Two records insert into Mysql Database other than one

Question

I have a Question. Instead of having the record insert rather once, It inserts twice into the DB table. I am using a Javascript function to send the Data to a PHP , Now it saves the data to a Database, No doubt , but rather than have one Record, It saves twice. And i do not have a reason as to why this is so.

My javascript used to save data looks like this :

function submitFormData(){
    var xhr = new XMLHttpRequest();
    var url = 'submit_request.php';
    var fullname = document.getElementById("fullname").value;
    var address = document.getElementById("address").value;
    var address2 = document.getElementById("address2").value;
    var city = document.getElementById("city").value;
    var state = document.getElementById("state").value;
    var telephone = document.getElementById("telephone").value;
    var email = document.getElementById("email").value;
    var vehicle_type = document.getElementById("vehicle_type").value;
    var vehicleNo = document.getElementById("vehicleNo").value;
    var visit_date = document.getElementById("visit_date").value;
    var visit_purpose = document.getElementById("visit_purpose").value;
    var whom_tosee = document.getElementById("whom_tosee").value;
    var login_time = document.getElementById("login_time").value;

    var params = 'fullname='+fullname+'&address='+address+'&address2='+address2+'&city='+city+'&state='+state+'&telephone='+telephone+'&email='+email+'&vehicle_type='+vehicle_type+'&vehicleNo='+vehicleNo+'&visit_date='+visit_date+'&visit_date='+visit_date+'&visit_purpose='+visit_purpose+'&whom_tosee='+whom_tosee+'&login_time='+login_time+'';

    var txt = 'Please confirm the following Information\n FullName : '+fullname+'\n Address : '+address+'\n Address2 : '+address2+'\n City: '+city+'\n State: '+state+'\n Telephone: '+telephone+'\n Email: '+email+'\n Vehicle Type: '+vehicle_type+'\n Vehicle #: '+vehicleNo+'\n Visit Date: '+visit_date+'\n Visit Purpose : '+visit_purpose+'\n Who To see : '+whom_tosee+'\n Login Time : '+login_time+'';
    var response = confirm(txt);

    if(response == true){
        xhr.open('GET', url, true);
        xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
        xhr.onreadystatechange = function(){
            if(xhr.readyState == 4 && xhr.status == 200) {
               // alert('Sending Data');
                var finalurl = url +'?'+params;
                window.location = finalurl;
            }
        }
        xhr.send(params);
    }else{
        window.location ='e-vmsreserve.php';
    }

}

And the PHP used to save the Data into the DB looks like this

<?php
        session_start();
        if(!isset($_SESSION['userID']))
        {
                header("location: index.php");
        }
?>

<?php
require_once('inc/config.php');

$con = mysqli_connect($host,$user,$pass,$db) or die ('Cannot connect: '.mysqli_error());

$query = "SELECT * FROM evmsdbusers WHERE username = '".$_SESSION['userID']."'";
$result = mysqli_query($con,$query) or die('Bad Query: '.mysqli_error($con));
while($row = mysqli_fetch_array($result)){

$fullname = $row['fullname'];
$username = $row['username'];
$designation = $row['designation'];
}


?>

<?php

require_once('inc/config.php');

$con = mysqli_connect($host, $user, $pass, $db) or die('Cannot connect, Reason:'.mysqli_error());

$fullname = mysqli_real_escape_string($con,$_GET['fullname']);
$address = mysqli_real_escape_string($con,$_GET['address']);
$address2 = mysqli_real_escape_string($con,$_GET['address2']);
$city = mysqli_real_escape_string($con,$_GET['city']);
$state = mysqli_real_escape_string($con,$_GET['state']);
$telephone = mysqli_real_escape_string($con,$_GET['telephone']);
$email = mysqli_real_escape_string($con,$_GET['email']);
$vehicle_type = mysqli_real_escape_string($con,$_GET['vehicle_type']);
$vehicleNo = mysqli_real_escape_string($con,$_GET['vehicleNo']);
$visit_date = mysqli_real_escape_string($con,$_GET['visit_date']);
$visit_purpose = mysqli_real_escape_string($con,$_GET['visit_purpose']);
$whom_tosee = mysqli_real_escape_string($con,$_GET['whom_tosee']);
$login_time = mysqli_real_escape_string($con,$_GET['login_time']);
$invitee_username =$username;


$sql = "insert into new_reservation (fullname,address,address2,city,state,telephone,email,vehicle_type,vehicleNo,visit_date,visit_purpose,whom_tosee,login_time,visitor_username) values ('".$fullname."','".$address."','".$address2."','".$city."','".$state."','".$telephone."','".$email."','".$vehicle_type."','".$vehicleNo."','".$visit_date."','".$visit_purpose."','".$whom_tosee."','".$login_time."','".$invitee_username."')";
    mysqli_query($con, $sql) or die ('Bad Query, Reason: '.mysqli_error($con));

    $message = "Appointment Reserved!";
    echo '<script type="text/javascript">'; 
    echo 'alert("'.$message.'");'; 
    echo '</script>';

?>

Now what i do not seem to understand is why I am having 2 records,Though not duplicate but it should have only one record.

