
I'm trying to create a CRUD data grid with PHP. It is very simple, but I'm facing a problem with the POST method: every time I refresh my page it enters my previous data. I'm trying to learn PHP; I have basic knowledge of different languages like C# and Java. Kindly answer me as soon as possible.

Here is my code:

home.php:

<!DOCTYPE html>
<html lang="en">

<head>
  <title>PHP CRUD</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js"></script>
</head>

<body>

  <?php require_once 'process.php'; ?>

  <?php

    // mysql_error() belongs to the removed mysql_* extension; the mysqli connection error lives in connect_error
    $mysqli = new mysqli('localhost','root','','crud') or die($mysqli->connect_error);

    $result= $mysqli->query("SELECT * FROM data")or die($mysqli->error);

    ?>

    <div class="row justify-content-center">
      <table class="table">
        <thead>
          <tr>
            <th>Name</th>
            <th>Location</th>
            <th colspan="2">Action</th>
          </tr>
        </thead>
        <?php while ($row = $result->fetch_assoc()): ?>
        <tr>
          <td>
            <?php echo $row['name'] ?>
          </td>
          <td>
            <?php echo $row['location'] ?>
          </td>
          <td></td>
        </tr>
        <?php endwhile; ?>
      </table>
    </div>


    <div class="container">
      <div class="row justify-content-center">

        <form action="process.php" method="GET">

          <div class="form-group">

            <label>Name</label>
            <!-- placeholder shows hint text; value would submit "Enter your name" as the actual name -->
            <input type="text" name="name" class="form-control" placeholder="Enter your name">

          </div>

          <div class="form-group">

            <label>Location</label>
            <input type="text" name="location" class="form-control" placeholder="Enter Your Location">

          </div>

          <div class="form-group">

            <button type="submit" name="save" class="btn btn-primary">Save</button>

          </div>


        </form>

      </div>
    </div>



</body>

</html>

This is the process.php:

<?php

// mysql_error() belongs to the removed mysql_* extension; the mysqli connection error lives in connect_error
$mysqli = new mysqli('localhost','root','','crud') or die($mysqli->connect_error);

if(isset($_GET['save']))
{
    $name=$_GET['name'];
    $location=$_GET['location'];
    $mysqli->query("INSERT INTO data (name,location) VALUES ('$name','$location')") or die($mysqli->error);
}

?>
B001ᛦ
  • If you use POST then the browser should warn you on refresh. – AbraCadaver May 19 '21 at 14:30
  • When you submit a form and then refresh the page, the submission will be attempted again. Some browsers will ask you if you want to re-submit, but some will assume so by default. It's not a code issue. If you want to find a way around it, then perform a redirect after the form has been submitted. Then a refresh won't include the submission. – El_Vanja May 19 '21 at 14:31
  • And please note your code is open to [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). You should consider switching to [prepared statements](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) in order to prevent it. – El_Vanja May 19 '21 at 14:34
  • Also, you should avoid using `or die` while working with the database, because it could potentially leak sensitive data. See [mysqli or die, does it have to die?](https://stackoverflow.com/questions/15318368/mysqli-or-die-does-it-have-to-die) – El_Vanja May 19 '21 at 14:36

1 Answer

First, you need to use parameterized queries (How can I prevent SQL injection in PHP?). Second, you should use POST and redirect afterwards:

HTML

<form action="process.php" method="POST">

PHP

// $mysqli is the connection opened at the top of process.php, as in the question
if (isset($_POST['save']))
{
    // the values are bound separately from the SQL text, so they cannot change the query
    $stmt = $mysqli->prepare("INSERT INTO data (name, location) VALUES (?, ?)");
    $stmt->bind_param('ss', $_POST['name'], $_POST['location']);
    $stmt->execute();
    header("Location: confirmation.php"); // or whatever
} else {
    header("Location: home.php"); // or whatever
}
exit; // nothing after a redirect header should keep running

Find a tutorial as there are other things you need to do, such as making sure the $_POST values are !empty(), checking for DB errors, etc.

AbraCadaver