Reload Problem, user tend to submit data twice
#11

[eluser]obiron2[/eluser]
but in that example you are not creating a unique database record. If it were a user registration form and the form was processed successfully and then the user hits F5 to refresh the page, the $_POST data will be re-submitted and unless you have uniqueness checks turned on in your database or validate for the hidden field you will repost the data.

I have thought of a solution but not tried it yet.

If you open the form URL with target="_new" it will open in a new window. If the data is successfully submitted you should be able to call a js script as part of the onLoad() function to $this.window.close()

(Don't quote me on the syntax...)

This way the window will shut itself down when successful and the $_POST will be destroyed.

Obiron
#12

[eluser]Référencement Google[/eluser]
This is what I would do:

- Each form load generates a random ID
- Each submitted form puts this form ID in a DB field (was suggested by Xwero in #5)

Then you can do something like:

if (form ID exists in the DB)
{
Show error form already submitted
}
else
{
Process the form
}
#13

[eluser]Pygon[/eluser]
[quote author="elitemedia" date="1193763922"]This is what I would do:

- Each form load generates a random ID
- Each submitted form puts this form ID in a DB field (was suggested by Xwero in #5)

Then you can do something like:

if (form ID exists in the DB)
{
Show error form already submitted
}
else
{
Process the form
}[/quote]

If you generate a random number every time the form loads, when the form is submitted again it will always have a different number (until you generate a random number that has been used previously). md5(microtime()) could avoid that, but again, new number for every form.

I'm not quite sure why you aren't just checking the DB to verify that the same information hasn't already been submitted.

For example, if you require an email, query the database for that email -- if it exists, that user has already submitted the form, if not, add it to the database.

There are always down sides to ways of limiting forms, for example:

Session variable to prevent re-submit.
- Is removed once browser is closed (they can return and resubmit).

Cookie to prevent re-submit
- Cookies can be off or removed.

Limit by IP Address
- Multiple users behind a router (companies or home) share same IP. Dial-up or semi-static ips can be re-assigned to a user who has not submitted the form.

The best way is going to be to require some sort of personally identifiable information (email), of course this can be spoofed.

All in all, there is no fool-proof way. There is the same problem in trying to get accurate user statistics.
#14

[eluser]Rick Jolly[/eluser]
Pygon: I think you're missing the point. The problem is when a user inadvertently resubmits the form when refreshing the page or using the back button. Elitemedia's suggestion of a token works well to detect that because the form data is the same - including the token.
#15

[eluser]worchyld[/eluser]
A unique token does not solve this problem. Every time you submit the form the unique token is always the same!

Code:
<?php
/* This code is not intended to be used on a live site */
session_start();

// A new code is generated on every request...
$unique_code = md5(microtime());

// ...but it is only stored in the session when the page is loaded without POST data.
if (empty($_POST)) {
    $_SESSION['unique_code'] = $unique_code;
}

print "POSTED: <br />";
print_r($_POST);
print '<br /><br />SESSION: <br />';
print_r($_SESSION);
?>

<form name="testForm" method="post" action="<?=htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);?>">

<p>
    <input type="text" name="name" id="name" value="" /><br />
    <input type="text" name="unique_code" id="unique_code" value="<?=$unique_code;?>" />
</p>

<p>
    <input type="submit" />
</p>

</form>
#16

[eluser]Rick Jolly[/eluser]
[quote author="worchyld" date="1193789054"]Every time you submit the form the unique token is always the same!
[/quote]
That is the point.
#17

[eluser]Pygon[/eluser]
If dup on f5 is the only concern, why not just:

Code:
if( empty($_SESSION['submitted']) )
{
   //process form.
   $_SESSION['submitted'] = 1;
} else {
   //Ignore submit
}

I see absolutely no reason to waste DB queries on this.
#18

[eluser]Rick Jolly[/eluser]
[quote author="Pygon" date="1193793541"]If dup on f5 is the only concern, why not just:

Code:
if( empty($_SESSION['submitted']) )
{
   //process form.
   $_SESSION['submitted'] = 1;
} else {
   //Ignore submit
}

I see absolutely no reason to waste DB queries on this.[/quote]
Depending on your needs, that would work. However, what if a user wanted to submit the same form with different data? The first example that comes to mind: an admin user inputting a number of users with the same form. Using your code, that wouldn't be possible. The unique token eliminates duplicate submissions from cached form input. In addition, with the token you wouldn't have to use the session - although you could.
#19

[eluser]ImageSmith[/eluser]
If I can throw my 5 cents worth in here, I have been looking for a similar solution to what iive seeks but for a different reason.
Form resubmission can be a real hassle, esp if it is for something like a credit card txn. There is a real need to save the general public from themselves (eg using back button, F5, etc when submitting forms)
The previous discussion about unique tokens in forms is generally on the right track IMHO.
The logic and application as I see it would go something like this in the form loading method:
Code:
if ($this->ci->validation->run() == FALSE) {
  $this->ci->load->view('some_form_view');
  $form_token = array('form_token'=>'some_generated_uid');
  $this->ci->session->set_userdata($form_token);
}
else {
  if (!$this->ci->session->userdata('form_token')) {
    $this->ci->load->view('some_form_view');
  }
  else {
    // do whatever processing is required
    
    // then
    $this->ci->session->unset_userdata('form_token');
    // maybe kill off $_POST data as well
    $_POST = array();
  }
}
This ought to prevent resubmission of validated data by a user.
The other benefit of this approach will be prevention of auto form spamming (this is the original solution that I was after) as the posted data will have no accompanying session token.
Anyone see fundamental flaws in this that I have missed?
#20

[eluser]Negligence[/eluser]
Use redirects (header() or CI's implementation). It's simple, it's one line, and it's foolproof. Don't mess around with tokens, ID's, etc. -- it's unnecessary work and code for the same result.
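
The two approaches discussed in this thread (a token issued on each form load, as in posts #12 and #19, and the redirect from post #20) combined in one script, as an added example that is not code from any poster. It assumes plain PHP sessions rather than CodeIgniter's session library; process_registration() is a hypothetical stand-in, and the form_token field name is borrowed from post #19.

```php
<?php
// Added example, not code from the thread. Assumes plain PHP sessions;
// process_registration() is a hypothetical stand-in for the real insert.
session_start();

function issue_form_token(): string
{
    $token = bin2hex(random_bytes(16));       // unpredictable, unlike md5(microtime())
    $_SESSION['form_tokens'][$token] = true;  // keyed by token, so several tabs can be open
    return $token;
}

function consume_form_token(string $token): bool
{
    if (!isset($_SESSION['form_tokens'][$token])) {
        return false;                         // unknown, or already spent by an earlier submit
    }
    unset($_SESSION['form_tokens'][$token]);  // single use: F5 replays the same token and fails
    return true;
}

function process_registration(array $post): void
{
    // hypothetical: validate and insert the record here
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['form_token'] ?? '';
    if (is_string($token) && consume_form_token($token)) {
        process_registration($_POST);
        $_SESSION['flash'] = 'Saved.';
    } else {
        $_SESSION['flash'] = 'This form was already submitted.';
    }
    // Post/Redirect/Get: the browser lands on a GET, so a refresh re-sends nothing.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']);
$token = issue_form_token();
?>
<p><?= htmlspecialchars($flash, ENT_QUOTES) ?></p>
<form method="post" action="">
    <input type="text" name="name" />
    <input type="hidden" name="form_token" value="<?= $token ?>" />
    <input type="submit" />
</form>
```

With PHP's default file session handler the session is locked for the duration of each request, so the two POSTs from a double-click are handled one after the other and only the first finds the token.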



