Refresh resubmits data 1

RhythmAce · Mar 14, 2008

Sorry for asking such stupid questions but I'm trying to teach myself php and I'm not a very good teacher. I have a script that uses a form. When I click the submit button, everything works as expected. However, if I click on the browser's refresh button, the form is resubmitted. It will do this until I click the submit button again or leave and come back. Is this a common occurrence or will you need to see the script in action or the source code?

jpadie · Mar 15, 2008

this is a common problem.

a redirect is one of the common solutions. however it does not, to my mind, completely deal with the issue as the browser could drop back two pages, and the same result would be achieved.

my favourite solution to this is to include a 'nonce' (a number used once in the form or url). the nonce is then checked server side to determine whether the form data should be ignored.

if the nonce is valid then the data is captured and then the nonce is invalidated (as it has been used).

the nonce is stored serverside AND clientside so that it may be compared.

the nonce is nothing more complex than a unique string.

check out thread434-1366256 for a more fulsome response and sample code.

RhythmAce · Mar 15, 2008

Thank you very much. Once I get the hang of it, I know I will be using your solution in a lot more of my scripts.

RhythmAce · Mar 17, 2008

I finally had the opportunity to try your code this weekend. It works fine in stand alone mode but I could never figure out how to use it with a script that uses a database. What I did was swap my form for yours and adding the hidden field. Then I changed this:

Code:

if (isset($_POST['submit'])){
    processForm();
}else{
    displayForm();
}

to this:

Code:

if (isset($_POST['submit'])){
    killVars();
}

I was simply trying to cut to the chase. ;-) Other than processForm and displayForm, I kept all the other functions intact. The long and short of it is, when I do this, my form does not post. I tried putting the form in a separate page and still no joy. I tried the code in each of the pages. When I put it in the form page, it did nothing. It was like it wasn't there. When I put it in the display page, it wouldn't post. I have other pages with forms that do the same thing but if you can show me how to use the code on this page, I'm sure I'll be able to figure out what to do with the rest. Here is the page that is giving me fits:

Code:

<?php

	header("Expires: Mon, 7 Apr 1967 09:00:00 GMT"); // expires in the past
	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // Last modified, right now
	header("Cache-Control: no-cache, must-revalidate"); // Prevent caching, HTTP/1.1
	header("Pragma: no-cache"); // Prevent caching, HTTP/1.0

$host = "localhost";
$user = "user";
$pass = "password";
$db = "candle";

$error = 0;
mysql_connect($host, $user, $pass) OR die ("Could not connect to the server.");
mysql_select_db($db) OR die("Could not connect to the database.");

if ($_POST['submit'] && $_POST['name'] && $_POST['message']) {
$name = $_POST['name'];
$message = $_POST['message'];

if (strlen($message) > 100) {
echo "your message is longer than 100 chars<br /><a href=\"index.php\">Back to messages</a>";
$error = 1;
}

if (strlen($name) > 25) {
echo "your name is longer than 25 chars<br /><a href=\"index.php\">Back to messages</a>";
$error = 1;
}
$message = htmlspecialchars($message);
$message = nl2br($message);
$message = mysql_real_escape_string($message);
$name = htmlspecialchars($name);
$name = mysql_real_escape_string($name);

if ($error != 1) {
mysql_query("INSERT INTO candle (name, message) VALUES ('$name', '$message')");
}
}

?>
<html>
<head>
<title>Light a Memorial Candle</title>
</head>
<body bgcolor="#000000" text="#804040" link="#804040" alink="#bc8f8f" vlink="#804040">
<font face="Times New Roman"><EM>
<table cellspacing="0" cellpadding="3" width="100%" align="center" border="0">
  <tbody>
  <tr></tr>
  <tr>
    <td bgcolor="#804040"></td>
    <td width="85%">

<center><h1>In Loving Memory of Daniel J. Sorum</h1></center>
<p>&nbsp</p>
<center>
<table cellspacing="16"><tr align="center">


<?
     $interval = 0;

 if ($error != 1) {

$result = mysql_query("SELECT * FROM candle ORDER BY id DESC LIMIT 0,10");
while ($row = mysql_fetch_array($result)) {
?>
                  <td><table border="3" width="185" height="200"><td align="center">
                  <img src="images/candle.gif" width="70" height="79"><br><b><? echo $row['name'];?></b><br><br><? echo $row['message'];?>
                  </td></table></td></EM>
<?
                  $interval++;
                  if($interval == 3)
                  {
                           print("</tr><tr>");
                           $interval = 0;
                  }
         }
    }

?>

</td>
    </tr>
  </table>
<p>&nbsp</p>
<p>&nbsp</p>

<center>

<form method="post" action="index.php" >
    In Memory of:<br /><input type="text" maxlength="25" name="name"><br /><br />
    Message: (3 lines max)<br /><textarea name="message" cols="30" rows="3"></textarea><br /><br />
    <input type="submit" name="submit" value="Submit"> <input type="reset">
</form>

</center>

<p>&nbsp</p>
<p>&nbsp</p>
     </td>
    <td bgcolor="#804040"></td>
  </tr>
</tbody>
</table>
</body>
</html>

jpadie · Mar 17, 2008

i think you need to go back to my version for the main verification code. killvars does not sound like the right function to use off the bat. you need to use testunique() to validate. it returns true if the submission is real, false if not. you call killvars() after you have processed the data.

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Refresh resubmits data 1

RhythmAce

Technical User

jpadie

Technical User

RhythmAce

Technical User

RhythmAce

Technical User

jpadie

Technical User

Similar threads

Part and Inventory Search

Sponsor