php/mysql database posts from ghosts


Disclaimer: I’m very new to PHP, so please don’t hurt me.

Problem: php script keeps running randomly - no cron jobs are set to run

Detail: I have a webpage that sends information to a php webpage which uses the $_GET method, which then creates and updates records in a mysql database.

When I click a button on the webpage the current page is directed to the php page and the script runs and then redirects back to the original webpage.

The problem is that sometimes once a record has been inserted into the database, several minutes later I will get another post. This is not a double post issue though.

I have added a timestamp to the records and also added lines of code to email me each time the script runs. Just recently I click the button, checked that the record was created, walked away from my computer and 5 minutes later the script ran again and then 1 minute later again and then nothing.

Needless to say this is driving a little nuts.

Does anyone know of a reason why a script would run automatically?

It’s not a cron job and I am certain it’s not a user end double-click issue.

Thank you,


Hmmm, GHOSTLY code, too… (none posted…)

Let’s see, talk to the gypsy down the road and I am sure she can read your imaginary code
and give you the perfect answer! Good luck with her…


So that’s a “no” on the question I asked?


Well, if I have to say something silly again, I am sorry if it hurts you…

Without knowing a ton about your system setup, server setup, programming code, posting code, form codes and many other things, how can we help you.

To debug this you can check a long list of things. First, does it post when you are not in a browser.
Does it post when your system is down. Did you have a professional look at your PHP code. Does it post when you are using a different system. Does it post when you are on a wireless laptop…

All of these questions would help debug it. Such as, if it only happens on your computer, then, it must be something inside your system. If so, create a second User on it for testing and run it from there. If it doesn’t double-post, then there you have it.

Debugging this could take months with hands-on. Another thing, you can capture the IP of the posting code and see if it is posting from your system or the server or a hacker’s site. It could be a cookie-expiration code issue. It could be a server delay. It could be bad code in your code which we can not see.

My guess is that it is in YOUR code as you said you were very new to PHP. So, as I hinted before, you can post some code and we can see if you just forgot something simple…

Not sure if any of this helps, but, good luck…



Thank you for your response. You’ve given me some good things to watch for and think about.

To clarify, this issue doesn’t happen all the time, however I’ve been having trouble identifying what is unique about the situation when it does happen.

So far I have used two differnt laptops (one at home - wireless and the other at work wired) and the problem has occured while using both. I am also testing on an iPhone and I’m not 100% sure if it happend while using the phone exclusivly.

This is the code (java script) that is in the main webpage, which is run when a button is clicked.

function start_activity(msg){ var r=confirm("Do you want to start this activity?\r" + msg); if (r==true) { window.location.href = 'start_new_activity.php' + '?theactivity=' + $new_activity + '&thebillable=' + $thebillable + '&thedate=' + $thedate + '&thenote=' + $thenote; } }

The button code is…
[php]onclick=“start_activity(’’. $buttonactivity .’’);”[/php]

The php file in its entirerty…

$theactivity = $_GET[‘theactivity’];
$theactivity_clean = str_replace(" [ Other Activity ]","",$theactivity);
$thebillable = $_GET[‘thebillable’];
$thedate = $_GET[‘thedate’];
$thenote = $_GET[‘thenote’];

if (empty($theactivity )) {
echo ‘Erro no activity name!’;
} else {

$con = mysql_connect('localhost','fakeuser','fakepassword');

if (!$con){
	die('Could not connect: ' . mysql_error());

mysql_select_db("fake_database", $con);

echo ‘

Checking for current activity.

$result = mysql_query(“SELECT * FROM fake_database.settings WHERE email = ‘’;”);
$row = mysql_fetch_array($result);
$scactivityname = $row['cactivityname'];
$scactivitystart= $row['cactivitystart'];
$scactivityid= $row['cactivityid'];

if ($scactivityid <> 0){

echo ‘

Ending current activity.

$sql0=“UPDATE fake_database.activities SET endtime = ‘$thedate’ WHERE = ‘$scactivityid’”;
if (!mysql_query($sql0,$con)){
die('Error: ’ . mysql_error());

echo ‘

Starting new activity.

$sql1=“INSERT INTO fake_database.activities (id, email, billable, activity, note, starttime, endtime) VALUES (NULL, ‘’, ‘$thebillable’, ‘$theactivity_clean’, ‘$thenote’, ‘$thedate’, ‘0000-00-00 00:00:00’)”;
if (!mysql_query($sql1,$con)){
die('Error: ’ . mysql_error());
$last_id = mysql_insert_id();
if ($last_id) {
	$sql2="UPDATE `fake_database`.`settings` SET `cactivityid` = '$last_id', `cactivityname` = '$theactivity', `cactivitystart` = '$thedate' WHERE `settings`.`email` = ''";
	if (!mysql_query($sql2,$con)){
		die('Error: ' . mysql_error());
} else {
	echo "The last query did not generate an AUTO_INCREMENT value";

echo ‘


$to = "";
$subject = $theactivity_clean;
$message = $thedate;
$from = "";
$headers = “From:” . $from;
echo “Mail Sent.”;
?> [/php]

I think the code is pretty simple, but really what do I know. I’ve been expirencing the problem for about 4 days - while trying to nail down a pattern, but I finally hit a wall.

