Browser go back button Confirm Form Resubmission

Question

I have a search form on my page.

<form action='' method='post'>
    <input type='text' name='search' />
    <input type='sumit' name='submit' value='submit'/>
</form>

When the user clicks the submit button on the form, it should run a mysql_query and create a link to the user page.

if(isset($_POST['search'])){
    $add = "city = {'$_POST['search']'}";
}

$res = mysql_query("SELECT * FROM user WHERE {$add}");
        while($rw=mysql_fetch_object($res)){
        echo "<a href=user.php?id={$rw->user_id}?>{$rw->name}</a>";
        }

When I click on the link user.php?id=3, it goes to the user page and everything is OK. But I have problem when I click the browser's back-button, on user.php page. Then i have problem back to previous page. Confirm Form Resubmission.

This is wide open to SQL injection, look into sanitizing your `$_POST['search']` before using it anywhere in a query! There's nothing stopping me from searching for `x'; truncate user; '` or something similar ;) to clear out your database. — Scott, Apr 23 '15 at 14:37
This is just an example. I am using mysql_real_escape_string() — BCM, Apr 23 '15 at 14:40
possible duplicate of [Allowing users to Refresh browser without the "Confirm Form Resubmission" pop-up](http://stackoverflow.com/questions/2414660/allowing-users-to-refresh-browser-without-the-confirm-form-resubmission-pop-up) — N.B., Apr 23 '15 at 15:20
Not duplicate. I cant refresh page after submiting because create extension on query. — BCM, Apr 23 '15 at 15:31

score -1 · Answer 1 · answered Apr 23 '15 at 14:39

-1

Correct the following:

<input type='sumit' name='submit' value='submit'/>

You are writing type='sumit' instead of type='submit'

answered Apr 23 '15 at 14:39

Ashwani Goyal

616
4
18

This is just an example. In my code all is typed correctly. Problem is back to previous page. Confirm Form Resubmission – BCM Apr 23 '15 at 14:42

Guilherme Ferreira · Answer 2 · 2015-04-23T15:02:59.347

-1

To not display the "Confirm Form Resubmission" alert, do you have to change your submission (method) to GET.

<form action='' method='GET'>
    <input type='text' name='search' />
    <input type='sumit' name='submit' value='submit'/>
</form>

...

if(isset($_GET['search'])){
    $res = mysql_query(sprintf("SELECT * FROM user WHERE city='%s'", mysql_real_escape_string($_GET['search']) ));
    while($rw=mysql_fetch_object($res)){
      echo "<a href=user.php?id={$rw->user_id}?>{$rw->name}</a>";
    }
}

edited Apr 23 '15 at 15:02

answered Apr 23 '15 at 14:48

Guilherme Ferreira

153
1
11

How can I prevent Confirm Form Resubmission? – BCM Apr 23 '15 at 14:55
Any browser when you send data using POST will ask if you want re-submit that information using back button, or refreshing the page. It`s standards!. So you have to change your approach using, instead of POST, GET! – Guilherme Ferreira Apr 23 '15 at 14:57

score -2 · Answer 3 · answered Apr 23 '15 at 14:45

-2

You should use get method instead of post. Post resubmissions must be confirmed by most browsers.

P.s.: you shouldn't pass the user input into your sql query directly to prevent the risk of sql injections.

answered Apr 23 '15 at 14:45

Florian

2,796
1
15
25

Browser go back button Confirm Form Resubmission

3 Answers3