
How to stop users from resubmitting data after refresh?

Posted: Fri Aug 04, 2006 9:01 am
by hydroxide
Okay, I've got this page that users are sent to after they send money to me with paypal. It takes the $amount that paypal posts, and puts that into a database when the page is loaded. How can I stop users from simply refreshing over and over again to keep putting the money in the database?

This is what I've got doing the dirty work when they get redirected to the page.

if ($is_banned == 0 && $ID_MEMBER != 0) {
	$update_ad_q = "UPDATE ad_credit SET credit = credit + '$amount' WHERE id = $ID_MEMBER";
	mysql_query($update_ad_q);
}

Posted: Fri Aug 04, 2006 9:14 am
by jayshields
How does it keep the $amount variable's value after the refresh? If it's simply a POST'd value it shouldn't exist after refreshing.

Posted: Fri Aug 04, 2006 9:19 am
by hydroxide
jayshields wrote: How does it keep the $amount variable's value after the refresh? If it's simply a POST'd value it shouldn't exist after refreshing.
I have no idea! I just hit refresh and it keeps on putting stuff in the database!

You can see the code in its entirety here: http://hashphp.org/pastebin?pid=7943 (115 lines)

Posted: Fri Aug 04, 2006 1:40 pm
by feyd
One-time use transaction IDs. I've talked about them in several threads recently so I'd rather not have to repeat it all.

Posted: Fri Aug 04, 2006 1:42 pm
by RobertGonzalez
At the very least, use a splash page that redirects so even if they refresh, it only refreshes a static HTML output page instead of something hitting the DB. This will not entirely prevent your issue (Feyd's suggestion will) but it will cause your users to have to do more work to do to you what they can easily do now.
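
Added example, not part of the original thread or any poster's code: one way to implement the one-time transaction IDs mentioned above, so that a refresh of the landing page cannot credit the account twice. The `txn` table, the helpers `issue_txn()` and `redeem_txn()`, member 42 and the in-memory SQLite database are assumptions made for illustration; it also assumes the amount is recorded when the ID is issued rather than read from the request.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ad_credit (id INTEGER PRIMARY KEY, credit NUMERIC NOT NULL)');
$db->exec('CREATE TABLE txn (
    txn_id TEXT PRIMARY KEY, member_id INTEGER NOT NULL,
    amount NUMERIC NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO ad_credit (id, credit) VALUES (42, 0)'); // constructed member

// Issue an unguessable ID before the user is sent off to pay (hypothetical helper).
function issue_txn(PDO $db, int $memberId, string $amount): string
{
    $txnId = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO txn (txn_id, member_id, amount) VALUES (?, ?, ?)')
       ->execute([$txnId, $memberId, $amount]);
    return $txnId;
}

// Consume the ID and credit the account; returns false on reuse or an unknown ID.
function redeem_txn(PDO $db, string $txnId, int $memberId): bool
{
    $db->beginTransaction();
    try {
        // Atomic claim: only one request can flip used from 0 to 1.
        $claim = $db->prepare('UPDATE txn SET used = 1
                               WHERE txn_id = ? AND member_id = ? AND used = 0');
        $claim->execute([$txnId, $memberId]);
        if ($claim->rowCount() !== 1) {
            $db->rollBack();
            return false;
        }
        // The amount comes from the stored row, not from the request.
        $db->prepare('UPDATE ad_credit
                      SET credit = credit + (SELECT amount FROM txn WHERE txn_id = ?)
                      WHERE id = ?')->execute([$txnId, $memberId]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

$id = issue_txn($db, 42, '5.00');
var_dump(redeem_txn($db, $id, 42)); // first load of the landing page
var_dump(redeem_txn($db, $id, 42)); // refresh of the same page
echo $db->query('SELECT credit FROM ad_credit WHERE id = 42')->fetchColumn(), "\n";
```

In a real page, a successful redeem would be followed by a redirect to a static page, as the last reply suggests, so that a refresh reloads only that page.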