Any review and help would be appreciated. I’m going to checkout the capture the IP idea to see if I can determine what is running the script.

Thank you again,


I am leaving for a few hours. I will check out your code more when I get back.

Also, if you are using a phone, sometimes, I have heard, that phones will sometimes double post because they can have a data-delay. Seems it happens with certain providers and not with others. I would do some various tests with the phone first and see if it keeps happening. Then, wait an hour and test a few with the wireless laptop. Wait an hour then test with the desktop. That way you can narrow it down to one or all of them. If all, then it is code only and we can look at it. If only the phone, then, the code must be changed to have timing checks in place. Hard to debug this type of problem, but, do these first and I will check in when I get back…


Update: I stuck to testing with my iPhone all day and so far I’ve created 20+ records with no issues.

I did create a field for the ip address however I’m starting to wonder if it’s browser specific. I was testing with Chrome, IE, Safari and of course Safari Mobile. I think I can eliminate Safari Mobile, but I’m going to add a field to record the browser too.



I feel like I’m zoning in on the problem, but I’m not really sure what’s triggering the script yet.

After adding the IP Address and the Browser Fields to my database here’s what I found…

Tested with Chrome and my IP address was logged and the browser was “Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11”

Tested with Safari and my IP address was logged and the browser was “Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.52.7 (KHTML, like Gecko) Version/5.1.2 Safari/534.52.7”

Almost exactly 6 minutes after the Chrome entry with another IP address logged an entry and the browser was “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

I the logged into my computer at work via VPN and logged an entry using IE and that IP address was logged as well as the browser “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)”

Then several more ghost entries showed up with different IP addresses and the browser was “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

Any idea what’s happening here?

Thank you,


I looked up the IP addresses and it appears that their locations are in Japan.

When I looked up related IP addresses Trend Micro was listed as the owner and guess where trend micro is located. Tokyo, Japan.

WHY? WHY? Why is this happening? I don’t understand why? Is it possible that Trend Micro, which is loaded on both of my computers, but not my iPhone, is accessing these PHP files which is causing records to be posted?

Thank you for any suggestions.


I read all your posts and find this very interesting. I looked at Trend Micro and found a couple of items.
First, do you actually have any Trend Micro software on your system such as their firewall or anti-virus software? This could be an issue. Also, is your server hosted on a system guarded by Trend Microsystems?
There are a few things that could be logging your IP’s back to theirs. (Most firewall companies track IP’s, so they can add then as safe/unsafe in their IP lists.) This might be something to check on.

So, where are you hosting the site you are accessing? And, if you have Trend Micro software on your system, try to disable it first and see if that helps… Let me know…


I do have Trend Micro on my computers and not on the server. Unfortunatly I can’t disable TM as both computers are owned by the company I work for and TM is password protected.

At this point I am 99% sure that TM is the problem, however I really don’t understand how simply accessing the PHP page causes a database entry. I am using the GET method for passing data from page to page, but I’m also testing for one of the key variables to be set before the database is even accessed. If any one was to access the page without the appropriate string in the URL it should fail. Right?

It’s as if TM is accessing the entire URL string, that I had previously accessed, from my history.

I have read a few things recently that tell me that GET should only be used in situations when you are getting from a database and that I should use a Session however I don’t understand how I can set session variables from user input in a client side script. I have done a test using php to start a session and set a variable when the page first loads and retrieve the variable on the second page and that works, but I need to set session variables dynamically.

Any suggestions that might send me in the right direction?

Thank you for your help.


Use your server firewall to block trend micro ip addresses, simple



Thank you for your suggestion. Although this could be a possibility if I can’t find a better solution, I fear that Trend Micro may not be the only software doing this.

By the way, based on what I have observed so far, I believe that TM is accessing my history and sending the URLs that I have visited to their server in Japan, which is then hitting each of those which is causing my problem.

Yesterday before I shutdown I logged two more entries as tests and then shutdown immediately and this morning when I started up I received another post from the TM IP address. The odd thing is that the post was a duplicate of one from three posts back and usually these posts happen within minutes of my posts.

I plan to change my code to use the POST method in lieu of GET, but I will need to use java to create a hidden form and then submit using the POST method to the PHP page.

I may do a test today to see if it works as long as I can get the JavaScript working.



Well, I have been a bit busy, but, did some research on Trend Microsystems items… I found that their “protection” software tracks all IP’s if they have email traffic and send’s them off to the “MAPS” sites.
So, this might be a bit of the puzzle. They did state they do nothing but track IP’s. So, it may be some sort of bounce-back thing going on. I never liked Trend Micro because I have had so many problems with their software on a lot of different systems. But, sometimes these are parts of the browsers.

I know this did not help much, but, all info is good while tracking down a puzzling error! Good luck!

Here is a quote from T.M. "

We simply provided a categorical list of IP addresses, which other networks may choose to use to filter traffic on their network. The Mail Abuse Prevention System (MAPS) never touches any email (or other packets) between your network and someone else’s network.

Please understand that we have not singled you out. All of MAPS’ lists are based on IP addresses only and not the following:

·Domain names
·Email addresses
·Message contents
·Any other information

Also, our lists do not distinguish between domain names. Networks use our lists to identify and reject mail from listed IP addresses.

So, this basically says: We send your IP on to others… Not sure if that is good, but, I do think that most all AntiVirus software does this.