PHP - Prevent Resubmitting Of Form On Refresh

Hey,

I have a Chat system which consists of a main page with 3 iframes situated within it:
iFrame 1 = the list of people in the Chat
iFrame 2 = the chat log, displaying the messages entered into the Chat
iFrame 3 = the form into which you enter your message and then click Submit so that your message is entered into the Chat log

Basically what I want is that, when you submit a message via iFrame 3, it refreshes iFrame 2, so you enter in a message and can then see the refreshed version of the chat log and therefore see your new message.

The problem is that I'm not sure how to get it so that submitting the form refreshes the iframe. Nor am I 100% sure whether you can refresh one iFrame from within another iFrame.

One solution to the second problem is to put the submission form (currently in iFrame 3) onto my main chat page which at the moment just contains the 3 iframes, but even then I don't know how to make submitting the form refresh the chat log!

Any help/advice would be appreciated

Thanks!

Hi All,

Is there any way that PHP can detect if a page has been refreshed? Basically I have a form that when submitted, inserts a row in to a database, but I am finding that when I refresh the page, it repeats the insert statement.

Any ideas?

Thanks
Matt

When I submitted my Form & refresh then browser resend all data again into database,
So anybody know any solution of this to avoid data resend after refreshing browser..

Hi all,

Thanks for reading.

I'm running a script using jQuery that auto-refreshes a <div> on the index page from an external PHP script to get all the rows in a database and display them on the index page. The script works great - here it is as follows:

Code: [Select]
<script type="text/javascript">

$(document).ready(function() {

$("#responsecontainer").fadeOut("fast").load("getrows.php").fadeIn("slow");

var refreshId = setInterval(function() {
$("#responsecontainer").fadeOut("fast").load('getrows.php').fadeIn("slow");
}, 5000);

$.ajaxSetup({ cache: false });

});

</script>

The getrows.php script I'm working with looks like this:

Code: [Select]
<?php 

$rowsQuery = mysql_query("SELECT * FROM Happenings WHERE HappeningDate='$today'");

if (mysql_num_rows($rowsQuery) == 0) {
$happeningsToday = "There are no happenings today.";
} else {

$allHappeningsToday = 1;

while ($getHappeningsToday = mysql_fetch_array($rowsQuery)) {

$happeningName = stripslashes($getHappeningsToday['HappeningName']);
$happeningDate = $getHappeningsToday['HappeningDate'];
$happeningDescription = $getHappeningsToday['HappeningDescription'];

if ($allHappeningsToday == 1) {

$happeningsToday .= "
<div class=\"box\">
<p>".$happeningName." | ".$happeningDate." | ".$happeningDescription."
</div>";

$allHappeningsToday = 2; 

} else { 

$happeningsToday .= "
<div class=\"box\">
<p>".$happeningName." | ".$happeningDate." | ".$happeningDescription."
</div>";

$allHappeningsToday = 1; 

}

}

}

echo $happeningsToday;

?>

This script works great as well.

Currently, the auto-refresh jQuery script as you can see if getting and fading in/out all of the rows.

Off of the above getrows.php script, is there a way after I could get only the newly created rows since the last refresh and only fade those in and out while leaving the others already loaded by the auto-refresh script to not fade in/out?

Any ideas, thoughts or suggestions would be unbelievably helpful.

Thank you very much.

Hello Guys,

Iam making a new ad serving script. In that site every publisher can register & they will get a url to serve ads. When a user click on that url the publisher will get earnings.
But my problem is someone using something like this <iframe src="http://my-site.com/adserve.php" width = "100" height = "100"></iframe> & it will helps to get earnings without clicking on that url.
I want to prevent this type of cheating & how it can be possible ??

I hope a expert will replay for me.

I am loading a link with ajax. When the link pops on the screen and I click it, I get redirected to my 404 page and my lightbox doesn't load.

If the link pops in and I refresh my browser, then I click the link my lightbox will show up.

How can I do a prevent default on the <a href> in pure JS? No frameworks please.

Is this a correct approach to prevent email injection?

$to: me@mydomain.com, myPartner@mydomain.com, $emailer;
//then the rest of the stuff.

$emailCheck = $_POST["emailer"];
if (eregi("(\r|\n)", $emailCheck)) {
die("Why ?? ");
}
mail($to, $subject, "", $headers);

Hi
is there any way we can prevent suppose <textarea></textarea> when page reload it refresh and set default text
i wanted to know is there any way to prevent certain things not to get refreshed  is there any method in php which prevent to reload  this !


<?php
echo  "<textarea > Enter your favorite quote!</textarea> \n" ;
Code: [Select]
if (isset($_GET['edit']) && $_GET['edit'] == 'textupdate'){
}
<a href= \"{$_SERVER['PHP_SELF']}?page=1&edit=textupdate \" >Click</a>?>

Will this prevent a SQL injection? I am guessing the answer is no because it is too simple.


// retrieve form data   ==========================================

$ama = $_POST['ama'];

// Check for alphanumeric characters =====================================

$string = "$ama";

$new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string);

// echo $new_string;

// Send query ===========================================================

$query = "SELECT * FROM members WHERE ama='$new_string'";
if (!mysql_query($query)){
die('Error :' .mysql_error());
}

Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.

The code works fine.
 

