--- Dre <[EMAIL PROTECTED]> wrote:
> I'm trying to perform a database insertion for a new record from
> data I receive from an HTML form
>
> I send the data to the file containing the insertion script and
> insert the values using the $_POST['variable_name']
Yikes, that sounds dangerous! Are you really using $_POST variables in your SQL statement? You want to filter your data first (which is what I actually thought your subject meant by cleaning variables), and then you want to escape it using something like mysql_escape_string(). What you have now is an SQL injection vulnerability.

> the problem is when I refresh this page (the one containing the
> database insertion script) a new record with the same data is
> inserted in the same table (I'm using an auto-incremented id
> for this table) ..
>
> I was wondering if there is a way that I can delete all values
> sent from the form after the first insertion succeeded

I think the easiest way to solve this is to submit your form to a processing page that does not display any output. In this processing page, send a Location header that redirects the user to the final page:

header('Location: http://example.org/end.php');

This intermediate page will be transparent to the browser's history mechanism, so even the Back button won't return the user to the processing page. Of course, you can also refresh the last page without submitting the form.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
Coming Fall 2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
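The processing page Chris describes, written out as an added example (this is not his code or Dre's; it is illustrative only). It does the three things the reply asks for in order: filter the $_POST values against a whitelist, keep them out of the SQL text (a mysqli prepared statement is used here in place of mysql_escape_string(), which is what a current PHP install offers for the same purpose), and then redirect so that a refresh re-requests the final page rather than the insert. It also adds one caveat the reply does not cover: a one-time form token, so that a double-click or a resubmitted POST that arrives before the redirect cannot insert the row twice. The table name `entries`, its columns, the database credentials, the field names `name` and `note`, and the URLs are all assumptions.

```php
<?php
// process.php: receives the form POST, inserts one row, redirects.
// Added example, not code from the original thread. Assumes a table
//   entries (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(64), note TEXT)
// and the hypothetical credentials/URLs below.
declare(strict_types=1);

session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// A GET of this page (bookmark, Back button, reload) must never insert anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: http://example.org/form.php', true, 303);
    exit;
}

// One-time token issued by form.php (assumed to do:
//   $_SESSION['form_token'] = bin2hex(random_bytes(16)); and emit it as a
//   hidden field). Consuming it here means a duplicate POST with the same
//   token is rejected even if it races the redirect.
$token = $_POST['form_token'] ?? '';
if ($token === '' || !isset($_SESSION['form_token'])
    || !hash_equals($_SESSION['form_token'], $token)) {
    http_response_code(400);
    exit('Form already submitted or token missing');
}
unset($_SESSION['form_token']);

// 1. Filter: decide what a valid value looks like before it goes near SQL.
$name = $_POST['name'] ?? '';
$note = $_POST['note'] ?? '';
if (!preg_match('/^[A-Za-z0-9 _.\-]{1,64}$/', $name)) {
    http_response_code(400);
    exit('Invalid name');
}
if (strlen($note) > 2000 || !preg_match('//u', $note)) { // length and valid UTF-8
    http_response_code(400);
    exit('Invalid note');
}

// 2. Parameterize: the values travel separately from the SQL text, so a
//    quote or comment sequence in $note is stored literally, not executed.
//    This is the modern stand-in for escaping with mysql_escape_string().
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed
$db->set_charset('utf8mb4');
$stmt = $db->prepare('INSERT INTO entries (name, note) VALUES (?, ?)');
$stmt->bind_param('ss', $name, $note);
$stmt->execute();
$newId = (int) $db->insert_id;
$stmt->close();
$db->close();

// 3. Redirect (Post/Redirect/Get). 303 tells the browser to fetch end.php
//    with GET, so Refresh and Back repeat that GET, not this insert.
//    exit is important: nothing after header() should run or be output.
header('Location: http://example.org/end.php?id=' . $newId, true, 303);
exit;
```

The `true, 303` arguments to header() replace any earlier Location header and set the status explicitly; a bare header('Location: ...') as in the reply works too, since PHP sends 302 by default and browsers follow a 302 after a POST with a GET. The token check is the part that matters when the user double-clicks Submit: PRG alone only protects against the refresh that happens after the redirect has landed.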