2

I noticed that PHP has been inserting the same data twice, even with a simple query. Below is my index file:

```php
<?php
require("constants.php"); //contains database settings
$database = new PDO("$type:host=$host;dbname=$name", $user, $pass);
$query = $database->prepare('INSERT into test (test) VALUES (?)');
$query->execute(array(rand()));
echo $database->lastInsertId();
```

The test table has an auto increment column id and a varchar column test. I'm using WAMP to run PHP and MySQL.

Each request to the page inserts two entries with different values (from the rand() call). Only the first insert id is echoed. This behaviour is the same for Chrome, Firefox and IE.

It's caused by a rewrite rule:

```apache
RewriteEngine on
RewriteRule .* index.php
```

I'm assuming there's a file like robots.txt or favicon.ico which is requested transparently.

peterjwest
  • Is the PHP page called straight away, or is it being fetched through JavaScript or something else? Possibly JavaScript is making the request twice and you need a `return(false);` somewhere. – Dutchie432 Feb 15 '11 at 19:06
  • The page is called directly, it's the index file. – peterjwest Feb 15 '11 at 19:07
  • Could be run twice if you hit `example.com/somedir`, which then directs to `example.com/somedir/index.php` – Marc B Feb 15 '11 at 19:12
  • The only things I could think of are an Apache configuration that emulates what @Marc B describes or something double dipping further down the stack. Can you post more of the code in its context? What kind of data is it handling? – DeaconDesperado Feb 15 '11 at 19:14
  • Do you have any kind of rewrite/errordocument rules that could redirect to index.php? Could it be the page/browser trying to load a different resource (favicon, etc...) being redirected to index? – Damp Feb 15 '11 at 19:15
  • @Damp - bingo - would upvote - post as an answer, maybe? – DeaconDesperado Feb 15 '11 at 19:17

2 Answers

2

Do you have any kind of rewrite/errordocument rules that could redirect to index.php? Could it be the page/browser trying to load a different resource (favicon, etc...) being redirected to index?

Damp
  • Yes, see the post. Which resources are loaded with each request? – peterjwest Feb 15 '11 at 19:19
  • Probably favicon. If you have access to your logs, you can probably see it in the Apache access log. Otherwise, you could always append the dump of the HTTP requests in a file on your server to see what's accessed. – Damp Feb 15 '11 at 19:21
1

You should be using a form token/nonce to prevent this and replay attacks.

http://www.phpro.org/tutorials/Preventing-Multiple-Submits.html

Xeoncross
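An added example, not code from any of the posts above: the question's `index.php` reworked so that the insert runs only on a POST carrying a single-use session token, as the second answer suggests. With the catch-all rewrite rule in place, a transparent `favicon.ico` request still reaches this script but can no longer write a row. The function names, the `form_token` session key and the `token` form field are hypothetical choices for this sketch.

```php
<?php
// Added example: insert guarded by request method and a one-time token.
session_start();
require 'constants.php'; // same database settings file as in the question

// Return the pending token, creating one only if none exists. Reusing it
// matters here: the rewritten favicon.ico request also runs this script, and
// issuing a new token on every GET would invalidate the form already shown.
function current_token(): string
{
    return $_SESSION['form_token'] ??= bin2hex(random_bytes(32));
}

// True at most once per issued token. The stored token is discarded on the
// first check, so a duplicated or replayed POST is rejected.
function consume_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_token($_POST['token'] ?? null)) {
        http_response_code(400);
        exit('Invalid or already used form token.');
    }
    $database = new PDO("$type:host=$host;dbname=$name", $user, $pass);
    $database->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $query = $database->prepare('INSERT INTO test (test) VALUES (?)');
    $query->execute([rand()]);
    echo 'Inserted row ', (int) $database->lastInsertId();
    exit;
}

// Any GET (the page itself or a rewritten favicon.ico request) only renders
// the form and writes nothing to the database.
$token = current_token();
?>
<form method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token) ?>">
  <button type="submit">Insert</button>
</form>
```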