Below are scenarios that may cause duplicates
- browser refresh upon successful form submission
- browser refresh while the page still processing/loading
- resubmit the form again (by clicking on the button more than once)
- Post-redirect-get (PRG) – on wikipedia
- One easy way is to have injected a hidden parameter with a random hash/number (e.g called token). Upon submission you’ll have to check that the token you expect (which you’ll have probably stored in the http session) is being sent together with the other POST parameters. On valid submission you’ll remove/invalidate this token. That way when a POST comes which a non recognised token then it’s most probably a duplicate or out of date request. source
- To check whether the data submitted exist in the database. This is the most tedious part to do and you need to have a unique data for this. i.e. the data must be unique in the table or create a unique data for this purpose sent together with other data.
- Add a one-time token to your forms and save it to the $_SESSION-variable. Then if it is used (form is submitted), remove it from the session (or create a new token). If the form is then sent again, the two tokens don’t match and you have a duplicate entry (you can ignore the second for example). source