I think that this problem occurs often on a web application development. But I'll try to explain in details my problem.
I'd like to know how to correct this behavior, for example, when I have a block of code like this :
<?
if (isset($_POST['name'])) {
... operation on database, like to insert $_POST['name'] in a table ...
echo "Operation Done";
die();
}
?>
<form action='page.php' method='post' name="myForm">
<input type="text" maxlength="50" name="name" class="input400" />
<input type="submit" name="Submit" />
</form>
When the form gets submitted, the data get inserted into the database, and the message Operation Done is produced. Then, if I refreshed the page, the data would get inserted into the database again.
How this problem can be avoided? Any suggestion will be appreciated :)
Don't show the response after your create action; redirect to another page after the action completes instead. If someone refreshes, they're refreshing the GET requested page you redirected to.
// submit
// set success flash message (you are using a framework, right?)
header('Location: /path/to/record');
exit;
Set a random number in a session when the form is displayed, and also put that number in a hidden field. If the posted number and the session number match, delete the session, run the query; if they don't, redisplay the form, and generate a new session number. This is the basic idea of XSRF tokens, you can read more about them, and their uses for security here: http://en.wikipedia.org/wiki/Cross-site_request_forgery
Here is an example:
<?php
session_start();
if (isset($_POST['formid']) && isset($_SESSION['formid']) && $_POST["formid"] == $_SESSION["formid"])
{
$_SESSION["formid"] = '';
echo 'Process form';
}
else
{
$_SESSION["formid"] = md5(rand(0,10000000));
?>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
<input type="hidden" name="formid" value="<?php echo htmlspecialchars($_SESSION["formid"]); ?>" />
<input type="submit" name="submit" />
</form>
<?php } ?>
I ran into a similar problem. I need to show the user the result of the POST. I don't want to use sessions and I don't want to redirect with the result in the URL (it's kinda secure, I don't want it accidentally bookmarked). I found a pretty simple solution that should work for the cases mentioned in other answers.
On successfully submitting the form, include this bit of Javascript on the page:
<script>history.pushState({}, "", "")</script>
It pushes the current URL onto the history stack. Since this is a new item in history, refreshing won't re-POST.
UPDATE: This doesn't work in Safari. It's a known bug. But since it was originally reported in 2017, it may not be fixed soon. I've tried a few things (replaceState, etc), but haven't found a workaround in Safari. Here are some pertinent links regarding the issue:
Safari send POST request when refresh after pushState/replaceState
https://bugs.webkit.org/show_bug.cgi?id=202963
https://github.com/aurelia/history-browser/issues/34
Like this:
<?php
if(isset($_POST['uniqid']) AND $_POST['uniqid'] == $_SESSION['uniqid']){
// can't submit again
}
else{
// submit!
$_SESSION['uniqid'] = $_POST['uniqid'];
}
?>
<form action="page.php" method="post" name="myForm">
<input type="hidden" name="uniqid" value="<?php echo uniqid();?>" />
<!-- the rest of the fields here -->
</form>
I think it is simpler,
page.php
<?php
session_start();
if (isset($_POST['name'])) {
... operation on database, like to insert $_POST['name'] in a table ...
$_SESSION["message"]="Operation Done";
header("Location:page.php");
exit;
}
?>
<html>
<body>
<div style='some styles'>
<?php
//message here
echo $_SESSION["message"];
?>
</div>
<form action='page.php' method='post'>
<!--elements-->
</form>
</body>
</html>
So, for what I needed this is what works.
Based on all of the above solutions this allows me to go from a form to another form, and to the n^ form , all the while preventing the same exact data from being "saved" over and over when a page is refreshed (and the post data from before lingers onto the new page).
Thanks to those who posted their solution which quickly led me to my own.
<?php
//Check if there was a post
if ($_POST) {
//Assuming there was a post, was it identical as the last time?
if (isset($_SESSION['pastData']) AND $_SESSION['pastData'] != $_POST) {
//No, Save
} else {
//Yes, Don't save
}
} else {
//Save
}
//Set the session to the most current post.
$_session['pastData'] = $_POST;
?>
We work on web apps where we design number of php forms. It is heck to write another page to get the data and submit it for each and every form. To avoid re-submission, in every table we created a 'random_check' field which is marked as 'Unique'.
