ie6 + php 5.1.2 send submit twice

Posted: Tue Oct 24, 2006 6:02 am
by vanderlay
Hello

I have an unusual problem that has taken me four days to hunt down with IE6 and PHP 5.1.2 on a shared host Linux server.

When I test the code locally on wamp 5.1.6 xp sp2 the code works as expected, however upload the code and bizarro world takes hold.

Also note FF 1.5.0.7 works as expected on both local and shared server.

So here is the problem: when an onclick form is processed from my page, IE6 submits it and PHP calls the inject script correctly, then when the page exits to display the success page it sends the form again.

----------
page logic

code below
basic_tmp.php = on first pass call form page (basic_tmp1.php)

basic_tmp1.php = on form submit action calls basic_tmp.php (above)

basic_tmp.php = if successful $_POST call inject script add_pge.php

add_pge.php = inject and if successful loop back to basic_tmp.php

basic_tmp.php = if inject successful call second form page basic_tmp2.php
----------


On the inject page I have set a $_SESSION var from the mysql_insert_id(), so when the page loops with a success message it will not inject the data again. However this var is not checked on the first submit (onclick call) inject as the original form page has not yet exited, so when the page does eventually exit ( sleep(15) ) a second inject is done.

hope that makes sense,
here is the code with a sleep function I used to test where in the system the duplicate inject call was coming from, and sure enough the first db inject is instant and the form page holds on the screen, then 15 seconds later the page changes (expected behaviour) and a second db inject occurs. The var is set so no further loops happen (expected).

basic_tmp.php

<?php session_start();   ?>

<?php
// *=*=*= this page is basic_tmp.php
if (isset($_SESSION['valid_user']))
{

sleep(15);

// *=*=*= this is the inject page
if (isset($_SESSION['loopcre_99']))
	{
	require $_SERVER["DOCUMENT_ROOT"].'/data/create/npge/add_pge.php';
	}

if (isset($_SESSION['success_901']))
	{
	require $_SERVER["DOCUMENT_ROOT"].'/data/create/npge/basic_tmp2.php';
	}	
	
// *=*=*= this is the form page
//if (!isset($_SESSION['loopcre_1']))
	{
	require $_SERVER["DOCUMENT_ROOT"].'/data/create/npge/basic_tmp1.php';
	}

}

?>

basic_tmp1.php -> form page

<?php session_start();   ?>
<script language="JavaScript">
function sub1()
{
document.1.submit();

}
</script>

<?php 
if (isset($_SESSION['valid_user']))
{
//deregister mysql inject
$_SESSION['lastidcheck'] = NULL;
unset($_SESSION['lastidcheck']); 
unset($lastidcheck);

$table_402 = "mnus";
$_SESSION['table_402'] = $table_402;
$table_403 = "pge";
$_SESSION['table_403'] = $table_403;

mysql_select_db($database_amf, $amfdb1);
  	$query_xx402 =  "SELECT * FROM `$table_402`"; 
	$recset_402 = mysql_query($query_xx402, $amfdb1) or die(mysql_error());
	$query_xx403 =  "SELECT * FROM `$table_403`"; 
	$recset_403 = mysql_query($query_xx403, $amfdb1) or die(mysql_error());


//start form
echo "<form name=\"1\" method=\"post\" action=\"/data/admin_main.php\">";
echo "<input  type =\"hidden\" name=\"loopcre_1\" value=\"yes\">";
echo "<input  type =\"hidden\" name=\"loopcre_99\" value=\"yes\">";

echo "<table width=\"75%\"  border=\"0\" bgcolor=\"#CCCCCC\">";
echo "<tr><td width=\"100%\" align=\"center\">Create New Page - page 1</td></tr>";
echo "<table width=\"75%\"  border=\"1\" bgcolor=\"#CCCCCC\">";
//line page title
echo "<tr><td width=\"15%\">Page Title</td>";
echo "<td width=\"60%\"><input name=\"pages_ttl\" type=\"text\" size=\"25\"></td></tr>"; 
//line description
echo "<tr><td width=\"15%\">Description</td>";
echo "<td width=\"60%\"><input name=\"pages_des\" type=\"text\" size=\"80\"></td></tr>"; 
//line 3
echo "<tr><td width=\"15%\">This page will be linked from</td>";
echo "<td width=\"60%\">";
echo "<select name=\"pageslfrm\">";	
echo "<option size=30 selected value=\"blank\">Please Select</option>";
while ($recrow_402 = mysql_fetch_assoc($recset_402))
{
$pf402_val = $recrow_402["mnus_id"];
// HTML-encode the database value before echoing it into the page
$pf402_nme = htmlspecialchars($recrow_402["mnus_munme"], ENT_QUOTES);
echo "<option name=\"pages_lfrm\" value=\"$pf402_nme\">$pf402_nme</option>\n";
}
echo "</select>";
echo "</td></tr>";
echo "<tr><td width=\"1%\"></td><td width=\"75%\" align=\"right\"><input type=\"image\"  src=\"".'/gpx/next_up.gif'."\" onClick=\"javascript: sub1();\"></td></tr>";
echo "</table>";
}
?>

inj_data.php

<?php
session_start();
if (isset($_SESSION['valid_user']))
{


if (!isset($lastidcheck))
		{
		
		$insdata = "INSERT INTO `$insertdata` (".$_SESSION['insdatafrm1b'].") values (".$_SESSION['insdatafrm2c'].")";
		$insdata5=mysql_query($insdata);
		
			
		if ($insdata5) // mysql_query() returns false on failure; isset() would still be true
			{
			//set record number
			$lastidcheck = mysql_insert_id ();
			$_SESSION['lastidcheck'] = $lastidcheck;
			$success_901 = "yes";
			$_SESSION['success_901'] = $success_901;
			$success_902 = "yes";
			$_SESSION['success_902'] = $success_902;
			$_SESSION['clrstrip'] = "#03b121";
			require $_SERVER["DOCUMENT_ROOT"].'/data/create/npge/success.php';
						
			//added form so disable
			$_SESSION['loopcre_99'] = NULL;
			unset($_SESSION['loopcre_99']); 
			unset($loopcre_99);
			
			$_SESSION['loopcre_1'] = NULL;
			unset($_SESSION['loopcre_1']); 
			unset($loopcre_1);
			
			
			
			
			}
			else
			{
			echo "<table width=\"85%\" border=\"0\">";
			echo  "<tr bgcolor=\"#ff0000\"> ";
			echo  "<td align=\"center\"><font face=\"Verdana, Arial, Helvetica, sans-serif\" size=\"-1\" color=\"#ECFB3A\">An error has occured <font color=\"#FFFFFF\">\"".mysql_error()."\"<font color=\"#ECFB3A\"> please try again. (inj_d)</font></td>";
			echo  "</tr>";
			echo  "</table>";
			}
		}

}
?>

thx
Art :(

Posted: Tue Oct 24, 2006 7:54 am
by printf
If you have an onclick event in a submit type event then it's going to do what the onclick points to first (document.1.submit();), then submit the form again because an input type='image' is a submit type HTTP form event. I hate to admit it, but IE has it right. Use just a HREF tag surrounded by your image, if you must use the onclick event function. But it's not needed in this case (you're only calling a submit in your JavaScript onclick event function), so why even use it!

pif!
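
A server-side guard for the duplicate submit discussed in this thread, as an added example that is not part of any post: a single-use token issued with the form and spent before the INSERT, so a repeated POST stores nothing. The helper names, the `new_page` form name and the `form_token` field are assumptions, and the code assumes PHP 7 or later.

```php
<?php
// Added example (not from the thread): a single-use form token makes the
// insert idempotent, so a second POST of the same form is ignored no matter
// why the browser sent it. Helper names and the 'form_token' field are
// hypothetical; requires PHP 7+ for random_bytes() and hash_equals().

// Call when rendering the form; emit the result in a hidden input.
function issue_form_token(array &$session, string $form): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_token'][$form] = $token;
    return $token;
}

// Call before the INSERT; true only for the first POST carrying the token.
function consume_form_token(array &$session, string $form, $submitted): bool
{
    $expected = $session['form_token'][$form] ?? null;
    if (!is_string($expected) || !is_string($submitted)
        || !hash_equals($expected, $submitted)) {
        return false;
    }
    unset($session['form_token'][$form]);   // spend the token
    return true;
}

// Stand-in for the insert script: $rows plays the role of the table.
function handle_post(array &$session, array $post, array &$rows): string
{
    if (!consume_form_token($session, 'new_page', $post['form_token'] ?? null)) {
        return 'ignored';
    }
    $rows[] = $post['pages_ttl'];
    return 'inserted';
}

// Constructed demo: the same POST body arrives twice, as in the IE6 case.
// In a real page, pass $_SESSION and $_POST instead of these arrays.
$session = [];
$rows    = [];
$post    = ['form_token' => issue_form_token($session, 'new_page'),
            'pages_ttl'  => 'Home'];
echo handle_post($session, $post, $rows), "\n";
echo handle_post($session, $post, $rows), "\n";
echo count($rows), " row(s) stored\n";
```

With PHP's default file-based session handler, requests in the same session are processed one at a time, so the check and the unset cannot interleave between the two submits.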

Posted: Tue Oct 24, 2006 5:52 pm
by vanderlay
thx pfif!

easy stuff always gets you caught!
now just gotta figure out how to get four days of my life back!

thx again
Art