The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Home Forums Back End Contact.php Re: Contact.php


…use a token to make sure you don’t process the same form twice.

(This *will* require you to generate the form itself via PHP, but that’s not a bad thing.)

Say, for example, that your current form looks something like this:

You’ll need to make a PHP page for that HTML form.

// start a session

// a “token” is just an arbitrary, unique identifier
$token = md5( rand().$_SERVER );

// save the token to your user session
$_SESSION = $token;

// add the token to a hidden form field

Then, on your contact.php script, check that the token exists and is valid:

// if there’s a token in the session
! empty( $_SESSION )
// AND a token in the form submission
&& ! empty( $_POST )
// AND the tokens match
&& $_SESSION === $_POST
// THEN, the form submission is legit.

// first, DELETE the token from the session:
unset( $_SESSION );
// that way, if the user hits the [back] button,
// the script will ignore the repeated submission
// because there’s no matching token in the session.

// next, proceed with processing the form submission
// and sending the email as normal.

// if there’s no matching token,
// the form submission is a duplicate
// (or possibly from a really old visit, and the session has expired).
// so, don’t process it or send any emails.

// you might redirect to the contact form again,
// or the homepage, or whatever you like.


> there doesn’t seem to be any actionable item aka: a submit button.

since the entire `

` is missing from the code sample, I’m assuming that it’s on another page and functioning properly. He mentioned that the problem occurred when someone *reloaded* the page (or, presumably, navigated to it via the [back] button or by accident). @markblackler, does the script email you successfully when you submit the form the first time?

> The biggest problem lies in your $mail_status, currently it just checks if it exists / has a value which can include blank values.

`$mail_status` comes from the call to `mail()`, which will always be either `true` or `false`. It should work as expected.