1

I created a dropdown list with 6 options.

After select an option and clicking the submit button, the selected value should be inserted into the mysql database. This is code:

<form name="name" method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<select id="broj" name="name">                      
  <option value="0">--Select--</option>
  <option value="2">Option 1</option>
  <option value="3">Option 2</option>
  <option value="4">Option 3</option>
  <option value="5">Option 4</option>
  <option value="6">Option 5</option>
  <option value="7">Option 6</option>
</select>
<input type="submit" name="submit" value="Submit" />
</form>

<?php
if($_GET){
   $result= $_GET['name'];
  }
?>
// 
After this follows the code that inserts the $result into the mysql database

I have two problems with this code:

  1. As soon as the page is opened (before clicking the button) , the value 0 is inserted into the database (value of "Select" option)

  2. After refreshing page, the selected value is re-insert into the database

How to make the selected option inserted into the database only when the submit button is clicked

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Midhat
  • 45
  • 10

2 Answers2

2

I think you should change your form method to POST instead of GET. And check for post before insert into database

    if ($_SERVER['REQUEST_METHOD'] == 'POST')
    {
        // Code insert into database here
    }

In your code I see 

    action="<?php echo $_SERVER['PHP_SELF']; ?>"

$_SERVER['PHP_SELF'] with form method GET will contain your submit parameter and that may cause some strange problems. I think there may be no problem if you let action="", your form still submit data to current page

Bùi Đức Khánh
  • 3,975
  • 6
  • 27
  • 43
  • `$_SERVER['PHP_SELF']` does not pass through the GET values; you might be thinking of `$_SERVER['REQUEST_URI']` – RToyo Nov 15 '17 at 16:21
0

First visit to the page inserts a 0-value row:

The relevant code for this is excluded from your question, but you should always check that your $_GET (or $_POST, or $_REQUEST, or $_SESSION, etc) array has at least one value (eg if (count($_GET))) before inserting. However, I would suggest that you use the POST method rather than GET. It's one tiny layer of obfuscation for someone trying to force data into your DB, and it makes it a lot harder for accidents/mistyped URLs to insert random data.

Resubmitted data:

This has a few ways to work around it. Most people simply set the POST method for their forms, rather than GET (there are some standards that say you should use POST, but I won't get into that). If the user attempts to refresh a page that a form POSTed to, most modern browsers will pop up a confirmation dialogue box before resubmitting the form data.

Another common technique is to redirect from the form's target page once the data has been inserted into the database. That way the user can't refresh the page. In other words, you would have a blank form response page that simply does the DB insert and then redirects to a page with a "thank you for submitting the form" text, or whatever you want to display after the form is submitted. The user's browser never sits on the URL/page that does the actual DB insert.

You could also do a little validation before doing the insert. If you don't want to query your DB before inserting (or apply a DB-level constraint, like a unique index on the table), you could have each form submit a one-use token with each request. If a form gets submitted with that token a second time, then you know it was a resubmit. A simple example of this might be to add a captcha to your form.

RToyo
  • 2,877
  • 1
  • 15
  • 22