
PHP Server Side Scripting Forum

    
Preventing Double submit on refresh/back
Marked




msg:4131931
 9:41 am on May 13, 2010 (gmt 0)

Hi all,

I'm trying to correct the issue of double submit in my script. I have done a bit of googling, but most solutions that I have found aren't quite what I'm looking for...

In my script, I have something like the following (on a single page):
if(isset($_POST['hidden_field']))
{
// execute some code when the form is submitted
}

<form method="POST" action="">
<input type="hidden" value="hidden_field" name="hidden_field"/>
</form>

So basically the form and code when the form is submitted are in the same file. A quick example of what is happening is when you add or delete a certain item via the form, if you click back on the browser or refresh the page it tries to submit again. This is the double submit problem.

In my searches I mostly found scripts to disable buttons, but this didn't work. What I want to happen is when you submit the form, and the page reloads, it no longer tries to submit again when the page is refreshed or the back button is clicked. I heard the best way to do this is by redirect and changing POST to GET.

Does anyone know how I can go about getting this working?

Thanks in advance,
Mark.

 

Matthew1980




msg:4131934
 10:36 am on May 13, 2010 (gmt 0)

Hi there Marked,

HTML code:-

<form method="POST" action="">
<input type="submit" value="Submit" name="submit"/>
</form>

PHP code:-

<?php
if(isset($_POST['submit']) && ($_POST['submit'] == "Submit"))
{
// execute some code when the form is submitted
}

This is what I use, and I haven't had a 'double submit' yet. I.e. check the value of the key, then process.

Changing $_POST to $_GET is only good if you create the vars and pass them in the URL, $_POST is from the form submitted data.

I suppose there is some fancy js out there that would disable the submit button when it is actioned, but I have never tried this method.

Hope this helps..

Cheers,
MRb

londrum




msg:4131936
 10:50 am on May 13, 2010 (gmt 0)

another easy way is just to put a short-lived cookie on their system when they submit (just a couple of minutes will probably do)
if you check for the existence of that cookie every time someone new submits, then you will know whether to throw an error.

webizarre




msg:4131941
 11:23 am on May 13, 2010 (gmt 0)

You can redirect the user to another page after submitting the form once. Here is the code you can use in mail configuration:


$Redirect_URL="http://www...";


This can be used to avoid second hits.

jatar_k




msg:4132105
 4:50 pm on May 13, 2010 (gmt 0)

scripts shouldn't post to themselves

post to a processing script that has no output

on error reinclude the form
on success redirect to a success page

Matthew1980




msg:4132534
 7:51 am on May 14, 2010 (gmt 0)

Hi there jatar_k,

I should have been clear about that really, posting to a dedicated php file or class enables you to handle things better, but you can still do error checking and blank submissions from posting to 'itself'.

I think though setting in place a dedicated form handler is just better practise, from there you can handle all exceptions. Just my opinion there, there may be better options that I haven't encountered yet ;)

Cheers,
MRb

mooger35




msg:4132865
 6:37 pm on May 14, 2010 (gmt 0)

What I've been using recently is a jquery pop up window that uses ajax to post the form to a processing page and then returns either "success" or an error message (or messages). If success a notification of the fact pops up and then the jquery window gets automatically closed half a second later. If error message(s) then notification of what went wrong occurs.

Any reason this way of doing things would be a horrible idea?

Marked




msg:4133129
 9:57 am on May 15, 2010 (gmt 0)

Thanks for all your replies :)

For my script there is no need for an error message system, because I use javascript to ensure the form is filled out correctly.

Ok, what I did was create this function:
function doRedirect($url)
{
header('Location: '.$url);
}

And then:
if(isset($_POST['hidden_field']))
{
//run code

doRedirect($_SERVER['REQUEST_URI']);
exit();

}


It works pretty well. However, it does not work when the user tries to go back. At the moment though I'm pretty satisfied with this system. :)

brotherhood of LAN




msg:4133130
 10:02 am on May 15, 2010 (gmt 0)

there is no need for an error message system, because I use javascript


It would be recommended to also validate the form server-side as well as client-side.

Client-side validation saves the hassle of page reloads, but ultimately server-side validation ensures that the data is truly valid.

Matthew1980




msg:4133136
 10:37 am on May 15, 2010 (gmt 0)

Hi there marked,

To add onto brotherhood of LAN's point, not all people have js enabled, so for user/cross platform compatibility it would be preferable to use the php validation as it's server side and not client side.

Cheers,
MRb

rocknbil




msg:4133219
 4:57 pm on May 15, 2010 (gmt 0)

not all people have js enabled


Two cents on that . . . in cases of user input, it's not so much your users (which is important on its own) but that those who would abuse your site do so from command line apps without even touching the form. They completely circumnavigate the form with a post directly to your script. In such cases they can inject data you wouldn't expect.

Matthew1980




msg:4133224
 5:07 pm on May 15, 2010 (gmt 0)

Hi there Marked,

And then:
if(isset($_POST['hidden_field']) && ($_POST['hidden_field'] == "hidden_field"))
{
//run code

doRedirect($_SERVER['REQUEST_URI']);
exit();

}



Ok, so you're checking the key, at least check the value of the key to see if it is what it should be, after all it could be set, but with a completely different value from what you assigned to it, kinda like rocknbil suggests :)

I find that checking both value and key is better as you can then direct the script accordingly, and as jatar_k says, keep the files separate, or direct to a dedicated file so that you can then show the user something else after they have posted, or redirect back to the same page if an error arises ie: blank field; illegal data etc, etc.

Hope this helps ;)

Cheers,
MRb

Readie




msg:4133241
 6:39 pm on May 15, 2010 (gmt 0)

&& ($_POST['hidden_field'] == "hidden_field")

I'm pretty sure that a string "is equal to" 0 - so the "is identical to" comparison should be used here, to prevent users doing any damage during an injection attempt, or exposing any vulnerabilities:

&& ($_POST['hidden_field'] === "hidden_field")

Just to be safe :)

arvind gupta




msg:4134523
 6:58 am on May 18, 2010 (gmt 0)

I generally tend to use a random key to stop multiple form submission. For example:

<?php
session_start();

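// Process form: the submitted key must be present and match the one stored in the session
if(isset($_GET['submit'], $_GET['key'], $_SESSION['key']) && $_GET['key'] == $_SESSION['key'])
{
// Process
echo 'processed';
}
else {
echo 'not processed';
}
?>

<?php
// Issue a new key for the next submission
$_SESSION['key'] = mt_rand(1, 1000);
?>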
<!-- Form -->
<form action="" method="get">
<input type="hidden" name="key" value="<?php echo $_SESSION['key'] ?>" />
<input type="submit" name="submit" value="Submit" />
</form>


Hope this helps!
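
An added example (not code from any poster in this thread) that combines the two approaches discussed above: the post-then-redirect flow and the per-form key. It assumes a single self-contained page and the hypothetical field names `form_token` and `item`, and it uses `random_bytes()` with `hash_equals()` where the thread's snippet uses `mt_rand()` and `==`; because the key is consumed on first use, resubmitting the cached form after pressing back is rejected as well.

```php
<?php
// Added example: Post/Redirect/Get with a single-use form token.
// Field names (form_token, item) and the ?done=1 flag are assumptions.
declare(strict_types=1);
session_start();

function issue_token(): string
{
    // 32 bytes from the CSPRNG; kept server-side and echoed into the form.
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
    return $_SESSION['form_token'];
}

function consume_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);   // single use: a replayed POST finds nothing
    // $_POST values may be arrays (form_token[]=x), so require strings first.
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $item = $_POST['item'] ?? '';
    if (!consume_token($_POST['form_token'] ?? null)) {
        $error = 'Form expired or already submitted.';
    } elseif (!is_string($item) || trim($item) === '') {
        $error = 'Item is required.';  // server-side validation, independent of any JS
    } else {
        // ... perform the add/delete exactly once here ...
        // 303 makes the browser fetch the result with GET, so refresh re-sends nothing.
        // SCRIPT_NAME is set by the server, unlike the client-supplied REQUEST_URI.
        header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?done=1', true, 303);
        exit;
    }
}
$token = issue_token();  // fresh token for the form rendered below
?>
<?php if (isset($_GET['done'])): ?><p>Saved.</p><?php endif; ?>
<?php if ($error !== ''): ?><p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<form method="post" action="">
<input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
<input type="text" name="item">
<input type="submit" value="Submit">
</form>
```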


All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved