1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 5:58 pm May 21, 2026

Forum Moderators: coopster

Message Too Old, No Replies

Preventing Double submit on refresh/back

         

Marked

9:41 am on May 13, 2010 (gmt 0)

10+ Year Member



Hi all,

I'm trying to correct the issue of double submit in my script. I have done a bit of googling, but most solutions that i have found arn't quite what im looking for...

In my script, i have something like the following (on a single page):
if(isset($_POST['hidden_field']))
{
execute some code when the form is submitted
}

<form method="POST" action="">
<input type="hidden" value="hidden_field" name="hidden_field"/>
</form>

So basically the form and code when the form is submitted are in the same file. A quick example of what is happening is when you add or delete a certain item via the form, if you click back on the browser or refresh the page it tries to submit again. This is the double submit problem.

In my searches i mostly found scripts to disable buttons, but this didnt work. What i want to happen is when you submit the form, and the page reloads, it no longer tried to submit again when the page is refreshed or the back button is clicked. I heard the best way to do this is by redirect and changing POST to GET.

Does anyone know how i can go about getting this working?

Thanks in advance,
Mark.

Matthew1980

10:36 am on May 13, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there Marked,

HTML code:-

<form method="POST" action="">
<input type="submit" value="Submit" name="submit"/>
</form>

PHP code:-

<?php
if(isset($_POST['submit']) && ($_POST['submit'] == "Submit"))
{
execute some code when the form is submitted
}

This is what I use, and I haven't had a 'double submit' yet. Ie check the value of the key, then process.

Changing $_POST to $_GET is only good if you create the vars and pass them in the URL, $_POST is from the form submitted data.

I suppose there is some fancy js out there that would disable the submit button when it is actioned, but I have never tried this method.

Hope this helps..

Cheers,
MRb

londrum

10:50 am on May 13, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



another easy way is just to put a short-lived cookie on their system when they submit (just a couple of minutes will probably do)
if you check for the existance of that cookie everytime someone new submits, then you will know whether to throw an error.

webizarre

11:23 am on May 13, 2010 (gmt 0)

10+ Year Member



You can redirect the user to other page after submitting the form once. Here is the code you can use in mail configuration:


$Redirect_URL="http://www...";


This can be used to avoid second hits.

jatar_k

4:50 pm on May 13, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



scripts shouldn't post to themselves

post to a processing script that has no output

on error reinclude the form
on success redirect to a success page

Matthew1980

7:51 am on May 14, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there jatar_k,

I should have been clear about that really, posting to a dedicated php file or class enables you to handle things better, but you can still do error checking and blank submissions from posting to 'itself'.

I think though setting in place a dedicated form handler is just better practise, from there you can handle all exceptions. Just my opinion there, there may be better options that I haven't encountered yet ;)

Cheers,
MRb

mooger35

6:37 pm on May 14, 2010 (gmt 0)

10+ Year Member



What I've been using recently is a jquery pop up window that uses ajax to post the form to a processing page and then returns either "success" or an error message (or messages). If success a notification of the fact pops up and then the jquery window gets automatically closed half a second later. If error message(s) then notification of what went wrong occurs.

Any reason this way of doing things would be a horrible idea?

Marked

9:57 am on May 15, 2010 (gmt 0)

10+ Year Member



Thanks for all your replies :)

For my script there is no need for an error message system, because I use javascript to ensure the form is filled out correctly.

Ok, what I did was create this function:
function doRedirect($url)
{
header('Location: '.$url);
}

And then:
if(isset($_POST['hidden_field']))
{
//run code

doRedirect($_SERVER['REQUEST_URI']);
exit();

}


It works pretty well. However does not work when the user tries to go back. At the moment though I'm pretty satsified with this system. :)

brotherhood of LAN

10:02 am on May 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



there is no need for an error message system, because I use javascript


It would be recommended to also validate the form server-side as well as client-side.

Client-side validation saves the hassle of page reloads, but ultimately server-side validation ensures that the data is truly valid.

Matthew1980

10:37 am on May 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there marked,

To add onto brotherhoodoflans point, not all people have js enabled, so for user/cross platform compatibility it would be preferable to use the php validation as its server side and not client side.

Cheers,
MRb

rocknbil

4:57 pm on May 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



not all people have js enabled


Two cents on that . . . in cases of user input, it's not so much your users (which is important on it's own) but that those who would abuse your site do so from command line apps without even touching the form. They completely circumnavigate the form with a post directly to your script. In such cases they can inject data you wouldn't expect.

Matthew1980

5:07 pm on May 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there Marked,

And then:
if(isset($_POST['hidden_field']) && ($_POST['hidden_field'] == "hidden_field"))
{
//run code

doRedirect($_SERVER['REQUEST_URI']);
exit();

}



Ok, so your checking the key, at least check the value of the key to see if it is what it should be, after all it could be set, but with a completely different value from what you assigned to it, kinda like rocknbil suggests :)

I find that checking both value and key is better as you can then direct the script accordingly, and as jatar_k says, keep the files seperate, or direct to a dedicated file so that you can then show the user something else after they have posted, or redirect back to the same page if an error arises ie: blank field; illegal data etc, etc.

Hope this helps ;)

Cheers,
MRb

Readie

6:39 pm on May 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member 



&& ($_POST['hidden_field'] == "hidden_field")

I'm pretty sure that a string "is equal to" 0 - so the "is identical to" comparison should be used here, to prevent users doing any damage during an injection attempt, or exposing any vulnerabilities: 

&& ($_POST['hidden_field'] [b]===[/b] "hidden_field")

Just to be safe :)

arvind gupta

6:58 am on May 18, 2010 (gmt 0)

10+ Year Member



I generally tend to use a random key to stop multiple form submission. For eaxmple: 

<?php
session_start();

// Process form
if(isset($_GET['submit']) && $_GET['key'] == $_SESSION['key'])
{
// Process
 echo 'processed';
}
else {
 echo 'not prcoessed';
}
?>

<?php
$_SESSION['key'] = mt_rand(1, 1000);
?>
<!-- Form -->
<form action="" method="get">
<input type="hidden" name="key" value="<?php echo $_SESSION['key'] ?>" />
<input type="submit" name="submit" value="Submit" />
</form>


Hope this helps!
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 5:58 pm May 21, 2026