<?php 

include 'db.php';

error_reporting(E_ALL | E_WARNING | E_NOTICE);

ini_set('display_errors', TRUE);

 if(isset($_POST['submit']))

 {
    
 $username = $_POST['username']; 
$password =  ($_POST['password']); 

$sql = "SELECT * FROM customer WHERE username = ?";
$stmt = $connection->prepare($sql); 
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$count =  $result->num_rows;
   if($count == 1) 
                         {
while ($row = $result->fetch_assoc())
 {
    if ($row['status'] == 'blocked')

 {

 echo'your account is suspended'


   session_destroy();

   exit();

  }

 else if($row['status'] == 'active')
{

if($username !== $row['username']) 

 { 
echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>';
} 
if($password !== $row['password']) 
{
  echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';       
}
if($username == $row['username'] && $password == $row['password']) 
{ 
header('Location:cpanel/');
else
{
}
}//if count
}//while loop
}//submit
?>

 

As the title says, I would like to know how exactly CSRF can be 100% (or close to it) prevented.   One of the most recommended solutions is to create a token and insert it into a hidden field, but I've tested it on another domain and you can just do a cURL request and retrieve the token then make another request with it included.  Proof:  

<?php

    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, "URL");

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
 
    $response = curl_exec($ch);
 
    curl_close($ch);

    $exploded = explode('type="hidden" name="token" value="', $response);

    $token = substr($exploded[1], 0, 64);

    echo $token; // ebd9ab96d40bdb21bbaa2e1a18d657be2e413105ae86ecc14def6137f38a1571

?>

  I would hate to include captcha on all my forms, so how exactly does one prevent CSRF?

How can I prevent the less than and greater than signs in the username field, and message on the post?    As well as slashes. / \.

Code: [Select]
<form method="post" action="" id="reply">
<script type="text/javascript">
function hi(id){
var val = id.options[id.selectedIndex].value;
var text = id.options[id.selectedIndex].text;
if (val.length != 0){document.getElementById('user').value = text;hide('passrow');}
else {
document.getElementById('user').value = '';
document.getElementById('passrow').style.cssText = '';
}
}
</script>

<div id="userpass" style="background: #000;">
<table style="border: 2px solid #252564; background: #1F1F5D;" width="100%" cellpadding="0" class="quick_userpass">
<tr>
<td background="/images/bg3.jpg" height="26px"><font face=arial size=2 color="white">&nbsp;&nbsp;&nbsp;<b>Your Name or Nickname</b></td>
</tr>
<tr>
<td><input size=50 name="user" id="user" value="" style="margin-left: 10px;"></td>
</tr>
<tr><td background="/images/bg3.jpg" height=26px></td></tr>
</table>

<div id="passrow" style="">
<p>
<table width=100% cellpadding=0 class="quick_userpass" style="border: 2px solid #252564; background: #1F1F5D;">
<tr><td background="/images/bg3.jpg" height=26px style=""><font face=arial size=2 color="white">&nbsp;&nbsp;&nbsp;<b>Password (optional)</b></td></tr>
<tr><td style=""><input size=50 name="pass" id="pass" type="password" style="margin-left: 10px;"  value=""></td></tr>
<tr><td background="/images/bg3.jpg" height=26px></td></tr>
</table>
</p>
</div>

<p>
<table width=100% cellspacing=0 cellpadding=4 class="quick_userpass" style="border: 2px solid #252564; background: #1F1F5D;">
<tr bgcolor="#121236"><td><font face=arial size=2 color="white"><b>Enter your message here</b></font></td></tr>
<tr><td><center><textarea id="quickreply" name="message" rows=10 cols=50 wrap="VIRTUAL" ></textarea></center></td></tr>
</table>
<div id="preview" style="display: none;"></div>
</p>
<br />
<center>
<font face=arial size=2>When you're happy with your message, click:</font>
<div id="javano"><input type="submit" value=" Post Message "></div>
</center>
<input type="hidden" name="tid" value="<?php echo $_GET["tid"];?>" />
</div>
</form>

That is the code I'm using for User/Pass/message fields.

Hello all,

A simple question:

I have a HTML application from which a php script is executed. 'GET' method is used and no form is submitted.
I was wondering if there is a way to prevent users from run this php script directly in the browser.

Thank you all for your suggestions,
Mamer

I have a problem which is why I am here. 

What I am trying to achieve

I am creating a very very basic timetabling system online, using php and sql. I am still in the process of completing it and changing bits from here to there. Although I am fully aware that the current design / implementation needs several changes and amendments, but however it performs most of the basic functionalities from a login system to the ability to add data delete data and also reset the database and recreate.


The problem

I have a table called tCourse althouogh a full ERD implementation has not taken place, it is still trial and error period.

The table consists of the following:

- Course
- Unit
- Course_Code
- Year (i.e. Yr1, Yr2, Yr3)
- Credits (Value of the unit)
- Day
- Semester
- Start_Time
- End_Time
- Room
- Tutor

At the moment the primary keys for the table a  

- Day
- Start_Time
- Room_   
- Semester

This basically prevents a particular day, a semester, a room having been booked at the same time. Which for a very basic one is ok. The only problem is though,

if someone books for example:

Monday >> 13:00:00 To 14:00:00 >> 205 >> Sem1 (ok)
Monday >> 13:00:00 To 14:00:00 >> 205 >> Sem1 (Not ok, which is good, as it is a repeat and prevents double booking)

However the problem comes he


Monday >> 12:00:00 To 14:00:00 >> 205 >> Sem1 (ok)
So this is allowing a booking even though that room will be busy i.e. booked between 13:00 to 14:00

So is there a way I can limit it, so if there is a room booked for that particular period it will not do it.

I have done a bit of research and friend's have suggested doind several for loops and quering the database beforehand. I came here, mainly because there are a lot of experienced individuals here whom may have a simpler solution, although I can understand it won't be a one liner .

I would appreciate any help, if not, it is still ok.