azzaxp

Reputation: 717

How to avoid form resubmission in PHP

I have a form in dashboard.php to create an invoice, and this is submitted to invoice.php.

Now my invoice.php inserts the invoice and the customer into the database and then shows me an invoice order filling form.

If I refresh this page, it inserts a new invoice for the same customer. How do I avoid this?

I was reading that we could avoid it by redirection, but in my case how do I use it? Something like PRG (Post/Redirect/Get): how do I use it?

Do I need to make an intermediate page before going on to insert items into the invoice?

Upvotes: 0

Views: 1557

Answers (4)

Ozzy

Reputation: 8322

Here is some example code for you:

# database.php
$db = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
session_start();

# dashboard.php
require_once("database.php");

function getSavedValue() {
    global $db;
    // The placeholder must not be quoted, or it is treated as the literal string '?'
    $sql = "SELECT input_text FROM temp_table WHERE sess_key = ?";
    $query = $db->prepare($sql);
    $query->execute([session_id()]);
    // fetchColumn() returns the first column as a scalar, or false when there is no row
    $value = $query->fetchColumn();
    return ($value === false) ? " " : $value;
}
?>

<form action="invoice.php" method="POST">
  <!-- Escape the stored value before echoing it into an HTML attribute -->
  <input type="text" name="getThisInfo" value="<?php echo htmlspecialchars(getSavedValue(), ENT_QUOTES, 'UTF-8'); ?>"/>
  <input type="submit" value="Send"/>
</form>

# invoice.php
if (isset($_POST["getThisInfo"]) && /* validation check */ 1) {
    require_once("database.php");
    $textInput = $_POST["getThisInfo"];
    $sql = "INSERT INTO perm_table(invoice_info) VALUES(?)";
    $query = $db->prepare($sql);
    $query->execute([$textInput]);
    // Nothing may be echoed before header(); keep the count in the session for success.php
    $_SESSION["rows_inserted"] = $query->rowCount();
    unset($_POST["getThisInfo"]);
    header("Location: success.php");
    exit;
} else {
    header("Location: dashboard.php");
    exit;
}

Upvotes: 0

user1322720

Reputation:

Let dashboard.php post the form data to insert.php, which will process the data and then forward to invoice.php. Use sessions to transport the data from one file to another. Here is insert.php:

<?php

session_start();

// session_register(), session_is_registered() and session_unregister() were
// removed in PHP 5.4; read and write $_SESSION directly instead.
unset($_SESSION["invoiceVars"]);

$_SESSION["errors"] = array();

// escapeshellcmd() only escapes shell metacharacters; it is not SQL escaping,
// so use prepared statements when writing these values to the database.
$formVars = array();
foreach ($_POST as $f_varname => $f_value)
    $formVars[$f_varname] = trim(escapeshellcmd(stripslashes($f_value)));

// process your data and write it to the database or return to dashboard.php with errors, then:

unset($_SESSION["errors"]);

$invoiceVars = array();
foreach ($formVars as $i_varname => $i_value)
    $invoiceVars[$i_varname] = $i_value;

// add additional variables
$invoiceVars["coupon"] = 'unique_coupon_code';

// invoice.php will process the data and display it
// it has session_start(); at the top, to have $invoiceVars available
$_SESSION["invoiceVars"] = $invoiceVars;
header('Location: invoice.php');
exit();

?>

header(); and exit(); will flush $_POST, so it is no longer available when the user hits back on his browser.

Upvotes: 1

Andreas Linden

Reputation: 12721

After successful form submission, do a redirect to the same page and optionally indicate that the submission was successful.

Example: invoice.php

if (count($_POST)) {

    if (/* post data is valid */ true) {

        /* do whatever is needed */
        header('Location: invoice.php?success');
        exit; // stop the script so nothing else runs after the redirect
    }
} else if (isset($_GET['success'])) {

    echo "Form successfully submitted";
}

Upvotes: 1

grossvogel

Reputation: 6782

The pattern you've heard about is this: Post/Redirect/Get. In general, POST is for actions, GET is for views. So you never show a user a page on a POST request. Instead, you redirect them to a page they'll request with GET, which will not cause any changes in your database.

Upvotes: 4
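
The Post/Redirect/Get flow discussed in the answers above, as an added example that is not code from any of the posters. It goes one step beyond plain PRG by adding a single-use form token, so a POST replayed by a double click or the browser's resend prompt is rejected too. The SQLite file, the `invoices` table, the `customer` and `token` field names, and serving the form from invoice.php itself are assumptions made to keep it self-contained.

```php
<?php
// invoice.php - added example: Post/Redirect/Get with a one-time form token.
// Assumption: a SQLite file and an "invoices" table stand in for the real schema.
session_start();
$db = new PDO('sqlite:' . sys_get_temp_dir() . '/prg_demo.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS invoices (id INTEGER PRIMARY KEY, customer TEXT NOT NULL)');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // POST = action. The token is consumed on first use, so a replayed POST
    // cannot insert a second invoice.
    $sent  = is_string($_POST['token'] ?? null) ? $_POST['token'] : '';
    $known = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']);
    $customer = is_string($_POST['customer'] ?? null) ? trim($_POST['customer']) : '';

    if ($known === '' || !hash_equals($known, $sent) || $customer === '') {
        header('Location: invoice.php?error=1', true, 303);
        exit;
    }
    $stmt = $db->prepare('INSERT INTO invoices (customer) VALUES (?)'); // unquoted placeholder
    $stmt->execute([$customer]);
    // 303 See Other: the browser follows with a GET, so a refresh repeats only the view.
    header('Location: invoice.php?id=' . (int) $db->lastInsertId(), true, 303);
    exit; // stop here so nothing else runs or is sent after the redirect
}

// GET = view. Nothing below writes to the database.
if (isset($_GET['id'])) {
    // A real application must also check that this invoice belongs to the logged-in user.
    $stmt = $db->prepare('SELECT id, customer FROM invoices WHERE id = ?');
    $stmt->execute([(int) $_GET['id']]);
    if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        printf('<p>Invoice #%d for %s</p>', $row['id'], htmlspecialchars($row['customer'], ENT_QUOTES, 'UTF-8'));
    }
}
if (isset($_GET['error'])) {
    echo '<p>Submission rejected (missing field or already submitted).</p>';
}
$_SESSION['form_token'] = bin2hex(random_bytes(16)); // fresh token for each rendered form
?>
<form action="invoice.php" method="POST">
  <input type="hidden" name="token" value="<?= $_SESSION['form_token'] ?>">
  <input type="text" name="customer">
  <input type="submit" value="Create invoice">
</form>
```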
