What am I doing wrong (updating issue)

The PHP code is supposed to update, but it's not responding well.
When I refresh the page it updates, and when I click on the submit button it updates. Please take a look at it for me.

// Assumes $db, $DBPrefix and $id are set earlier in the script.
if (isset($_POST['action']) && $_POST['action'] == 'update')
{
    $query = "SELECT a.song_url, au.auction_id, au.counter, au.download_counter FROM " . $DBPrefix . "auccounter au
        LEFT JOIN " . $DBPrefix . "auctions a ON (a.id = au.auction_id)
        WHERE au.auction_id = :auction_id";
    $params = array();
    $params[] = array(':auction_id', $id, 'int'); // the only placeholder in this query
    $db->query($query, $params);

    //update button click
    $query = "UPDATE " . $DBPrefix . "auccounter set download_counter = download_counter + 1 WHERE auction_id = :auction_id";
    $params = array();
    $params[] = array(':auction_id', $id, 'int');
    $db->query($query, $params);

    //insert button click
    $query = "INSERT INTO `" . $DBPrefix . "auccounter` (`auction_id`, `download_counter`) VALUES (:download_counter, 1)";
    $params = array();
    $params[] = array(':download_counter', $id, 'int');
    $db->query($query, $params);
}
            

and the submit form:

<form class="form-horizontal" name="action" action="" method="post">
    <input type="hidden" name="csrftoken" value="{_CSRFTOKEN}">
    <input type="hidden" name="id" value="{ID}">
    <input type="hidden" name="action" value="update">
    <input type="submit" name="Input" value="{L_5199}" class="btn btn-primary">
</form>

thanks

So I guess this script works as intended. You only said what it's currently doing, but did not say what the expected behavior is, so what help do you need?

What sense should this make to anybody not familiar with your task?

It's not supposed to update when the page is refreshed, only when the button is clicked.

But there's no difference between redirecting to a URL and refreshing the browser tab (with POST data or not). So you have at least two options: Post/Redirect/Get, or the more precise and secure approach, a CSRF token.

Have tried all that, it just doesn't work.

Worst thing I just noticed: if I remove the HTML file
and refresh the browser, it still gets updated.

An HTML file (normally) isn't even an executable, so it does nothing except structure some text, or show your form, but not actually process it. You have to modify the PHP file, or you are looking in the wrong place.

Show all the codes related to your CSRF-token testing.

You did not show how you implemented the Post/Redirect/Get cycle.

Here is a very simple example that just updates a session counter on POST.

<?php
session_start();

$count = isset($_SESSION['count']) ? $_SESSION['count'] : 0;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    
    // Update the counter
    $count++;
    $_SESSION['count'] = $count;

    // And redirect
    header("Location: count.php"); // Really should be an absolute url
    exit();
}

?>
<form method="POST" action="count.php" >
    Count: <?php echo $count; ?><br/>
    <input type="submit" value="Increment">
</form>

Try it with and without the header/exit redirect lines and see how it impacts the browser refresh button following a post.

Hi, thanks for the reply. Below is the form code:

<form class="form-horizontal" name="action" action="{SITEURL}item.php" method="post">
    <input type="hidden" name="csrftoken" value="{_CSRFTOKEN}">
    <input type="hidden" name="id" value="{ID}">
    <input type="hidden" name="action" value="update">
    <input type="submit" name="Input" value="{L_5199}" class="btn btn-primary">
</form>

This is the PHP code:

// Assumes $db, $DBPrefix, $template, $id and $i are set earlier in the script.
if (isset($_POST['action']) && $_POST['action'] == 'update')
{
    $query = "SELECT a.song_url, au.auction_id, au.counter, au.download_counter FROM " . $DBPrefix . "auccounter au
        LEFT JOIN " . $DBPrefix . "auctions a ON (a.id = au.auction_id)
        WHERE au.auction_id = :auction_id";
    $params = array();
    $params[] = array(':auction_id', $id, 'int'); // the only placeholder in this query
    $db->query($query, $params);

    //update button click
    $query = "UPDATE " . $DBPrefix . "auccounter set download_counter = download_counter + 1 WHERE auction_id = :auction_id";
    $params = array();
    $params[] = array(':auction_id', $id, 'int');
    $db->query($query, $params);

    //insert button click
    $query = "INSERT INTO `" . $DBPrefix . "auccounter` (`auction_id`, `download_counter`) VALUES (:download_counter, 1)";
    $params = array();
    $params[] = array(':download_counter', $id, 'int');
    $db->query($query, $params);
}

// Fetch the rows of the last executed statement into the template block
while ($row = $db->fetch())
{
    $template->assign_block_vars('clicker', array(
        'ID' => $row['auction_id'],
        'SONG_URL' => UPLOAD_FOLDER . $row['auction_id'] . '/' . $row['song_url'],
        'DOWNLOAD' => $row['download_counter']
    ));
    $i++;
}

I also noticed something: when I enter the page at first and refresh, the counter doesn't increase, but when I click on the button the counter increases, which is good; but when I start to refresh afterwards, the counter keeps increasing.

Weird, I know, right?

I see no evidence in your code of a redirect following a post. So I am not sure of the relevance.

Take a look at the example I gave. The header line is important.

Okay, try again.

OK, done. This is what I did at the end of it:

$query = "UPDATE " . $DBPrefix . "auccounter set download_counter = download_counter + 1 WHERE auction_id = :auction_id";
$params = array();
$params[] = array(':auction_id', $id, 'int'); // the only placeholder in this query
$db->query($query, $params);

header('location: item.php?id=' . $id);

Thanks for your contribution.

Glad you got it working. Now add exit(); right after the header line to stop execution. In many cases it won't matter if the rest of the script runs, but you can get into some interesting edge cases. Best to just explicitly stop.

And take the time to turn item.php into an absolute url. Most browsers are fine with what you have but some follow the standards and produce unwanted results.

OK, done, thanks.

Hi, is there any way I can limit the click to 2 or 3 clicks per IP or session? I don't want someone just pressing the button continuously like that.

There is no "click" on the server side. You get requests, and you can handle them as you wish, e.g. store the requesting IP plus a counter in a database and check against that value on every request.


Trapping it per IP address is a bit dangerous sometimes - multiple users on a shared internet connection (think of several people working in the same business) might report as the same WAN IP address when they connect to your server. So the first guy views the site, tells his friends at work, and they can’t get on because you’ve blocked the IP temporarily.


The thing that really sucks about PHP is that you can't track someone's MAC address. This approach would have been better.

Use JavaScript for this.

Yeah, thought of it also, but it will take JavaScript to disable the form and not the button.

Perhaps the easiest way is just store a flag in your session the first time they click. Afterwards, use the flag to prevent further updates.

It is not very secure and easy to get around. If it is really important then you will probably need to implement a login system.
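Pulling the thread's advice together (the Post/Redirect/Get redirect with exit() and an absolute URL, the CSRF token check, and the session flag that caps clicks), here is an added example of how the item.php update branch could look. It is not code from the thread or from the site in question: $db->query() with array(':name', $value, 'int') params and $DBPrefix are taken from the posted code, while csrf_token_valid(), register_click(), the cap of 3, the example.com URL and the assumption that the auccounter row already exists are mine.

```php
<?php
// Added example, not code from the thread. Assumes $db->query($sql, $params) with
// params as array(':name', $value, 'int') and $DBPrefix, as in the posted code,
// and that the auccounter row for the auction already exists (UPDATE only).
session_start();

const MAX_CLICKS_PER_SESSION = 3;                 // assumed cap per auction id
const ITEM_URL = 'https://example.com/item.php';  // assumed absolute URL

// One token per session; the form's hidden csrftoken field must echo it back.
if (empty($_SESSION['csrftoken'])) {
    $_SESSION['csrftoken'] = bin2hex(random_bytes(32));
}

// Constant-time comparison of the posted token against the session token.
function csrf_token_valid(array $post, array $session): bool
{
    return isset($post['csrftoken'], $session['csrftoken'])
        && hash_equals($session['csrftoken'], (string) $post['csrftoken']);
}

// Records one click for $id in the session; returns false once $max is reached.
function register_click(array &$session, int $id, int $max): bool
{
    $clicks = $session['download_clicks'][$id] ?? 0;
    if ($clicks >= $max) {
        return false;
    }
    $session['download_clicks'][$id] = $clicks + 1;
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['action']) && $_POST['action'] === 'update') {
    $id = (int) ($_POST['id'] ?? 0);
    if ($id > 0
        && csrf_token_valid($_POST, $_SESSION)
        && register_click($_SESSION, $id, MAX_CLICKS_PER_SESSION)) {
        $query = "UPDATE " . $DBPrefix . "auccounter"
               . " SET download_counter = download_counter + 1"
               . " WHERE auction_id = :auction_id";
        $params = array(array(':auction_id', $id, 'int'));
        $db->query($query, $params);
    }
    // Post/Redirect/Get: after the 303 the browser holds a GET, so refresh
    // re-requests the page instead of re-submitting the form.
    header('Location: ' . ITEM_URL . '?id=' . $id, true, 303);
    exit();
}
```

The session cap only limits one browser session, as the reply above says; a visitor who clears cookies gets a fresh session, so anything that must hold across sessions needs a server-side record tied to a login.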

Please reword this. It is quite hard to understand what you are referring to.