How to prevent form resubmission

Forms that can be accidentally or maliciously submitted multiple times can cause havoc with your online application. Resubmits can happen for many reasons, mainly through page refreshing, back button navigation and multiple button clicks. Fortunately, there are a number of ways to prevent these actions from resubmitting a form.

Disabling the submit button. Disabling the button after the user has clicked it prevents the user from clicking it multiple times and thus prevents the form from being submitted multiple times. It is a very simple fix but does rely on the user having JavaScript enabled in their browser.



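 <!-- disable from the form's submit event: a button disabled inside its own click handler may cancel the submit in some browsers -->
 <form method="post" name="myform" action="submit.php" onsubmit="this.querySelector('[type=submit]').disabled=true;">
      <input type="text" name="data" value="" />
      <input type="submit">
 </form>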
  

Using JavaScript redirection. Using JavaScript to redirect the user to a different page after submission takes the original submission destination page out of the browser history so the user cannot refresh it or navigate back to it. This is a slightly more complex method and requires JavaScript and a server-side scripting language such as PHP, ColdFusion etc.


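<?php
    if (isset($_POST["data"])) {
        // do whatever we need to do to the data, but only when the form was actually posted
        add_data_to_database($_POST);
    ?>
      <script type="text/javascript">
      <!--
      // replace() swaps the POST result out of the history instead of adding a new entry
      window.location.replace("submit.php");
      //-->
      </script>
  <?php } ?>
  <b>Thank you</b>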
  

Using sessions. Using sessions to track form submissions prevents resubmission from back buttons and refreshes. It puts an md5 variable into the form and, upon submission, puts this into the user session. If the form gets resubmitted and the session variable is found, then the data does not get processed.


  <form method="post" name="myform" action="submit.php" onsubmit="this.querySelector('[type=submit]').disabled=true;">
    <input type="text" name="data" value="" />
    <!-- the key must differ on every render; a fixed string would mark every later post as a repeat -->
    <input type="hidden" name="myform_key" value="<?php echo md5(random_bytes(16)); ?>" />
    <input type="submit">
  </form>


  <?php
    // needed for $_SESSION; call it before the script sends any output
    session_start();

    // do whatever we need to do to the data
    // only a posted string key can count as a new submission
    $is_new_post = isset($_POST["myform_key"]) && is_string($_POST["myform_key"]);
    // is a previous session set for this form and is the form being posted
    if ($is_new_post && isset($_SESSION["myform_key"])) {
      // do the keys match (hash_equals avoids the loose-comparison pitfalls of ==)
      if (hash_equals($_SESSION["myform_key"], $_POST["myform_key"])) {
        $is_new_post = false;
      }
    }
    if ($is_new_post) {
      // register the session key variable
      $_SESSION["myform_key"] = $_POST["myform_key"];
      // do what ya gotta do
      add_data_to_database($_POST);
    }
  ?>
  <b>Form submitted</b>
  

Using database persistence. Using database persistence is a slight extension to the session method. It again puts an md5 variable into the form and, upon submission, puts this into a database table. If the form gets resubmitted and the variable is found in the database, then the data does not get processed. The outline for this method below relies on a few user-defined functions (you will have to build ones that suit you) to add the keys and check the keys in the database.


  <form method="post" name="myform" action="submit.php" onsubmit="this.querySelector('[type=submit]').disabled=true;">
    <input type="text" name="data" value="" />
    <!-- the key must differ on every render; a fixed string would mark every later post as a repeat -->
    <input type="hidden" name="myform_key" value="<?php echo md5(random_bytes(16)); ?>" />
    <input type="submit">
  </form>


  <?php
    // do whatever we need to do to the data
    // only a posted string key can count as a new submission
    $is_new_post = isset($_POST["myform_key"]) && is_string($_POST["myform_key"]);
    // check using user defined function to check database for existing key
    if ($is_new_post && check_for_key($_POST["myform_key"])) {
      $is_new_post = false;
    }
    if ($is_new_post) {
      // user defined function to add the key to a database table
      add_key($_POST["myform_key"]);
      // do what ya gotta do
      add_data_to_database($_POST);
    }
  ?>
  <b>Form submitted</b>
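
One way to build the key functions the database method leaves to you, as an added example that is not from the original article: it folds check_for_key and add_key into a single INSERT against a primary-key column, so two submissions arriving at the same moment cannot both pass the check. The names open_key_store, claim_key and the form_keys table are assumptions, and an in-memory SQLite database via PDO stands in for your real one.

```php
<?php
// Added example: hypothetical key store for the database method.
// open_key_store(), claim_key() and the form_keys table are assumed names.

function open_key_store(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // PRIMARY KEY makes the database itself refuse a second copy of a key.
    $db->exec('CREATE TABLE IF NOT EXISTS form_keys (
                   form_key   TEXT PRIMARY KEY,
                   created_at INTEGER NOT NULL
               )');
    return $db;
}

// Returns true the first time a key is seen, false on every resubmission.
function claim_key(PDO $db, string $key): bool
{
    // Only accept the shape md5() emits: 32 lowercase hex characters.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return false;
    }
    try {
        // Check and insert happen in one statement, so there is no gap
        // between "is the key there?" and "store the key".
        $stmt = $db->prepare(
            'INSERT INTO form_keys (form_key, created_at) VALUES (?, ?)'
        );
        $stmt->execute([$key, time()]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate key).
        if (strpos((string) $e->getCode(), '23') === 0) {
            return false;
        }
        throw $e; // any other database error is a real failure
    }
}

// Constructed sample run: the same key posted twice, then a fresh key.
$db    = open_key_store();
$first = md5(random_bytes(16));
var_dump(claim_key($db, $first));
var_dump(claim_key($db, $first));
var_dump(claim_key($db, md5(random_bytes(16))));
```

The created_at column is there so old keys can be purged on a schedule of your choosing; the example does not delete anything itself.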