Thanks a lot, I will try to do this.

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> --- Dre <[EMAIL PROTECTED]> wrote:
> > I'm trying to perform a database insertion for a new record from
> > data I receive from an HTML form.
> >
> > I send the data to the file containing the insertion script and
> > insert the values using the $_POST['variable_name'].
>
> Yikes, that sounds dangerous! Are you really using $_POST variables in
> your SQL statement?
>
> You want to filter your data first (which is what I actually thought your
> subject meant by cleaning variables), and then you want to escape it using
> something like mysql_escape_string(). What you have now is an SQL
> injection vulnerability.
>
> > The problem is when I refresh this page (the one containing the
> > database insertion script) a new record with the same data is
> > inserted in the same table (I'm using an auto-incremented id
> > for this table).
> >
> > I was wondering if there is a way that I can delete all values
> > sent from the form after the first insertion succeeded.
>
> I think the easiest way to solve this is to submit your form to a
> processing page that does not display any output. In this processing page,
> send a Location header that redirects the user to the final page:
>
> header('Location: http://example.org/end.php');
>
> This intermediate page will be transparent to the browser's history
> mechanism, so even the Back button won't return the user to the processing
> page. Of course, you can also refresh the last page without submitting the
> form.
>
> Hope that helps.
>
> Chris
>
> =====
> Chris Shiflett - http://shiflett.org/
>
> PHP Security - O'Reilly
> Coming Fall 2004
> HTTP Developer's Handbook - Sams
> http://httphandbook.org/
> PHP Community Site
> http://phpcommunity.org/
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
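The following is an added example, not code from the thread above or from either poster, putting both of Chris's points into one processing page: the form data is filtered, inserted with a parameterized query, and the browser is then redirected (Post/Redirect/Get) so a refresh or Back cannot repeat the INSERT. The thread is from 2004 and suggests mysql_escape_string(); the ext/mysql functions were removed in PHP 7, so this example uses PDO prepared statements instead, which keep user data out of the SQL text entirely. The table `entries` (id AUTO_INCREMENT, name, email), the DSN/credentials and the redirect target are assumptions for the example.

```php
<?php
// process.php: added example, not part of the original thread.
// Assumes a MySQL table `entries` (id INT AUTO_INCREMENT, name, email)
// and the connection constants below; adjust them for your setup.
declare(strict_types=1);

const DSN     = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // assumption
const DB_USER = 'app';                                             // assumption
const DB_PASS = 'secret';                                          // assumption
const END_URL = 'https://example.org/end.php';                     // final page

/**
 * Step 1 (filter): validate the fields we expect and reject anything else.
 * Returns [name, email] or null if the submission is not acceptable.
 */
function filterInput(array $post): ?array
{
    $name  = isset($post['name'])  ? trim((string) $post['name'])  : '';
    $email = isset($post['email']) ? trim((string) $post['email']) : '';

    if ($name === '' || mb_strlen($name) > 100) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return [$name, $email];
}

/**
 * Step 2 (insert): a prepared statement sends the SQL and the values
 * separately, so quotes or comment sequences in $name/$email cannot
 * change the query. Returns the new auto-increment id.
 */
function insertEntry(PDO $db, string $name, string $email): int
{
    $stmt = $db->prepare('INSERT INTO entries (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $db->lastInsertId();
}

// Only a POST carries a form submission. A GET of this URL (for example a
// refresh after the redirect below) is refused and inserts nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

$fields = filterInput($_POST);
if ($fields === null) {
    http_response_code(400);
    echo 'Invalid input';
    exit;
}
[$name, $email] = $fields;

$db = new PDO(DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

insertEntry($db, $name, $email);

// Step 3 (redirect): 303 See Other tells the browser to fetch END_URL with
// GET. The POST response itself carries no body, so Refresh on end.php and
// Back from it never resubmit the form.
header('Location: ' . END_URL, true, 303);
exit;
```

The status code matters: with a bare `header('Location: ...')` PHP sends 302, which browsers also follow with GET in practice, but 303 states that intent explicitly. Checking `REQUEST_METHOD` is the extra guard a practitioner wants: even if a user bookmarks or manually reloads process.php, nothing reaches the database without a fresh POST.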