Form resubmission issue PHP SQL

Question

If I insert a new record into the database via PHP and then click the submit button and then each time I refresh the page it inserts the recently added record into the database. How do I stop this from happening? I don't want to redirect to another form after the submit button too. The weird thing is, if I click the submit button twice and then refresh the form it doesn't insert duplicates into the database. Why is this? Please help :/ thanks

Here's the code:

<div class="insertDiv">
<form method="POST" action="contracts.php">
<?php
if(empty($_POST['ContractDate']) && empty($_POST['ComputerId2']) && empty($_POST['CustomerId'])  && empty($_POST['ContractLevel']))
{
}
else
{
include("dbinfo.inc.php");
$comm=@mysql_connect(localhost,$username,$password);
$rs=@mysql_select_db($database) or die( "Unable to select database"); 

$contractDate=$_POST['ContractDate'];
$computerID=$_POST['ComputerId'];
$customerID=$_POST['CustomerId'];
$contractLevel=$_POST['ContractLevel'];

$sql="INSERT INTO contract VALUES ('','$contractDate','$computerID', '$customerID', '$contractLevel')";
$result=mysql_query($sql)or die("Insert Error: ".mysql_error());
mysql_close();
}
?>

<div class = "myButton">
Insert
</div>

<p></p>
Enter contract start date:&nbsp
<input type="date" name="ContractDate" size=30 class="input"><br><br>
Enter computerID:&nbsp
<input type="text" name="ComputerId" size=30 class="input"><br><br>
Enter customerID:&nbsp
<input type="text" name="CustomerId" size=30 class="input"><br><br>
Enter contract level:&nbsp
<input type="text" name="ContractLevel" size=30 class="input"><br><br>
<input type="reset" value="Reset" class="button">&nbsp&nbsp&nbsp&nbsp
<input type="submit" value="Submit" class="button">
</form>
</div>

Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). — Gumbo, Mar 22 '14 at 14:12

score 0 · Answer 1 · answered Mar 22 '14 at 14:18

check with some value from form which is already exists in table if no then insert the data into the table

or

1.generate a random string and store it in session,

2.then output it to your form as a hidden value,

3.check the submitted and store variable, if matches process your request,

4.go to 1.

Emilio · Answer 2 · 2014-03-22T14:40:06.777

Just make sure the form has only been submitted once, by using sessions. This should work (I haven't been able to test it)

<?php
// you should start the session before sending any output to the browser
session_start();
if($_SESSION['prevent'] && $_SESSION['prevent'] == $_POST['prevent'])$valid=true;
$_SESSION['prevent']=sha1(mt_rand(0,9999999));

?>
<div class="insertDiv">
<form method="POST" action="contracts.php">
<?php
if(empty($_POST['ContractDate']) && empty($_POST['ComputerId2']) && empty($_POST['CustomerId'])  && empty($_POST['ContractLevel']))
{
}
else
{

if($valid){

include("dbinfo.inc.php");
$comm=@mysql_connect(localhost,$username,$password);
$rs=@mysql_select_db($database) or die( "Unable to select database"); 

$contractDate=$_POST['ContractDate'];
$computerID=$_POST['ComputerId'];
$customerID=$_POST['CustomerId'];
$contractLevel=$_POST['ContractLevel'];

$sql="INSERT INTO contract VALUES ('','$contractDate','$computerID', '$customerID', '$contractLevel')";
$result=mysql_query($sql)or die("Insert Error: ".mysql_error());
mysql_close();
}
}
?>

<div class = "myButton">
Insert
</div>

<p></p>
Enter contract start date:&nbsp
<input type="date" name="ContractDate" size=30 class="input"><br><br>
Enter computerID:&nbsp
<input type="text" name="ComputerId" size=30 class="input"><br><br>
Enter customerID:&nbsp
<input type="text" name="CustomerId" size=30 class="input"><br><br>
Enter contract level:&nbsp
<input type="text" name="ContractLevel" size=30 class="input"><br><br>
<input type="reset" value="Reset" class="button">&nbsp&nbsp&nbsp&nbsp
<input type="hidden" value="<?php echo $_SESSION['prevent']; ?>">
<input type="submit" value="Submit" class="button">
</form>
</div>

Thanks for you comment Emillio.. I don't think I'll be able to use session_start() as I have other php statements in the form :/ do you know a way round this? — Lloyd, Mar 22 '14 at 14:33
Well, you can have a look at ob_start() and ob_end_flush() - you can use them so no content is sent to the browser until you finish rendering the page (so you can set the session). But again, you'd need to add at least one line of code to existing files. — Emilio, Mar 22 '14 at 14:37
Also, you can set cookies via javascript, and read them later with PHP. Since your only requirement is preventing accidental submits, this should work. — Emilio, Mar 22 '14 at 14:41

score -1 · Answer 3 · answered Mar 22 '14 at 14:14

-1

Have a read of this article and it'll explain how to redirect so refreshing doesn't resubmit the form.

http://en.wikipedia.org/wiki/Post/Redirect/Get

answered Mar 22 '14 at 14:14

sark9012

5,485
18
61
99

1

-1 as there's only a link in the answer (please add an explanation/example. A reference should be _supportive_ info, not the only info). – AD7six Mar 22 '14 at 14:20
Thanks for you comments.. I'm not quite sure how to implement the post/redirect/Get pattern.. Does it just mean when the user clicks submit it redirects to another form? – Lloyd Mar 22 '14 at 14:23
It just means redirect to the current url and exit _after_ inserting in the db. – AD7six Mar 22 '14 at 18:37

Form resubmission issue PHP SQL

3 Answers3