#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2003
    Location
    Bristol, England
    Posts
    114
    Rep Power
    17

    Javascript submits form twice


    Hi,

    I've written some javascript to stop right-clicking on the page that is displayed by my software as it is redirecting the browser to a payment processor. However, it seems to be having a weird side-effect. It took me days to narrow it down to this script, but it seems to be causing my order page form to be submitted twice when the Submit button is clicked.

    I have been scratching my head over this for a very long while, but I still can't see how this code could possibly cause a form submission, but through a lot of trial and error testing, I've found that when this code is present, the form is submitted a second time, but when it's absent, the form is submitted only once.

    The process that happens is that my order page is submitted to a PHP script, which adds the order to my database and sends the dopay.php page back to the browser. This page then forwards the browser to the payment processor's page. Sometimes, it may take a few seconds to get the processor's page, so I added the js script to stop opportunists from looking at the sensitive information in the form that is submitted on the page. Obviously, the determined can always use other ways, but as the page is only displayed for a few seconds, if that, it's very rarely there long enough to be able to use the other methods.

    However, when this script is present, I get two orders being added to my database and my test display messages show that it's because my order page php script has been triggered twice.

    These are the pages involved:

    The dopay.php page:
    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <SCRIPT><!--
    //***************************************************************************
    //*  This work is the copyright and intellectual property of Deborah Figg.  *
    //*  Reproduction by any means is strictly prohibited unless prior written  *
    //*  permission is obtained from the copyright holder.                      *
    //***************************************************************************
    function funGetEvent(evt) {
    	// Return the appropriate event object
    
    	if  (evt == null) {
    		return event;
    	} else {
    		return evt;
    	}
    }
    function funKeyPress(evt) {
    	var objEvt  = funGetEvent(evt);
    
    	if (objEvt.which) {
    		var keyChar = String.fromCharCode(objEvt.which);
    	} else {
    		var keyChar = String.fromCharCode(objEvt.keyCode);
    	}
    
    	if (keyChar == 'U' || keyChar == 'u' || keyChar == 'R' || keyChar == 'r') {
    		alert('Page not available');
    		return false;
    	}
    }
    function funMouseDown(evt) {
    	if (navigator.userAgent.indexOf('Firefox') == -1) {
    		var objEvt = funGetEvent(evt);
    
    		if (objEvt.which) {
    			var button = objEvt.which;
    		} else {
    			var button = objEvt.button;
    		}
    
    		if (button > 1) {
    			alert('Page not available');
    			return false;
    		}
    	}
    }
    function funMouseClick(evt) {
    	var objEvt = funGetEvent(evt);
    
    	if (objEvt.which) {
    		var button = objEvt.which;
    	} else {
    		var button = objEvt.button;
    	}
    
    	if (button > 1) {
    		alert('Page not available');
    		return false;
    	}
    }
    if (document.captureEvents) {
    	if (Event.KEYPRESS) {
    		document.captureEvents(Event.KEYPRESS|Event.MOUSEDOWN|Event.CLICK);
    	} else {
    		document.captureEvents(1024|1|64);
    	}
    }
    document.onkeypress  = funKeyPress;
    document.onmousedown = funMouseDown;
    document.onclick     = funMouseClick;
    
    --></SCRIPT>
    </head>
    <body onLoad="javascript:document.frmPay.submit()">
    <form action="https://www.alertpay.com/payprocess.aspx" method="post" name="frmPay" id="frmPay">
    <input name="ap_merchant" type="hidden" value="myid" />
    <input name="ap_returnurl" type="hidden" value="myreturnpage" />
    <input name="ap_cancelurl" type="hidden" value="mycancelpage" />
    <input name="ap_description" type="hidden" value="My description." />
    <input name="apc_1" type="hidden" value="myorderid" />
    <input name="ap_currency" type="hidden" value="mycurrency" />
    <input name="ap_purchasetype" type="hidden" value="item" />
    <input name="ap_quantity" type="hidden" value="1" />
    <input name="ap_itemname" type="hidden" value="My Product" />
    <input name="ap_amount" type="hidden" value="37.00" />
    <input name="ap_totalamount" type="hidden" value="37.00" />
    </form>
    </body>
    </html>

    As you can see, the form on this page goes to Alertpay, so how on earth can my own order page be submitted twice?

