CODEWITHSUNDEEP
javascriptphphtmlforms
mimi
mimi

Reputation: 365

PHP Prevent Re submission for multiple forms on same page

Hi have checked answer from this page: But it uses action="" is it vulnerable to XSS attacks? If yes then without such solution what are my options?

I tried using header redirect. But as I have 2 forms,(in some pages 4-5 forms) header re direction is not working for me with errors.

Here is my code: (Simplified)

1st form: works ok with a redirect.

<form name="ip_block" method="post" class="form-horizontal">
            <div class="form-group">
           <label class="control-label col-sm-2" for="ip"> Enter IP:</label>
            <div class="col-sm-8">
                <input type="text" name="ip" class="form-control" id="ip" />
          </div></div>
         <div class="form-group"> 
            <div class="col-sm-offset-2 col-sm-8">
            <button type="submit" class="btn btn-default" 
            name="ip_block_add">Submit</button>
               </div></div>
             </form> 
        <?php
          if(isset($_POST['ip'])){
              if($IP = filter_input(INPUT_POST, 'ip', 
                FILTER_SANITIZE_STRING)){
              $add_ip = $mysqli->prepare("INSERT INTO block_ip(b_ip) 
                VALUES(?)");
              $add_ip->bind_param("s",$IP);
              $add_ip->execute();
              $add_ip->store_result();
              $add_ip->close();
             header("refresh:5;url=./admin-security.php");// avoiding form 
                 resubmission
             echo 'Added successfully';
              }
              else {
                    echo 'failed to insert';
              }
          }
        ?>

Form 2:

 <form name="clear_data" method="post">
            <input type="hidden" name="data_clear" value="1"/>
            <button type="submit" class="btn btn-warning">Clean Data</button>
        </form>
                 <?php
              if(isset($_POST['data_clear'])){
              if($mysqli->query("CALL clear_old_data")){ 
              header("refresh:5;url=./admin-security.php");// avoiding form resubmission
              echo 'operation successfull'; 
              }   
       else
       {
         echo 'database failure';
          }
        }
      //----
    ?>

For Second form I get error like this

Warning: Cannot modify header information - headers already sent by

For 2nd form I am using header before echo still it doesn't work. reference, I tried with javascript too but that failed.

 echo "<script>setTimeout('window.location.href='./admin-
 security.php';',4000);</script>";

Updated with Dainis Abols idea: but form re submit option is still showing on page refresh

            <form name="clear_data" method="post">
            <input type="hidden" name="data_clear" value="1"/>
            <?php
               $var=111;
               $_SESSION['var']=$var;
               ?>
            <input type="hidden" value="<?php echo $var; ?>" name="varcheck" 
              />
            <button type="submit" class="btn btn-warning">Clean 
                  Data</button>
                   </form>
                 <?php
              if(isset($_POST['data_clear']) && 
            ($_POST['varcheck']==$_SESSION['var'])){
             // Some code
             }

Upvotes: 0

Views: 213

Answers (1)

Ylich
Ylich

Reputation: 70

I'd rather use ajax to send data to the database, without form submiting, and on success I would use js to redirect to /admin-security.php. In this case it's not possible to send the data twice.

Here is the PHP Code:

     <?php
      if(isset($_POST['ip'])){
          if($IP = filter_input(INPUT_POST, 'ip', 
            FILTER_SANITIZE_STRING)){
          $add_ip = $mysqli->prepare("INSERT INTO block_ip(b_ip) 
            VALUES(?)");
          $add_ip->bind_param("s",$IP);
          $add_ip->execute();
          $add_ip->store_result();
          $add_ip->close();
         echo 1;
          }
          else {
                echo 0;
          }
       exit;
      }
    ?>

HTML:

<div class="form-horizontal">
        <div class="form-group">
       <label class="control-label col-sm-2" for="ip"> Enter IP:</label>
        <div class="col-sm-8">
            <input type="text" name="ip" class="form-control" id="ip" />
      </div></div>
     <div class="form-group"> 
        <div class="col-sm-offset-2 col-sm-8">
       <button type="button" onClick="send_form()" class="btn btn-default" 
        >Submit</button>
           </div></div>
         </div>

And AJAX written with JQuery

<script>
function send_form() {
  $.ajax({
     url: "./admin-security.php",
     type: "POST",
     data: {
       ip: $("#ip").val()
     },
     success: function(response) {
          if(response==1) {
              alert("Done");
              location.href = "./admin-security.php";
          }
          else alert("Fail!");
      }
  });
 }

Upvotes: 1

Related Questions