On page loading generate a random value and store it in a text field (which is obviously hidden).
On SUBMIT save this random text value in 'random_check' field in your table. In case of re-submission query will through error because it can't insert the duplicate value.
After that you can display the error like
if ( !$result ) {
die( '<script>alertify.alert("Error while saving data OR you are resubmitting the form.");</script>' );
}
No need to redirect...
replace die(); with
isset(! $_POST['name']);
, setting the isset to isset not equal to $_POST['name'], so when you refresh it, it would not add anymore to your database, unless you click the submit button again.
<?
if (isset($_POST['name'])) {
... operation on database, like to insert $_POST['name'] in a table ...
echo "Operation Done";
isset(! $_POST['name']);
}
?>
<form action='page.php' method='post' name="myForm">
<input type="text" maxlength="50" name="name" class="input400" />
<input type="submit" name="Submit" />
</form>
This happen because of simply on refresh it will submit your request again.
So the idea to solve this issue by cure its root of cause.
I mean we can set up one session variable inside the form and check it when update.
if($_SESSION["csrf_token"] == $_POST['csrf_token'] )
{
// submit data
}
//inside from
$_SESSION["csrf_token"] = md5(rand(0,10000000)).time();
<input type="hidden" name="csrf_token" value="
htmlspecialchars($_SESSION["csrf_token"]);">
I think following is the better way to avoid resubmit or refresh the page.
$sample = $_POST['submit'];
if ($sample == "true")
{
//do it your code here
$sample = "false";
}
I have a simple HTML script:
<form action="" method="post">
<input type="text" name="amount">
<?php echo $amountError; ?>
<input type="submit">
</form>
And I display errors using this:
<?
$amount = $_POST['amount'];
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (empty($_POST['amount'])) {
$amountError = 'Empty amount';
} else {
header("Location: apmoketi.php");
}
?>
In the apmoketi.php file there is only one line
echo $amount = $_POST['amount'];
However, when I'm trying to display data in the apmoketi.php page, I don't get the value of the $amount variable using action="", but using action="apmoketi.php" I can get it but my PHP code doesn't checking for any errors, why?
A call to header("Location: apmoketi.php"); makes the browser follow the specified URL as another, completely separate request. This new request doesn't have access to the POST data of the previous one.
Your options:
use include so apmoketi.php has access to the variables of the current script
use sessions to preserve data between requests
use a query parameter to carry the value over:
header('Location: apmoketi.php?amount=' . urlencode($amount));
When you redirect to header("Location: apmoketi.php");, the variables are no longer in $_POST[] so you need to set a session variable before you redirect:
$_SESSION['amount'] = $amount;
the way i do it is i have a folder called action with subfiles in there lets say the file called file2 in this file all the php action happens.
and in the root of my folder i have another file called file1 and in here theres the html and now how i would do it is
<form action="action/file2.php" method="post">
<input type="text" name="amount">
<?php echo $amountError; ?>
<input type="submit">
</form>
I have numerous pages that I need to access a variable on. This variable is assigned a value when a user enters an ID into a form on accounts.php:
account.php
<form action="afterlog.php" class="form" method="post">
<input type="text" name="amid" id = "amid" class="input" />
<input class="btn" type="submit" value="Go" />
</form>
which posts the value 'amid' to afterlog.php
afterlog.php
<?php
session_start();
if($_SERVER['REQUEST_METHOD']=='POST')
{
$_SESSION['account_manager_id']=$account_manager_id;
$account_manager_id = $_POST['amid'];
header('Location: customer_view.php');
}
?>
which checks the POST, assigns the session variable, and redirects rhe user to customer_view.php
customer_view.php
I need to use '$account_manager_id' in this page and all pages after. Here is how I am assigning it the value of the _SESSION variable:
<?php
session_start();
$_SESSION['account_manager_id']=$account_manager_id;
?>
Bu the value isn't being held on any of the pages, including customer_view.php. I know its passing to afterload.php because it prints out on that page, but its gone after that page.
What I am doing wrong?
Thanks for your help!