    The order page form:
    Code:
    <form action="order.php" method="post" name="frmOrder" id="frmOrder">
    	<table width="80%" align="center" cellspacing="0" cellpadding="0">
    	<tr><td>
    		<fieldset class="ordfrm-fieldset"><legend class="ordfrm-legend">Enter Your Details</legend>
    		<table width="97%" align="center" cellspacing="3" cellpadding="3" class="ordfrm-text-norm">
    		<tr class="ordfrm-tbl-row ordfrm-tbl-row-even">
    			<td width="40%" class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>First Name:</td>
    			<td width="60%">
    				<input name="FirstName" id="FirstName" type="text" size="30" maxlength="50" title="Max length: 50" value="" tabindex="1" class="ordfrm-input" />
    			</td>
    		</tr>
    		<tr class="ordfrm-tbl-row ordfrm-tbl-row-odd">
    
    			<td class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>Last Name:</td>
    			<td>
    				<input name="LastName" id="LastName" type="text" size="30" maxlength="50" title="Max length: 50" value="" tabindex="1" class="ordfrm-input" />
    			</td>
    		</tr>
    		<tr class="ordfrm-tbl-row  ordfrm-tbl-row-even">
    			<td class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>Email Address:</td>
    
    			<td>
    				<input name="EmailAddress" id="EmailAddress" type="text" size="30" maxlength="100" title="Max length: 100" value="" tabindex="1" class="ordfrm-input" />
    			</td>
    		</tr>
    		</table>
    		<table width="97%" align="center" cellspacing="3" cellpadding="3" class="ordfrm-text-norm">
    		<tr><td><img src="images/spacer.gif" width="1" height="1" /></td></tr>
    		<tr class="ordfrm-tbl-row ordfrm-tbl-row-odd">
    			<td align="center">
    
    <input name="Submit" id="Submit" type="image" src="images/alertpay-sm-1.gif" title="Click here to order securely using **AlertPay**. It may take several moments, so please be patient." tabindex="1" valign="absmiddle" class="image-button" onclick="return funDisable(this, '', true, document.frmOrder)" />
    			</td>
    		</tr>
    		<tr><td align="center" class="ordfrm-text-small ordfrm-tbl-row-odd">
    			<img src="images/spacer.gif" width="1" height="5" /><br />
    			(It may take several moments to take you to our secure payment page, so please be patient. We always protect your privacy and never share your email address with anybody. Also, to ensure you receive our emails, we don't allow free email addresses e.g. yahoo, hotmail, msn.)
    		</td></tr></table>
    		</fieldset>
    	</td></tr></table>
    </form>

    funDisable disables the image button and submits the form. I've thoroughly tested this script with Firebug and it only ever does one submit.

    The order page php script is far too big and complex to include here, but all it does with the dopay.php page is to echo it back to the browser. But anyway, I've eliminated it from the equation, as my testing has all pointed to the presence of the js script on the dopay.php page.

    It's an obscure one, but does anyone have any suggestions as to how the js script could be causing the order page form to be submitted a second time? Or does anyone know of a better script to disable code viewing that I could possibly use?

    Debbie
    QuicknEasySalesPro.com
    - your quick and easy, yet powerful solution for managing your
    membership site sales, downloads and affiliates.
  2. #2
  3. Application is what Divides Us
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Dec 2002
    Location
    Titusville, FL
    Posts
    2,177
    Rep Power
    62
    I've been bed-ridden since Sunday, but is there a chance that the submit is being sent twice by how you're registering both onclick and onmousedown?

    also captureEvents is deprecated in Fx (thanks e-console!!)


    edit

    also you can't type in the letters R or U into the textfields...
    I would have to enter my name as ichard

    & why two functions that do the same exact thing??
    Last edited by jsKid; February 12th, 2008 at 07:32 PM.
    Download [ Fx | Op ] Validate [ Markup | Css ]
  4. #3
    Hi jsKid,

    That's the only way I could find to register the events. How would you suggest doing it?

    > also captureEvents is deprecated in Fx (thanks e-console!!)

    That's why I put both the if (document.captureEvents) and the document. statements in, so the code would work in both IE and all other browsers.

    > also you can't type in the letters R or U into the textfields...
    > I would have to enter my name as ichard

    Not sure what you mean by that?

    > why two functions that do the same exact thing??

    If you mean funMouseDown and funMouseClick, they are not exactly the same and, again, I had to put both functions in to allow for both IE and the other browsers.

