
Data insertion after page refresh

Posted: Tue May 10, 2011 5:25 am
by ishakya
Hi,
:D
I have a PHP page called add_agent.php which is used to insert data into a MySQL database.
After inserting a data row, if I refresh the page, that previous data row will be resent to that database table.
Why is that happening? Is there any way to avoid that?
:banghead:

If anyone can help me figure this out, I will be very grateful.

Thanks in advance...

Re: Data insertion after page refresh

Posted: Tue May 10, 2011 8:31 am
by oscardog
After inserting the data, so after the mysql_query() line, set a header() to another page. Then the page cannot be refreshed with the data posted to it.

Re: Data insertion after page refresh

Posted: Tue May 10, 2011 10:37 am
by flying_circus
What you're dealing with is a replay attack and a nonce is usually the best way to handle it.

A basic implementation would be something like this:
- On your user form page, generate a token.
- Put the token in a user session and also in a hidden field on the form.
- On the PHP side, compare the $_POST token to the $_SESSION token.
- If they match, delete the token from the session, process the request, and go on from there.
- If they hit refresh (or back), there will no longer be a token in the session, so the comparison will fail, and the request will not be handled.
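
The two suggestions in this thread (redirect after the insert, and a single-use session token) combined in one add_agent.php, as an added example that is not part of any of the original posts. The `agents` table, the `name` field, the `form_token` session key and the SQLite file are assumptions made up for the example; SQLite stands in for the poster's MySQL table so the script runs without a database server.

```php
<?php
// add_agent.php: added example, one-time form token plus redirect after POST.
// Assumptions: the "agents" table, the "name" field and the SQLite file are
// constructed for this example and stand in for the poster's MySQL table.
declare(strict_types=1);
session_start();

$db = new PDO('sqlite:' . sys_get_temp_dir() . '/agents_demo.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS agents (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent   = is_string($_POST['token'] ?? null) ? $_POST['token'] : '';
    $stored = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']);   // single use: consume before doing any work

    // hash_equals() compares in constant time; an empty stored token never matches.
    if ($stored === '' || !hash_equals($stored, $sent)) {
        http_response_code(400);
        exit('Form expired or already submitted.');
    }

    $name = is_string($_POST['name'] ?? null) ? trim($_POST['name']) : '';
    if ($name === '') { http_response_code(422); exit('Name is required.'); }
    $stmt = $db->prepare('INSERT INTO agents (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);

    // Redirect so the browser's last request is a GET; refresh reloads the form only.
    header('Location: add_agent.php?saved=1', true, 303);
    exit;
}

// GET: issue a fresh unpredictable token and keep a copy in the session.
$_SESSION['form_token'] = bin2hex(random_bytes(32));
$count = (int) $db->query('SELECT COUNT(*) FROM agents')->fetchColumn();
?>
<!doctype html>
<title>Add agent</title>
<?php if (isset($_GET['saved'])): ?><p>Saved.</p><?php endif; ?>
<p>Agents stored: <?= $count ?></p>
<form method="post" action="add_agent.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['form_token'], ENT_QUOTES) ?>">
  <label>Name <input name="name" required></label>
  <button type="submit">Add</button>
</form>
```

Because the session holds a single token, opening the form in a second tab invalidates the first tab's token. The same hidden token also rejects cross-site form posts, since another site cannot read the value stored in the user's session.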