I have a form on my website, but I can't fix one problem. When I write some text in the form box, it sends the data to the database. When I hit refresh, the page sends the same data again to the database. What is the problem with my code?

<?php
session_start(); // the asker says this call is at the top of the real file

if (isset($_POST['submit']))
{
    $err = array();

    // Test the login before reading the session value; the original read
    // $_SESSION['uname'] first and raised an "undefined index" notice for
    // anonymous visitors.
    if (!isset($_SESSION['uname']))
    {
        $err[] = "You need to login";
    }
    else
    {
        $uname = $_SESSION['uname'];
        $diss  = $_POST['type'];
        $sub   = $_POST['sub'];
        $msg   = $_POST['msg'];
        $date  = "On " . date("F Y h:i:s A");

        if (empty($sub) && empty($msg))
            $err[] = "All fields required";
        else
        {
            if (empty($sub))
                $err[] = "Subject Required";
            if (empty($msg))
                $err[] = "Message Required";
        }
    }

    if (!empty($err))
    {
        foreach ($err as $er)
            echo "<font color=red><b>$er</b></font>";
    }
    else
    {
        // The mysql_* extension is deprecated (removed in PHP 7). While it is
        // still in use, every value that goes into the SQL string has to be
        // escaped; the original interpolated raw POST data (SQL injection).
        $diss  = mysql_real_escape_string($diss);
        $sub   = mysql_real_escape_string($sub);
        $msg   = mysql_real_escape_string($msg);
        $uname = mysql_real_escape_string($uname);

        // This INSERT runs on every POST and the page is then rendered
        // directly, so a browser refresh resubmits the POST and inserts
        // the same row again.
        $sql = mysql_query("INSERT INTO discussion VALUES ('', '$diss', '$sub', '$msg', '$uname', '$date')");
        if (!$sql)
            echo "Can't submit your discussion";
        else
            echo "Discussion was submitted";
    }
}
?>

<form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post" name="discussion">
<table width="240" border="0" cellspacing="0" cellpadding="0">
<tr>
<td style="width:230px;"><b>Select your Discussion</b>&nbsp;&nbsp;
<select name="type">
<?php
$sqld = mysql_query("SELECT * FROM distype");

while ($row = mysql_fetch_assoc($sqld))
{
    // Escape the value on output so a type name cannot inject HTML.
    $diss = htmlentities($row['type']);
    echo "<option value='$diss'>$diss</option>";
}
?>
</select></td>
</tr>
<tr>
<td><b>Subject</b></td>
</tr>
<tr>
<td><input type="text" name="sub" value="" size="33" class=""/></td>
</tr>
<tr>
<td><b>Message</b></td>
</tr>
<tr>
<td><textarea cols="30" rows="3" name="msg" class=""></textarea></td>
</tr>
<tr>
<td>&nbsp;</td>
</tr>
<tr>
<td><input type="submit" name="submit" value="Submit Form"></td>
</tr>
</table>
</form>

creativeartbd
  • You need to redirect after a form submission. It's best practice to do so. Once the user has submitted the form and you've updated the DB, redirect somewhere else or back to the original page, but don't just print out the page. – ghstcode Dec 18 '11 at 17:46
  • possible duplicate of [How to handle multiple submissions server-side](http://stackoverflow.com/questions/218907/how-to-handle-multiple-submissions-server-side) – Álvaro González Dec 18 '11 at 17:47
  • I've come to a point where any page that displays anything, does not modify my database. All my updates are done through ajax. – Frank Dec 18 '11 at 19:13

2 Answers

On successful form submit you need to reload the URL or redirect the user somewhere to prevent the user from inserting the data into the database again.

$sql = mysql_query("INSERT INTO discussion VALUES ('', '$diss', '$sub', '$msg', '$uname', '$date')");
if (!$sql)
    echo "Can't submit your discussion";
else
{
    // header() only works while nothing has been output yet (no echo, no HTML,
    // no whitespace before <?php); otherwise PHP reports "headers already sent".
    header("Location: page.php?mode=success");
    //or
    header("Location: " . $_SERVER['REQUEST_URI']); //which will just reload the page
    exit; // stop here so nothing after the redirect is executed or printed
}
Ignas
  • Well, it says Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\evantechbd\index2.php:12) in C:\xampp\htdocs\evantechbd\index2.php on line 336. I've got session_start() at the top. Then? – creativeartbd Dec 18 '11 at 17:59
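The redirect this answer describes only works when the POST is handled before any output, and the asker still wants "Discussion was submitted" shown on the same page afterwards. The following is an added example, not the asker's or the answerer's code: the same form rebuilt as Post/Redirect/Get with a session "flash" message. It assumes the file is discussion.php, a table discussion(id, type, subject, message, uname, created) and distype(d_id, type); every column name except d_id/type, and the connection details, are guesses.

```php
<?php
// Added example (not the original poster's code): Post/Redirect/Get version
// of the discussion form. Table and column names other than d_id/type, and
// the mysqli connection details, are assumptions.
session_start();

function connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'evantechbd'); // placeholders
    $db->set_charset('utf8mb4');
    return $db;
}

// 1. Handle the POST before a single byte of HTML is sent. header() only works
//    while no output has been produced; the "headers already sent" warning in
//    the comment above comes from calling it after the echo statements.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $errors = [];
    $type = trim((string) ($_POST['type'] ?? ''));
    $sub  = trim((string) ($_POST['sub'] ?? ''));
    $msg  = trim((string) ($_POST['msg'] ?? ''));

    if (!isset($_SESSION['uname'])) {
        $errors[] = 'You need to login';
    } else {
        if ($sub === '') { $errors[] = 'Subject required'; }
        if ($msg === '') { $errors[] = 'Message required'; }
    }

    if ($errors === []) {
        $uname = $_SESSION['uname'];
        try {
            // Prepared statement: the values never become part of the SQL text.
            $stmt = connect()->prepare(
                'INSERT INTO discussion (type, subject, message, uname, created)
                 VALUES (?, ?, ?, ?, NOW())'
            );
            $stmt->bind_param('ssss', $type, $sub, $msg, $uname);
            $stmt->execute();
            $stmt->close();
            // The message is parked in the session ("flash") and displayed by
            // the GET that follows, so the poster still sees it on this page.
            $_SESSION['flash'] = ['Discussion was submitted'];
        } catch (mysqli_sql_exception $e) {
            $_SESSION['flash'] = ["Can't submit your discussion"];
        }
    } else {
        $_SESSION['flash'] = $errors;
        $_SESSION['old']   = ['type' => $type, 'sub' => $sub, 'msg' => $msg];
    }

    // 2. 303 See Other: the browser fetches the page again with GET. A refresh
    //    now repeats that GET, not the POST, so nothing is inserted twice.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit; // nothing below may run for the POST
}

// 3. GET path: display only, no database writes.
$flash = $_SESSION['flash'] ?? [];
$old   = $_SESSION['old'] ?? ['type' => '', 'sub' => '', 'msg' => ''];
unset($_SESSION['flash'], $_SESSION['old']); // shown exactly once

$e = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
$types = connect()->query('SELECT type FROM distype')->fetch_all(MYSQLI_ASSOC);
?>
<?php foreach ($flash as $line): ?>
<p><b><?= $e($line) ?></b></p>
<?php endforeach; ?>
<form action="<?= $e($_SERVER['PHP_SELF']) ?>" method="post" name="discussion">
<label>Select your Discussion
<select name="type">
<?php foreach ($types as $row): ?>
<option value="<?= $e($row['type']) ?>"<?= $row['type'] === $old['type'] ? ' selected' : '' ?>><?= $e($row['type']) ?></option>
<?php endforeach; ?>
</select></label><br>
<label>Subject <input type="text" name="sub" size="33" value="<?= $e($old['sub']) ?>"></label><br>
<label>Message <textarea cols="30" rows="3" name="msg"><?= $e($old['msg']) ?></textarea></label><br>
<input type="submit" name="submit" value="Submit Form">
</form>
```

Two details matter for the asker's situation: the redirect block sits above the HTML and ends with `exit`, so no output precedes `header()`; and the status code is 303, which browsers treat as "repeat with GET" regardless of the original method, so a refresh of the landing page never replays the INSERT.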
The problem is that your code will execute the same way when sent the same data. You need to protect against double inserts by one of many constructs:

  • Unique key on the table
  • Store hash of last post in session, refuse post if it has the same hash as stored
  • redirect user to different page on success, so that a refresh will not cause the same POST
Eugen Rieck
  • Well, no, I want to show the same page on success. You can see the code, like echo "Discussion was submitted"; I want that, when I first submit the form, it should say echo "discussion was...." and after that, if I refresh the page, it shouldn't insert the data into MySQL. – creativeartbd Dec 18 '11 at 17:57
  • You could simply display the success message on the redirection landing page: something like (This is Pseudocode, not PHP) INSERT INTO .... ; $lid=SELECT last_insert_id() FROM discussion; redirect("landingpage.php&id=$lid"); – Eugen Rieck Dec 18 '11 at 18:09
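The first two constructs in this answer (a one-time form token and a hash of the last accepted post) complement the redirect rather than replace it: they reject a replayed POST even when the browser re-sends it. The following is an added example, not the answerer's code, showing both as functions together with the unique-key fallback; the function names, session keys and the callback used in place of a mysqli insert are this example's own choices. It runs from the CLI against a constructed session array.

```php
<?php
// Added example (not from the answer): duplicate-POST protection with a
// single-use form token, a hash of the last accepted post, and the MySQL
// unique key as a last resort. Names below are assumptions, not a library API.

// Called when rendering the form: mints a random token, stores it in the
// session and returns it for <input type="hidden" name="token" value="...">.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_token'] = $token;
    return $token;
}

// Called when handling the POST: accepts the token exactly once. A refresh or
// a second click resends the same token, which is gone from the session.
function consume_form_token(array &$session, ?string $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);            // single use
    return $expected !== null
        && $submitted !== null
        && hash_equals($expected, $submitted); // constant-time comparison
}

// Second line of defence: refuse a post whose content equals the last one this
// session inserted. json_encode gives a canonical byte string to hash.
function is_duplicate_post(array &$session, array $fields): bool
{
    $fingerprint = hash('sha256', json_encode($fields));
    if (($session['last_post_hash'] ?? null) === $fingerprint) {
        return true;
    }
    $session['last_post_hash'] = $fingerprint;
    return false;
}

// Third line of defence, in the database itself (MySQL DDL, assumed columns):
//   ALTER TABLE discussion ADD UNIQUE KEY uq_post (uname, subject, message);
// A replayed INSERT then fails with error 1062 (ER_DUP_ENTRY) instead of
// creating a row. With mysqli_report(MYSQLI_REPORT_STRICT) that surfaces as a
// mysqli_sql_exception, which handle_post() turns into a user message.
function handle_post(array &$session, array $post, callable $insert): string
{
    if (!consume_form_token($session, $post['token'] ?? null)) {
        return 'Form expired or already submitted';
    }
    $fields = [
        'type' => (string) ($post['type'] ?? ''),
        'sub'  => (string) ($post['sub'] ?? ''),
        'msg'  => (string) ($post['msg'] ?? ''),
    ];
    if (is_duplicate_post($session, $fields)) {
        return 'Duplicate post ignored';
    }
    try {
        $insert($fields, (string) $session['uname']); // real code: prepared INSERT
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) {
            return 'Already submitted';
        }
        throw $e;
    }
    return 'Discussion was submitted';
}

// Walk-through with a constructed session array and an in-memory "table" in
// place of mysqli, so the file runs from the CLI. A web handler passes $_SESSION.
$session = ['uname' => 'alice'];
$rows    = [];
$insert  = function (array $fields, string $uname) use (&$rows): void {
    $rows[] = $fields + ['uname' => $uname];
};

$token = issue_form_token($session);   // would be rendered into the form
$post  = ['token' => $token, 'type' => 'General', 'sub' => 'Hello', 'msg' => 'First post'];
echo handle_post($session, $post, $insert), PHP_EOL; // first submission is inserted
echo handle_post($session, $post, $insert), PHP_EOL; // refresh replays the token and is refused
echo count($rows), ' row(s) in the table', PHP_EOL;
```

The token check fires first because it is the cheapest and catches the refresh case exactly; the content hash additionally stops a user who reloads the form, gets a fresh token and submits the identical text again; the unique key is the only one of the three that also holds across sessions and concurrent requests.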