disable repeated call using getmethod() in php when page is refreshed

Question

Hi, I'm new to PHP and in order to learn the language and the concepts I'm working on a e-commerce website with a shopping cart, etc. In this site I have items, when an item is clicked, the id of the item is sent via the GET method to the shopping cart page. Using this id, I add the item to the shopping cart(table in db) and it works fine.

<a href="do_shoppingcart.php?id=<?php echo "$itm_id"; ?>">

The issue is; if the user clicks the refresh button, the item is added again to the shopping cart. Do you think that disabling the refresh button or F5 button is a good option? what must i do to prevent the user from adding the item to the shopping cart when the page is refreshed? In forms I've noticed that "(isset($_POST['Submit'])){}" is helpful, but for the GET method this doesn't work accordingly.

Your help is appreciated.

Answer 1

you should do destructive actions with POST, reserve GET for idempotent operations.

Answer 2

The safest way (also helpful to prevent CSRF attacks) is to add a token as hidden field to your form. Then, in the processing script, only add the item to the database if that token does not exist yet...

The token could be created by something like this:

$token = sha1(uniqid());

Appended to your link:

echo '<a href="process.php?id='.$id.'&token='.$token;

Then, when processing, you query your database for a line with that token.

SELECT 1 FROM table WHERE token='abc....'

If this query returns a result, don't process anything else...