You are trying to assign a value to $_SESSION['account_manager_id'] before $account_manager_id has any value in it. You just need to switch the order:
$_SESSION['account_manager_id']=$account_manager_id;
$account_manager_id = $_POST['amid'];
or simply:
$_SESSION['account_manager_id'] = $_POST['amid'];
in afterlog.php
<?php
if($_SERVER['REQUEST_METHOD']=='POST')
{
$account_manager_id = $_POST['amid'];
$_SESSION['account_manager_id']=$account_manager_id;
header('Location: customer_view.php');
}
?>
or
<?php
if($_SERVER['REQUEST_METHOD']=='POST')
{
$_SESSION['account_manager_id']=$_POST['amid'];
header('Location: customer_view.php');
}
?>
Sorry if this is a duplicate, but I really cant find anything that could solve my problem. I can pass numbers and strings like $_SESSION['blabla']="123'; but I can't pass this $_POST value from the textfield and submit button.
Page 1 (sessions.php)
<?php session_start(); ?>
!doctype stuff here
<body>
<form id="form1" name="form1" method="post" action="sessions2.php">
<label>
<input type="text" name="damn" id="damn" />
<input type="submit" name="submit" id="submit" value="Submit" />
</label>
</form>
<?php
$omg = $_POST['damn'];
$_SESSION['damn'] = $omg;
echo $_SESSION['damn'] ;
?>
Page 2 (sessions2.php)
<?php
session_start();
$fires = $_SESSION['damn'];
echo "wth";
echo $_SESSION['damn'];
?>
PS. Sorry for the names.. I'm truly stumped.
You need to put the code that reads from $_POST in the file that you submit the form to.
Currently your process is:
Get request for sessions.php
Send form to browser
Assign $_POST['damn'] (which is undefined) to the session.
User submits form
Get request for sessions2.php
Ignore $_POST (which is now populated)
Read from the session (where the variable is still undefined).
damn is populated in the form submission request (step 4/5) not the request where you are trying to read it (step 1).
In sessions2.php
// you POST "damn" variable via form, using post method, so:
$fires = $_POST['damn'];
// and:
$_SESSION['damn'] = $fier;
// or
$_SESSION['damn'] = $_POST['damn'];
PHP code in file sessions.php doesn't work, because in form action you have session2.php.
I am trying to set a session variable for the location selected in the dropdown menu when the user hits submit. The goal is to pass this variable to another php page so that I can display the drop down option they chose along with two values associated with it from a MYSQL table.
Below is a section of my code from my first php file. It shows the dropdown that is created from a list of values from the MYSQL database along with where I am trying to set the session variable for the selected option.
session_start();
<form action="/locationsprocessing.php" method="post">
<select id="locations" name="locations"><? echo $option; ?></select>
<input type="submit" value="Submit" name="submit" id="submit">
</form>
<?php
if (isset($_POST['submit'])) {
$_SESSION['locations'] = $_POST['locations'];
$_SESSION['animal'] = 'cat';
}
Below is my code from the second page where I call the session variables for display. As you can see I have input another variable for testing purposes. It is supposed to display "cat" and it does.
session_start();
echo $_SESSION['animal'];
echo $_SESSION['locations'];
It may also be important to note that locationsprocessing.php runs a redirect using header. But that is really all that file does.
Am I missing something? I have gone through countless different tuts and such and been staring at this code forever. I can not see why it wo
you need start session in every pages where you need to use session:
<form action="/locationsprocessing.php" method="post">
<select id="locations" name="locations"><? echo $option; ?></select>
<input type="submit" value="Submit" name="submit" id="submit">
</form>
<?php
if (isset($_POST['submit'])) {
session_start();
$_SESSION['locations'] = $_POST['locations'];
$_SESSION['animal'] = 'cat';
}
This may be going wrong: When you submit your form in the first piece of code from the questions, you are sending the data entered in the form to /locationsprocessing.php. You say that all that file does is redirecting to another page. That means the data entered in the form is effectively lost.
I think what you want to do is to remove the form processing code from the first piece of code, so with only this remaining:
session_start();
<form action="/locationsprocessing.php" method="post">
<select id="locations" name="locations"><? echo $option; ?></select>
<input type="submit" value="Submit" name="submit" id="submit">
</form>
Then place that removed piece of code in /locationsprocessing.php, like this:
session_start();
if (isset($_POST['submit'])) {
$_SESSION['locations'] = $_POST['locations'];
$_SESSION['animal'] = 'cat';
header('Location: ' . $destination);
}
$destination would be the path for the page with the second piece of code in the question.