysql_query("INSERT INTO comments VALUES ('$image','$username','$text','$timeStamp')");
        }

And the HTML:

        <form method="post" action="/view.php?image=$image">

            <input type="text" name="text" maxlength="100" />
            <input type="submit" value="Add Comment" />

        </form>

3 Answers

2

The easiest way to avoid that, is redirecting after a successful database operation:

...
mysql_query("INSERT INTO comments VALUES ('$image','$username','$text','$timeStamp')");
// error handling
header('Location: /some/where');
exit; // header() only sets a response header; without exit the rest of the script still runs

Apart from that, you really need to switch to PDO / prepared statements to avoid sql injection problems.

jeroen
  • As in sanitizing my values? I have that covered, I just didn't want to add it into the question. –  May 25 '12 at 01:00
  • @Jack Stone Yes, but the `mysql_*` are being deprecated as well, so switching is a good idea for that as well. – jeroen May 25 '12 at 01:07
  • Another thing about your code, I just think that it would be a bad user experience to redirect them every single time a comment is posted. Is there any other way of doing this? –  May 25 '12 at 01:09
  • @Jack Stone The user doesn't have to notice, it can be to the same page but the difference is that it will be a `GET` request so that a reload does nothing except reloading the page and the back-button still takes them to the previous page (the form). – jeroen May 25 '12 at 01:11
  • So it would be a parallel commenting page, just without the form? –  May 25 '12 at 01:13
  • @Jack Stone Yes, or you do something simple as `header('Location: /the/same/page?no_form');` and use that variable to display or not display your form. – jeroen May 25 '12 at 01:14
  • Except you would have to go back to the other page to comment. –  May 25 '12 at 01:15
  • @Jack Stone You will have to decide whether you want to display the form or not after a successful post. And the next step would be to add ajax to avoid the page refresh altogether... – jeroen May 25 '12 at 01:17
  • I would like to display the page immediately after post, I feel like that would be the best experience for users rather than having to go back to another page after they posted –  May 25 '12 at 01:18
  • @Jack Stone The user won't notice the redirect so you can use it to display whatever way you want. – jeroen May 25 '12 at 01:20
  • But what I'm saying is, you said to redirect to a parallel page, just without the comment box, but wouldn't that just mean that if the user wanted to recomment, they would have to go back to the other page? –  May 25 '12 at 01:21
  • @Jack Stone No, I said it is up to you to show or not to show the form after a successful post, so you can redirect to the same page, the same page without a form, another page, etc... – jeroen May 25 '12 at 01:22
1

The easy way:

After saving to database, reload your page:

header('Location: comment-form.php');
exit; // stop the script here; header() by itself does not end execution

This will make the browser "forget" the form submit.

The correct way:

Generate a nonce and add it as a hidden input in your form. When the form submits, make sure $_POST['nonce'] matches $nonce in your script.

How to create and use nonces

flowfree
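Putting the two ideas above together (the redirect-after-POST from the first answer and the one-time nonce from the second) in working PHP. This is an added example, not code from the question or from either answer. It assumes a PDO connection in `$pdo`, the `$username` and `$image` the question says are already set, and a `comments` table with columns `image, username, text, ts` (the question's `INSERT ... VALUES` gives no column list, so those names are an assumption). The token is issued when the form is rendered and consumed on the first POST that presents it, so a refresh, a double-click, or a back-button resubmit cannot insert the same comment twice, and because the token is tied to the session it also blocks cross-site form submissions.

```php
<?php
// Added example: Post/Redirect/Get plus a one-time form token.
// Assumed from the surrounding page: $pdo (PDO), $username, $image,
// and a `comments` table with columns (image, username, text, ts).
session_start();

function issue_form_token(): string
{
    // A fresh random token for every rendered form, kept server-side in the session.
    $token = bin2hex(random_bytes(16));
    $_SESSION['comment_token'] = $token;
    return $token;
}

function consume_form_token(?string $submitted): bool
{
    // Returns true at most once per issued token. The token is removed from the
    // session before comparison, so a replayed POST (refresh, double submit,
    // or a forged cross-site form) fails here instead of inserting a duplicate row.
    $expected = $_SESSION['comment_token'] ?? null;
    unset($_SESSION['comment_token']);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $text = trim($_POST['text'] ?? '');
    if ($text !== '' && mb_strlen($text) <= 100
        && consume_form_token($_POST['nonce'] ?? null)) {
        // Prepared statement: values are bound, never interpolated into SQL.
        $stmt = $pdo->prepare(
            'INSERT INTO comments (image, username, text, ts) VALUES (?, ?, ?, ?)'
        );
        $stmt->execute([$image, $username, $text, time()]);
    }
    // Redirect back to the same page as a GET. 303 tells the browser to switch
    // to GET; `exit` is essential because header() does not stop the script.
    header('Location: /view.php?image=' . rawurlencode($image), true, 303);
    exit;
}

$nonce = issue_form_token();
?>
<form method="post" action="/view.php?image=<?= htmlspecialchars($image, ENT_QUOTES, 'UTF-8') ?>">
    <input type="hidden" name="nonce" value="<?= htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="text" maxlength="100">
    <input type="submit" value="Add Comment">
</form>
```

After the redirect the browser is on a GET, so F5 simply reloads the page, and the form it renders carries a new token. One caveat: a single session-wide token means that if the user opens the same form in two tabs, only the most recently rendered one will submit successfully; keying the tokens by form or storing several per session handles that if it matters.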
1

Are you posting to the same page that you are viewing the comments? If so you could probably post to /a_page_where_i_submit_things.php then redirect back to the page where the comments are. I believe that will work.

dowilcox
  • But if I'm trying to post it to the same page, why would I want to do that? –  May 25 '12 at 00:59