Preventing a submission from being re-submitted upon refreshing a browser

Question

The code below all works great. On a file called submit.php, a user can enter a submission through a form. The form goes to submit2.php, where some code inserts the submission into a MySQL database. So far so good.

Here's the problem: once the user has landed on submit2.php, if the user refreshes the browser, a "Confirm Form Resubmission" pop-up box appears. Then, if the user hits "Continue" on that pop-up, the submission will be re-submitted to the MySQL database.

How can make it do the following on submit2.php:

1. The pop-up will not appear if the browser is refreshed.

2. The submission will not be re-submitted to the database.

Thanks in advance,

John

On submit.php:

echo '<form action="http://www.domain.com/sample/submit2.php" method="post"> 
    <input type="hidden" value="'.$_SESSION['loginid'].'" name="uid">  

    <div class="submissiontitle"><label for="title">Story Title:</label></div> 
    <div class="submissionfield"><input name="title" type="title" id="title" maxlength="1000"></div>  

    <div class="urltitle"><label for="url">Link:</label></div> 
    <div class="urlfield"><input name="url" type="text" id="url" maxlength="500"></div>

    <div class="submissionbutton"><input name="submit" type="submit" value="Submit"></div> 
</form>
';

On submit2.php:

if (isLoggedIn() == true)
{

$remove_array = array('http://www.', 'http://', 'https://', 'https://www.', 'www.');
$cleanurl = str_replace($remove_array, "", $_POST['url']);
$cleanurl = strtolower($cleanurl);
$cleanurl = preg_replace('/\/$/','',$cleanurl);
$cleanurl = stripslashes($cleanurl);

$title = $_POST['title'];
$uid = $_POST['uid'];
$title = mysql_real_escape_string($title);
$title = stripslashes($title);
$slug = str_replace(' ', '-', $title);

echo '-'.$site1.'-';

$cleanurl = mysql_real_escape_string(trim($cleanurl));

$site1 = 'http://' . $cleanurl;

$displayurl = parse_url($site1, PHP_URL_HOST);

function isURL($url1 = NULL) {
        if($url1==NULL) return false;

        $protocol = '(http://|https://)';
        $allowed = '[-a-z0-9]{1,63}';

        $regex = "^". $protocol . // must include the protocol
                         '(' . $allowed . '\.)'. // 1 or several sub domains with a max of 63 chars
                         '[a-z]' . '{2,6}'; // followed by a TLD
        if(eregi($regex, $url1)==true) return true;
        else return false;
}



if(isURL($site1)==true)
    mysql_query("INSERT INTO submission VALUES (NULL, '$uid', '$title', '$slug', '$cleanurl', '$displayurl', NULL)");
else
    echo "<p class=\"topicu\">Not a valid URL.</p>\n";

} else {
    // user is not loggedin
    show_loginform();
}

Answer 1

What the first answer/article is trying to describe is a method used by many websites/applications that solves the problem you are having.

The method works as follows:

First, you have a form page: info_form.php This is the page that will contain your form. It will submit this form data via POST to your second page.

Second, you have your data processing page: info_submit.php This page does nothing but process data and work with the database. No output is displayed to the browser at all. Once the data is processed and inserted into the database, this page redirects the user to your third page, sending any information needed via GET (i.e. Redirect: info_confirm.php?success=1)

Third, you have your confirmation page: info_confirm.php This page recieves any information about the submission process it needs from the second page through the query string via GET.

This means that the user never even notices that the second page exists. As far as they (and more importantly, the browser) are concerned, that second page doesn't exist. So when the user refreshes your third confirmation page, the only variables that are loaded are the GET vars and no information is resubmitted to your DB.

Answer 2

User the POST/Redirect/GET model.

http://www.andypemberton.com/engineering/the-post-redirect-get-pattern/