The simplest approach is to redirect to another page; however, the user can still return to the page and reprocess it.
To provide a greater guarantee, raise a flag using a session variable:
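    // Insert only if this session has not already submitted the form.
    // Note: mysql_* was removed in PHP 7; with mysqli or PDO, bind $id_res and
    // $id_cliente in a prepared statement instead of interpolating them.
    if ($libera == "sim" && !isset($_SESSION['submitted'])) {
        $sql = mysql_query("INSERT INTO a_finan(id_reserva,id_cliente) VALUES('$id_res','$id_cliente')", $conexao) or die(mysql_error());
        $_SESSION['submitted'] = true; // raise the flag
    } else {
        echo "";
    }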
On the form page, enter:
    <?php
    // Clear the flag whenever the form is displayed.
    if (isset($_SESSION['submitted'])) {
        unset($_SESSION['submitted']);
    }
This resets the flag so the user can legitimately post from the form again to register something else that is not a duplicate.
Starting the session
Obviously, you should know that to use session variables you need to initialize the session with session_start().
I left out the initialization in the examples above because your system may already be using sessions and this could cause an error. If your scripts are not already using them, just invoke the function:
In the form:
    <?php
    session_start();
    // Clear the flag whenever the form is displayed.
    if (isset($_SESSION['submitted'])) {
        unset($_SESSION['submitted']);
    }
In the script that receives the data and writes:
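    session_start();
    // Insert only if this session has not already submitted the form.
    // Note: mysql_* was removed in PHP 7; with mysqli or PDO, bind $id_res and
    // $id_cliente in a prepared statement instead of interpolating them.
    if ($libera == "sim" && !isset($_SESSION['submitted'])) {
        $sql = mysql_query("INSERT INTO a_finan(id_reserva,id_cliente) VALUES('$id_res','$id_cliente')", $conexao) or die(mysql_error());
        $_SESSION['submitted'] = true; // raise the flag
    } else {
        echo "";
    }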
Let's complicate matters?
The user can still go backward and forward through the browsing history. In that case, the user sucks. But it can be something legitimate. It is possible to add more reinforcement in these cases using the session variable, for example by checking whether the data sent is exactly the same as the data previously sent.
Usage advantage
This is not the case here, but where there is no control over the primary key to be inserted, it would not be feasible to search the database before inserting, since without a unique key the search query becomes more complex and often inaccurate.
Example situation: a table with a primary key of type autoincrement.
The session technique also helps prevent bot and spammer actions, because a session should be started on the original page of the form. It does not mean that it is 100% secure against bots or spammers, but it helps make such actions more difficult.
Additional Notes
A session variable expires, but it is still better than having nothing. In addition, a session can be set to expire after more than 1 hour. One day, for example. For even greater reinforcement, you can use $_COOKIE instead of the session. One might object that the user can delete the cookie. Okay, but then it stops being an ordinary user and the bad intentions become clear. For a user of this type, whatever block you put in place, they will find a means to circumvent it. In these cases it is good to guard against suspicious activity and to take the appropriate measures. At this point we enter into a parallel discussion, which should not be added here as it would deviate too much from the main focus, branching out into various subjects.
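The reinforcement mentioned under "Let's complicate matters?" (checking whether the data sent is exactly the same as previously sent) could look like the following. This is an added example, not code from the original answer: the function name, the `last_submission` key and the sample values are assumptions, and the session is passed in as an array so the script also runs from the command line.

```php
<?php
/**
 * Returns true when $data repeats the last accepted submission of this session.
 * In a web script, call session_start() and pass $_SESSION and $_POST.
 * Call it before the INSERT; if the INSERT then fails, unset
 * $session['last_submission'] so that a retry is accepted.
 */
function is_duplicate_submission(array &$session, array $data, int $ttl = 3600): bool
{
    ksort($data);                                  // field order must not matter
    $fingerprint = hash('sha256', serialize($data));
    $now = time();

    $last = $session['last_submission'] ?? null;
    if ($last !== null
        && $now - $last['time'] <= $ttl            // old fingerprints expire
        && hash_equals($last['hash'], $fingerprint)) {
        return true;                               // same payload sent again
    }

    // Keep only the hash in the session, never the submitted values.
    $session['last_submission'] = ['hash' => $fingerprint, 'time' => $now];
    return false;
}

// Constructed sample data standing in for $_SESSION and $_POST.
$session = [];
$first   = ['id_reserva' => '15', 'id_cliente' => '7'];
$replay  = ['id_cliente' => '7', 'id_reserva' => '15'];   // same data, other order
$other   = ['id_reserva' => '16', 'id_cliente' => '7'];

var_dump(is_duplicate_submission($session, $first));   // first post: run the INSERT
var_dump(is_duplicate_submission($session, $replay));  // back/forward resend: skip it
var_dump(is_duplicate_submission($session, $other));   // different reservation: run it
```

Unlike the plain `submitted` flag, this check does not need to be reset on the form page, because a different payload is accepted on its own.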