
I am developing a web application where I want to prevent an update or insert from running more than once when the user navigates back to the referring page. Let me present three model files in the order of flow so that I can point out where I am stuck.

  • register.html

            <html>
            ...
            <form id="form1" name="form1" method="post" action="process.php">
              <label for="textfield">Name</label>
              <input type="text" name="name" id="name" />
              <input type="submit" name="Submit" value="Submit" />
            </form>
            ...
            </html>
    
  • process.php

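            <?php
            // Escape the query-string value before echoing it into the page
            echo "Welcome " . htmlspecialchars($_GET['para'], ENT_QUOTES, 'UTF-8');
            ?>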
    
  • success.php

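            <?php
            if (isset($_POST['Submit'])) {
                $name = $_POST['name'];

                // some database update here ...

                // URL-encode the value for the query string, then escape the link for HTML
                $href = 'success.php?para=' . urlencode($name);
                echo "<a href='" . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . "'>Done. Click to go next</a>";
                unset($_POST['Submit']);
            } else {
                echo "Error in submission";
            }
            ?>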
    

The above three files are very simple. Here the update part has nothing to do when the user hits the back button after landing on page success.php, because of unset($_POST['Submit']);. But when the user goes back further by hitting the back button again, they reach register.html and can again submit with $_POST['Submit'] set and may do the update part, which is sometimes vulnerable. I know there is Post/Redirect/Get to solve this issue, but I want some other alternatives so that the part gatekeeping the update may be made so efficient that it would not allow the same anymore by clicking the back button.

samlancer

1 Answer


If you are getting duplicate records inserted:

  1. You may try INSERT IGNORE
  2. ADD UNIQUE INDEX to your table to prevent this happening

    You may choose either INSERT IGNORE or REPLACE according to the duplicate-handling behavior

Refer to https://dev.mysql.com/doc/refman/5.5/en/insert-on-duplicate.html

  3. Lastly, you may like simple PHP with mysqli_num_rows()

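    // $conn is an open mysqli connection; $value1 and $value2 are the values to check (assumed names)
    $sql = "SELECT id FROM table-name WHERE column-name1 = ? AND column-name2 = ?";
    $stmt = mysqli_prepare($conn, $sql);
    mysqli_stmt_bind_param($stmt, "ss", $value1, $value2);
    mysqli_stmt_execute($stmt);
    $mq = mysqli_stmt_get_result($stmt);

    if (mysqli_num_rows($mq) < 1) {
        // No matching row yet: run the write (statement left as the answer's placeholder)
        $sql = "UPDATE table-name SET (column-names) VALUES (...)";
        mysqli_query($conn, $sql);
    } else {
        echo "Record already updated";
    }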
    
mysqlrockstar
  • mysql_* functions are being deprecated. Abstain from posting samples with these functions to help the community migrate to PDO or mysqli http://stackoverflow.com/questions/16859477/why-are-phps-mysql-functions-deprecated – Tek Apr 13 '15 at 19:06
  • That's ok. I shall use PDO, but I must confess that I don't want to allow update by the user due to my programming flaw. In my application, there are updates several times in different pages, but that is programmed by me so no problem. – samlancer Apr 14 '15 at 05:02
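
The unique-index approach from the answer, applied to the back-button resubmission in the question, as an added example that is not code from the thread. It goes one step beyond the answer by keying the index on a per-form token, and it assumes the form is rendered by PHP so the token can sit in a hidden field; the `registrations` table, the `form_token` column and both functions are hypothetical, and in-memory SQLite (`INSERT OR IGNORE`) stands in for MySQL's `INSERT IGNORE`.

```php
<?php
// Added example. Hypothetical names: registrations, form_token, issueFormToken, handleSubmit.
// SQLite (in-memory, so this runs offline) spells MySQL's INSERT IGNORE as INSERT OR IGNORE.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registrations (
    id INTEGER PRIMARY KEY,
    form_token TEXT NOT NULL,
    name TEXT NOT NULL
)');
// The unique index is the gatekeeper: at most one row per issued form token.
$db->exec('CREATE UNIQUE INDEX uq_form_token ON registrations (form_token)');

// Called when the form is rendered; the value goes into a hidden input.
function issueFormToken(): string
{
    return bin2hex(random_bytes(16));
}

// Handles one POST body; returns true only when this token produced a new row.
function handleSubmit(PDO $db, array $post): bool
{
    $token = $post['form_token'] ?? '';
    $name  = $post['name'] ?? '';
    if (!is_string($token) || !is_string($name)
        || !preg_match('/^[0-9a-f]{32}$/', $token) || trim($name) === '') {
        return false; // malformed request, nothing is written
    }
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO registrations (form_token, name) VALUES (?, ?)'
    );
    $stmt->execute([$token, trim($name)]);
    return $stmt->rowCount() === 1; // 0 rows: the unique index rejected a repeat
}

// Constructed requests: one POST body replayed (back button, then Submit again),
// followed by a POST from a freshly rendered form.
$first = ['form_token' => issueFormToken(), 'name' => 'Alice', 'Submit' => 'Submit'];
$fresh = ['form_token' => issueFormToken(), 'name' => 'Alice', 'Submit' => 'Submit'];
var_dump(handleSubmit($db, $first)); // first submission
var_dump(handleSubmit($db, $first)); // replay of the same form
var_dump(handleSubmit($db, $fresh)); // new form, new token
echo $db->query('SELECT COUNT(*) FROM registrations')->fetchColumn(), " rows stored\n";
```

The index only de-duplicates replays of one rendered form. Checking that the token was actually issued by the server, for example by keeping it in the session, is a separate control.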