Why you use `$_GET` method while post data, also use prepare statement to prevent SQL injection — , Oct 21 '19 at 08:58
GET with insert is open invitation for SQL injection, second, this will insert on every refresh due to `$_GET` — devpro, Oct 21 '19 at 08:59

devpro · Answer 1 · 2019-10-21T09:09:20.630

1

First of all, your code is wide open for SQL injection, using $_GET is open invitation for SQL injection. I suggest you to use Prepared statement, this will prevent your code for SQL attack.

Issue in your code is window.location = finalurl; this line, this will redirect to same php file with same params, and your query will insert twice due to $_GET values.

So, you just need to show your response when you got response 200, no need to redirect on same url 'submit_request.php' with same params.

Some useful links:

Are PDO prepared statements sufficient to prevent SQL injection?

Prepared Statement Manaul

One more suggestion always exit(); after header(); otherwise your code will not terminate.

php - Should I call exit() after calling Location: header?

edited Oct 21 '19 at 09:09

answered Oct 21 '19 at 09:02

devpro

16,184
3
27
38

it does not save into the data should i take window.location away, it does not even redirect, should i add it back, it saves , but i have 2 records – Sam Oct 21 '19 at 10:08
@Sam: yes remove this part and second tell me your php code SELECT and INSERT both of them in 1 file?? – devpro Oct 21 '19 at 10:10
the second file is 'submit_request.php' which is supposed to access the GET request as created from the javascript, So yes, the SELECT is suppose to use sessions to fetch information and i would use in the INSERT Statement. So yes they are one file. – Sam Oct 21 '19 at 10:21
@Sam: ok then you are doing one more mistake here, do not stablished database connection twice – devpro Oct 21 '19 at 10:31
@Sam: second use `echo $sql; exit;` before `mysqli_query($con, $sql) or die ('Bad Query, Reason: '.mysqli_error($con));` and share the result, either your query print once or twice please hsare – devpro Oct 21 '19 at 10:35

score 1 · Answer 2 · answered Oct 21 '19 at 10:52

Thank You DevPro, Somehow I managed to see where the error was. when performing a get request, it should be in the pattern url+'?'+parameters

I remembered that and tried it in my code, somehow it saves fine now and no Duplicate records or double insert. In case someone needs it in future :), PHP Remains the same.

I did it like this xhr.open('GET', url+"?"+params, true);

function submitFormData(){
    var xhr = new XMLHttpRequest();
    var url = 'submit_request.php';
    var fullname = document.getElementById("fullname").value;
    var address = document.getElementById("address").value;
    var address2 = document.getElementById("address2").value;
    var city = document.getElementById("city").value;
    var state = document.getElementById("state").value;
    var telephone = document.getElementById("telephone").value;
    var email = document.getElementById("email").value;
    var vehicle_type = document.getElementById("vehicle_type").value;
    var vehicleNo = document.getElementById("vehicleNo").value;
    var visit_date = document.getElementById("visit_date").value;
    var visit_purpose = document.getElementById("visit_purpose").value;
    var whom_tosee = document.getElementById("whom_tosee").value;
    var login_time = document.getElementById("login_time").value;

    var params = 'fullname='+fullname+'&address='+address+'&address2='+address2+'&city='+city+'&state='+state+'&telephone='+telephone+'&email='+email+'&vehicle_type='+vehicle_type+'&vehicleNo='+vehicleNo+'&visit_date='+visit_date+'&visit_date='+visit_date+'&visit_purpose='+visit_purpose+'&whom_tosee='+whom_tosee+'&login_time='+login_time+'';

    var txt = 'Please confirm the following Information\n FullName : '+fullname+'\n Address : '+address+'\n Address2 : '+address2+'\n City: '+city+'\n State: '+state+'\n Telephone: '+telephone+'\n Email: '+email+'\n Vehicle Type: '+vehicle_type+'\n Vehicle #: '+vehicleNo+'\n Visit Date: '+visit_date+'\n Visit Purpose : '+visit_purpose+'\n Who To see : '+whom_tosee+'\n Login Time : '+login_time+'';
    var response = confirm(txt);

    if(response ==true){
        xhr.open('GET', url+"?"+params, true);
        xhr.onreadystatechange = function(){
            if(xhr.readyState == 4 && xhr.status == 200) {
                alert('ok');
            }   
        }
        xhr.send(null);
    }

}

Thanks everyone!

Two records insert into Mysql Database other than one

2 Answers2