0

I have a `<?php include 'stats.php'; ?>` on every page on my site. In the stats.php file there is a SQL INSERT query that inserts data into a table in my database.

For some reason, when visiting just one page it inserts 4 rows into the database - there is only one SQL command.

Why would it be doing this? Below is ALL the code in the stats.php file:

```php
<?php
   $activity_history_sql=
      "INSERT into user_activity_history (user_seq, user, timestamp, ip_address, user_request_uri, 
              user_script_filename, user_script_uri, user_script_url, user_script_name, user_php_self) 
       values ('".$_SESSION["domain.co.uk"]["sequence"]."', 
             '".$_SESSION["domain.co.uk"]["forename"].' '.$_SESSION["domain.co.uk"]["surname"]."', 
             '".date("Y-m-d H:i:s")."', 
             '".$_SERVER["REMOTE_ADDR"]."', 
             '".$_SERVER["REQUEST_URI"]."', 
             '".$_SERVER["SCRIPT_FILENAME"]."', 
             '".$_SERVER["SCRIPT_URI"]."', 
             '".$_SERVER["SCRIPT_URL"]."', 
             '".$_SERVER["SCRIPT_NAME"]."', 
             '".$_SERVER["PHP_SELF"]."') ";
    $activity_history_rs=mysql_query($activity_history_sql,$conn) or die(mysql_error());
?>
```
charlie
  • 1
    Perhaps you're including files that include `stats.php`. Use `require_once` instead of `include`. –  Aug 18 '13 at 16:05
  • 1
    Also, your code is vulnerable to SQL injection. See [_How can I prevent SQL injection in PHP?_](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Not to mention that the `mysql_*` set of functions is deprecated. –  Aug 18 '13 at 16:06
  • Warning: mysql extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the [MySQLi](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. Please don't use `mysql` to develop new code. – bansi Aug 18 '13 at 16:08
  • Never post code and URL at the same time, especially not if it involves SQL code – Iesus Sonesson Aug 18 '13 at 16:21
  • I'm not sure I understand what you are talking about @IesusSonesson –  Aug 18 '13 at 16:28
  • You have a URL address in your session names. In order to make an attack with your provided code less likely, you should not post a URL together with the code – Iesus Sonesson Aug 18 '13 at 18:12

3 Answers

0

Please use `require_once()` when including stats.php.

The `require_once` statement is identical to `require` except PHP will check if the file has already been included, and if so, not include (require) it again.

Zorayr
  • Just changed all the pages to `require_once` but still the same issue –  Aug 18 '13 at 16:11
  • Somewhere in your code you are either (1) including the stats file more than once, or (2) refreshing your page. – Zorayr Aug 18 '13 at 16:14
0

Try a different method for the include, like `require_once('stat.php');`

... that might solve your issue...

This script doesn't seem faulty.

Ankit Pise
  • Just changed all the pages to `require_once` but still the same issue –  Aug 18 '13 at 16:10
  • Is there no way to do LIMIT 1 like you can in a SELECT query? –  Aug 18 '13 at 16:14
  • 1
    You posted the full stat.php code, but I'm talking about the page in which you are including stat.php. That page might have a looping function, and the page might reload several times before display; each time, stat.php gets included and a new record is generated... – Ankit Pise Aug 18 '13 at 16:14
  • No, this is not a result-generating script, but you can use a value-check query which will check for an exact duplicate of the record and skip it if it exists – Ankit Pise Aug 18 '13 at 16:16
0

OK - it seems to be working now. It may be that my cache hadn't refreshed properly. Maybe it was still using the include rather than require_once.
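
An added example, not part of the original thread: the same insert written with a PDO prepared statement, as the comments on the question recommend, plus a once-per-request guard so a repeated call cannot log twice. The table and column names come from the question; the function name `log_activity()`, the SQLite in-memory demo database and the sample request values are assumptions made for illustration.

```php
<?php
// Added example: the question's INSERT as a prepared statement with a per-request guard.
// log_activity() and the demo data below are hypothetical, not the asker's code.

function log_activity(PDO $pdo, array $session, array $server): bool
{
    static $logged = false;           // a second call in the same request is a no-op
    if ($logged) {
        return false;
    }
    $logged = true;

    $sql = 'INSERT INTO user_activity_history
              (user_seq, user, timestamp, ip_address, user_request_uri,
               user_script_filename, user_script_uri, user_script_url,
               user_script_name, user_php_self)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = $pdo->prepare($sql);
    return $stmt->execute([
        $session['sequence'] ?? null,
        trim(($session['forename'] ?? '') . ' ' . ($session['surname'] ?? '')),
        date('Y-m-d H:i:s'),
        $server['REMOTE_ADDR'] ?? null,
        $server['REQUEST_URI'] ?? null,     // client-controlled: bound, never concatenated
        $server['SCRIPT_FILENAME'] ?? null,
        $server['SCRIPT_URI'] ?? null,      // not set on every server configuration
        $server['SCRIPT_URL'] ?? null,
        $server['SCRIPT_NAME'] ?? null,
        $server['PHP_SELF'] ?? null,        // client-influenced through PATH_INFO
    ]);
}

// Demo on an in-memory SQLite database with constructed request data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_activity_history (user_seq, user, timestamp, ip_address,
    user_request_uri, user_script_filename, user_script_uri, user_script_url,
    user_script_name, user_php_self)');

$session = ['sequence' => 7, 'forename' => 'Test', 'surname' => "O'Neil"];
$server  = ['REMOTE_ADDR' => '192.0.2.10', 'REQUEST_URI' => "/page.php?q=a'b",
            'SCRIPT_NAME' => '/page.php', 'PHP_SELF' => '/page.php'];

log_activity($pdo, $session, $server);   // first call writes the row
log_activity($pdo, $session, $server);   // second call is skipped by the guard

$rows = $pdo->query('SELECT user, user_request_uri FROM user_activity_history')->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);
```

On the site itself the call would be `log_activity($pdo, $_SESSION['domain.co.uk'] ?? [], $_SERVER)` with a MySQL PDO handle, and the file still has to be loaded with `require_once`, since including a file that declares a function twice is a fatal error.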