Form into Database advice….

I know this has probably been talked about before… I just can’t find what I’m looking for.

I've got a form that submits back to itself; if it validates, it submits into a MySQL database. Pretty basic, I think.

The problem is, if the person hits the refresh button, it will go through the 'insert' process again and create another row in the database. I know this is not a problem on a back end, but this form is for people to register for an event. Basically, the general public will be using this, so anything can happen.

What is the best way to keep people from submitting something twice? Also, I’ll post my form on here. Is there anything else I should do to make this more secure? Do you see anything that is a real security flaw?

Thanks a lot.

[code=php]<link href="/styles/pages/bill_geist_presentation.css" rel="stylesheet" type="text/css" />

<?php

if ('POST' == $_SERVER['REQUEST_METHOD']) {
    include_once $_SERVER['DOCUMENT_ROOT'] . "/edit/code/edit_functions.php";

    // Trim and escape every submitted value once, here. (addslashes() is not a
    // real SQL escape; mysql_real_escape_string() or a prepared statement is the
    // safe choice when the value is placed inside a query string.)
    while (list($key, $val) = each($_REQUEST)) {
        $_REQUEST[$key] = trim(addslashes($val));
    }

    // Read the form fields from the (already escaped) request data.
    $companyName     = isset($_REQUEST['companyName'])     ? $_REQUEST['companyName']     : null;
    $phone           = isset($_REQUEST['phone'])           ? $_REQUEST['phone']           : null;
    $email           = isset($_REQUEST['email'])           ? $_REQUEST['email']           : null;
    $numberAttending = isset($_REQUEST['numberAttending']) ? $_REQUEST['numberAttending'] : null;
    $attendee1       = isset($_REQUEST['attendee1'])       ? $_REQUEST['attendee1']       : null;
    $attendee2       = isset($_REQUEST['attendee2'])       ? $_REQUEST['attendee2']       : null;
    $attendee3       = isset($_REQUEST['attendee3'])       ? $_REQUEST['attendee3']       : null;
    $attendee4       = isset($_REQUEST['attendee4'])       ? $_REQUEST['attendee4']       : null;
    $payment         = isset($_REQUEST['payment'])         ? $_REQUEST['payment']         : null;

    //print_r($_POST);

    $error = false;
    $error_message = "";

    // Required fields: an empty (trimmed) string compares equal to null.
    if ($companyName == null) {
        $error = true;
        $error_message .= "<li>Company Name is required.</li>";
    }

    if ($phone == null) {
        $error = true;
        $error_message .= "<li>Phone is required.</li>";
    }

    if ($email == null) {
        $error = true;
        $error_message .= "<li>Email is required.</li>";
    }

    if ($numberAttending == null) {
        $error = true;
        $error_message .= "<li>Number Attending is required.</li>";
    }

    if ($attendee1 == null) {
        $error = true;
        $error_message .= "<li>You need to insert an attendee name.</li>";
    }

    // attendee2 to attendee4 are optional and may stay empty.

    if ($payment == null) {
        $error = true;
        $error_message .= "<li>Payment Type is required.</li>";
    }

    if ($error) {
        $echo_string = "Do not run query into Database. <br />";
        $echo_string .= "Please Fix These Errors. <ul>";
        $echo_string .= $error_message . "</ul>";
        echo $echo_string;
    } else {
        // First column is left empty for the table's own id; last column is a flag set to 0.
        $query = "INSERT INTO bill_geist_registration VALUES ('', '$companyName', '$phone', '$email', '$numberAttending', '$attendee1', '$attendee2', '$attendee3', '$attendee4', '$payment', '0')";
        dbconnect_admin();
        if (mysql_query($query)) {
?>
<h1>Registration Complete</h1>
<p>Thank you for registering for this event! You now just need to pay. Please click the link below, and follow the instructions for payment. If you are paying with a credit card, you can fill this out and fax it to us. If you are paying by check, fill the form out and mail it to us with a check. Thank you very much.</p>
<p><a href="#">Link to PDF</a></p>
<p>If you have any questions or concerns, please call us at ### ### ####.</p>

<?php
        } else {
?>
<h1>Registration Error</h1>
<p>Please hit the back button and try to register again. If you have received this error twice in a row, please call (563) 322-3911 ext. 107.</p>
<?php
        }

        mysql_close();
    }

} else { // end at bottom of file.
?>

<h1>Bill Geist Presentation</h1>

<p>Unveiling of the Quad Cities Destination Review Presented by Nationally Recognized Consultant/Speaker Bill Geist on Feb. 22nd.</p>

<strong>Must RSVP by February 16th</strong>

<form action="/for_visitors/bill_geist_presentation.html" method="post" name="geistForm" id="geistForm">

<div class="form_div">
<table cols="2">
<tr>
<td class="title">Company Name:</td>
<td class="input"><input type="text" size="50" id="companyName" name="companyName" value="" /></td>
</tr>
<tr>
<td class="title">Contact Phone:</td>
<td class="input"><input type="text" size="30" id="phone" name="phone" value="" /></td>
</tr>
<tr>
<td class="title">Contact Email:</td>
<td class="input"><input type="text" size="40" id="email" name="email" value="" /></td>
</tr>
<tr>
<td class="title">Number Attending:</td>
<td class="input">
<select name="numberAttending" id="numberAttending">
<option value=""></option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
</select><span class="note">(Limit of 4)</span>
</td>
</tr>
<tr>
<td class="title">Attendee 1:</td>
<td class="input"><input type="text" size="40" id="attendee1" name="attendee1" value="" /><span class="note"> *contact name</span></td>
</tr>
<tr>
<td class="title">Attendee 2:</td>
<td class="input"><input type="text" size="40" id="attendee2" name="attendee2" value="" /></td>
</tr>
<tr>
<td class="title">Attendee 3:</td>
<td class="input"><input type="text" size="40" id="attendee3" name="attendee3" value="" /></td>
</tr>
<tr>
<td class="title">Attendee 4:</td>
<td class="input"><input type="text" size="40" id="attendee4" name="attendee4" value="" /></td>
</tr>
<tr>
<td class="title">Payment Method:</td>
<td class="input">
<select name="payment" id="payment">
<option value=""></option>
<option value="creditCard">Credit Card</option>
<option value="check">Check</option>
</select>
</td>
</tr>
</table>
</div>

<div class="frmButton_div">
<input type="submit" value="Submit Registration" id="frmButton" name="frmButton" />
</div>

</form>

<?php
} // end else
?>[/code]
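One way to stop a refresh from inserting a second row, as an added example (not the poster's code): a random one-time token is stored in the session when the blank form is rendered and sent back as a hidden field; the first valid submit consumes it, so the replayed POST from a refresh is rejected before the INSERT runs. Assumes PHP 7+ (random_bytes, ??); the session key name form_token is an assumption.

```php
<?php
// Added example (not the original poster's code): a one-time form token kept
// in the session. Assumes PHP 7+; 'form_token' is an assumed session key name.
session_start();

function issue_form_token() {
    // Fresh random token each time the blank form is rendered.
    $_SESSION['form_token'] = bin2hex(random_bytes(16));
    return $_SESSION['form_token'];
}

function consume_form_token($submitted) {
    // True exactly once per issued token. A browser refresh re-posts the same
    // token, which has already been removed, so the INSERT is never reached twice.
    if (!isset($_SESSION['form_token']) || !is_string($submitted)) {
        return false;
    }
    $ok = hash_equals($_SESSION['form_token'], $submitted);
    unset($_SESSION['form_token']);   // burn it whether or not it matched
    return $ok;
}

if ('POST' == $_SERVER['REQUEST_METHOD']) {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        echo '<p>This registration has already been received.</p>';
    } else {
        // ... the validation and INSERT from the posted script go here.
        // If validation fails and the form is shown again, call
        // issue_form_token() once more so the corrected submit carries a fresh token.
    }
} else {
    // Inside the <form>, alongside the other inputs:
    echo '<input type="hidden" name="form_token" value="'
       . htmlspecialchars(issue_form_token()) . '" />';
}
```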

@metrostars (Feb 02.2007) — Just redirect them to another page using

header("Location: example.php");
@jesseainskeep (author, Feb 02.2007) — That won't really work...

Something has already been written to the page since it's a template, and you can't use a header if something has already been written to the page.
@aussie_girl (Feb 02.2007) — I use a hidden input type in my form, e.g.

<input type="hidden" name="submitted" value="TRUE" />

then instead of what you are using

if ('POST' == $_SERVER['REQUEST_METHOD']){

use

if (isset($_POST['submitted'])) {

That way the data will only be sent if the user has clicked the submit button

or pressed enter, NOTE the difference between submitted and submit button
@NightShift58 (Feb 02.2007) — When doing a refresh, all the POST data will still be there, including hidden fields.

The solution is to validate, do the SQL insert/update and - before any output is sent to screen - redirect to the next page, where you can then output whatever you want to screen.

The only alternative to this - that I know - would be to use a session variable but that would/could be overkill.
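The validate, insert, then redirect-before-any-output flow described in this reply (Post/Redirect/Get), as an added example that is not NightShift58's code. It assumes a hypothetical save_registration() that validates and performs the insert, and an assumed target page /for_visitors/thanks.html; the confirmation text travels in a session value so the GET page can display it.

```php
<?php
// Added example of Post/Redirect/Get (not code from the thread). This must run
// before any HTML is sent: header() fails once output, even the template's
// <link> tag, has gone out. save_registration() is hypothetical and
// /for_visitors/thanks.html is an assumed page.
session_start();

function process_post(array $post) {
    $_SESSION['flash'] = save_registration($post)
        ? 'Thank you for registering! Please complete your payment.'
        : 'Registration error. Please try again.';
    // 303 makes the browser fetch the next page with GET, so a refresh there
    // re-requests that GET page and never replays the POST body.
    header('Location: /for_visitors/thanks.html', true, 303);
    exit;
}

function take_flash() {
    // Read the message once and clear it, so refreshing the thanks page shows nothing new.
    $msg = $_SESSION['flash'] ?? null;
    unset($_SESSION['flash']);
    return $msg;
}

if ('POST' == $_SERVER['REQUEST_METHOD']) {
    process_post($_POST);
}

// On thanks.html, after the template output has started:
$msg = take_flash();
if ($msg !== null) {
    echo '<p>' . htmlspecialchars($msg) . '</p>';
}
```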
@jesseainskeep (author, Feb 04.2007) — I had thought about using a session variable, but I thought as well this would be overkill. I've used sessions before, so I don't have a problem using them at all. I think this would be the only place on this site there would be a session variable.

Is it very uncommon to use a session variable on just one part of a site? I would only use it for one page, then probably kill the session after they left that page. Is that ok? Is this common at all?
@NightShift58 (Feb 05.2007) — I don't know what common or uncommon is in this context. This forum is full of "common" problems with a "twist".

When you have a problem, you look at your options and pick the best one for your system. If you can redirect and prevent a page reload with POST data, that's an option.

I don't think that there's a hard and fast rule about the use of session variables for this or that particular type of use. It's a tool made available to you. Use it where it makes sense.

Another option, which I didn't mention earlier, would be to change your script logic such that it will intercept the potential duplicates resulting from a page refresh - which would mean querying the affected SQL tables and preventing duplicates.

Within your app, I don't know what would make more sense or what would be easier. That's your call to make.
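The table-level option from this reply, as an added example (not from the thread): a UNIQUE key makes the database itself refuse a repeated registration, and the script treats MySQL error 1062 (duplicate key) as "already received" instead of a failure. The insert uses a prepared statement, so the values are bound rather than pasted into the SQL. The column list follows the posted INSERT; which columns identify a duplicate (here company plus email), the first column being AUTO_INCREMENT, and the connection credentials are assumptions.

```php
<?php
// Added example (not from the thread). Assumes mysqli and PHP 5.4+. The
// column list matches the posted INSERT (first column assumed AUTO_INCREMENT);
// which columns identify a duplicate is an assumption, here company + email.
//
// Constructed DDL, applied once to the table:
//   ALTER TABLE bill_geist_registration
//     ADD UNIQUE KEY uniq_registration (companyName, email);

define('ER_DUP_ENTRY', 1062);   // MySQL: duplicate entry for a unique key

function register_once(mysqli $db, array $f) {
    // Returns 'inserted', 'duplicate' or 'error'. Values are bound, never
    // interpolated, so addslashes() is unnecessary and quotes are harmless.
    $stmt = $db->prepare('INSERT INTO bill_geist_registration
        VALUES (NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, 0)');
    $stmt->bind_param('sssisssss',
        $f['companyName'], $f['phone'], $f['email'], $f['numberAttending'],
        $f['attendee1'], $f['attendee2'], $f['attendee3'], $f['attendee4'],
        $f['payment']);
    if ($stmt->execute()) {
        return 'inserted';
    }
    // The refresh case lands here: the second identical INSERT violates the
    // unique key, which is a duplicate, not a database failure.
    return $stmt->errno === ER_DUP_ENTRY ? 'duplicate' : 'error';
}

// Only the expected fields, every one present (blank if unused).
$fields = ['companyName', 'phone', 'email', 'numberAttending', 'attendee1',
           'attendee2', 'attendee3', 'attendee4', 'payment'];
$form = array_merge(array_fill_keys($fields, ''),
                    array_intersect_key($_POST, array_flip($fields)));

$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');   // placeholder credentials
switch (register_once($db, array_map('trim', $form))) {
    case 'inserted':  echo '<h1>Registration Complete</h1>'; break;
    case 'duplicate': echo '<p>This registration was already received.</p>'; break;
    default:          echo '<h1>Registration Error</h1>';
}
```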
@Nap (Jun 23.2007) — Here are two ways.

I'm not going to argue their merits, but they do work.

@ob_start(); // Start of Script
.
.
Your code.
.
.
@ob_end_clean();
flush();
ob_flush();
header ("Location: url.php?comp=$tblprefix"."&challenge=$_GET[challenge]");

What's happening here is the output buffer is flushed even though some output might have already been sent.


And another way:

I wanted my user to see a confirmation of their action then, after a short time, redirect them. I had to do it this way as a result of the way my application was designed.

echo "&lt;p class='text'&gt;Thank you! Information entered.&lt;/p&gt;";
echo "&lt;br /&gt;&lt;br /&gt;Redirecting to MENU in 1 seconds.&lt;br /&gt;";
echo '&lt;meta http-equiv="refresh" content="1;url=index.php?comp='.$tblprefix.'"&gt;';

The [b]1[/b] in [b]content="1;....[/b] indicates the number of seconds delay.

[b]url=[/b] points to the page you want it to go to.

Cheers,

Nap