    Debbie
    QuicknEasySalesPro.com
    - your quick and easy, yet powerful solution for managing your
    membership site sales, downloads and affiliates.
  6. #4
  7. Application is what Divides Us
    Why not try addEventListener()?


    To be completely honest with you, it'd seem more practical to "disable" the button:

    ...style.visibility='hidden';
    ...style.display='none';
    ...disabled= 1;

    <input type='submit' id='submitbutton'>
    Download [ Fx | Op ] Validate [ Markup | Css ]
  8. #5
    Hi,

    I've now found the solution, which is in this bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=236858, so I thought I'd share what I did with everyone.

    According to the bug report, the absence of a "content-type text/html; charset=iso-8859-1" header or <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> meta tag in the page causes the browser to use its default charset, which it may decide is wrong once it gets to process the actual data on the page. This is what causes the browser to re-request the page to be able to process it using the correct charset, hence submitting the form twice. Not the most desirable result, I grant you, but that's how it's been designed to work, currently.

    So, I tried the suggested fix and found that putting both or just the meta tag did solve the problem, but not consistently enough, because it still happened every so often.

    So, I put in a bit of code to not use the javascript when the browser is Firefox, as that is the only browser in which the problem occurs.
    Code:
    <?php
    if  (USER_BROWSER_AGENT <> "FIREFOX"):
    ?>
    <script language="JavaScript1.2" type="text/javascript"><!--
    <?php
    require(JS_STOP_THIEF);
    ?>
    --></script>
    <?php
    endif;
    ?>

    USER_BROWSER_AGENT is determined by this code, which I thought might be useful for anyone who doesn't already have something similar:
    Code:
    <?php
    // Raw User-Agent header, or an empty string if the client sent none.
    if  (!empty($_SERVER["HTTP_USER_AGENT"])):
    	define("USER_AGENT", $_SERVER["HTTP_USER_AGENT"]);
    elseif (!empty($HTTP_SERVER_VARS["HTTP_USER_AGENT"])):
    	define("USER_AGENT", $HTTP_SERVER_VARS["HTTP_USER_AGENT"]);
    else:
    	define("USER_AGENT", "");
    endif;
    
    // Operating system, by substring match on the User-Agent.
    if  (strstr(USER_AGENT, "Win")):
    	define("USER_OS", "Win");
    elseif (strstr(USER_AGENT, "Mac")):
    	define("USER_OS", "Mac");
    elseif (strstr(USER_AGENT, "Linux")):
    	define("USER_OS", "Linux");
    elseif (strstr(USER_AGENT, "Unix")):
    	define("USER_OS", "Unix");
    elseif (strstr(USER_AGENT, "OS/2")):
    	define("USER_OS", "OS/2");
    else:
    	define("USER_OS", "Other");
    endif;
    
    // Browser family and version. Opera and MSIE are tested first because
    // their User-Agent strings also contain "Mozilla/".
    if  (preg_match('#Opera(/| )([0-9]\.[0-9]{1,2})#',  USER_AGENT, $aMatches)):
    	define("USER_BROWSER_VER", $aMatches[2]);
    	define("USER_BROWSER_AGENT", "OPERA");
    elseif (preg_match('#MSIE ([0-9]\.[0-9]{1,2})#',    USER_AGENT, $aMatches)):
    	define("USER_BROWSER_VER", $aMatches[1]);
    	define("USER_BROWSER_AGENT", "IE");
    elseif (preg_match('#OmniWeb/([0-9]\.[0-9]{1,2})#', USER_AGENT, $aMatches)):
    	define("USER_BROWSER_VER", $aMatches[1]);
    	define("USER_BROWSER_AGENT", "OMNIWEB");
    elseif (preg_match('#(Konqueror/)(.*)(;)#',         USER_AGENT, $aMatches)):
    	define("USER_BROWSER_VER", $aMatches[2]);
    	define("USER_BROWSER_AGENT", "KONQUEROR");
    elseif (preg_match('#Mozilla/([0-9]\.[0-9]{1,2})#', USER_AGENT, $aMatches)
    	&&  preg_match('#Firefox/([0-9]*)#',            USER_AGENT, $aMatches2)
    	   ):
    	define("USER_BROWSER_VER", $aMatches[1] . "." . $aMatches2[1]);
    	define("USER_BROWSER_AGENT", "FIREFOX");
    elseif (preg_match('#Mozilla/([0-9]\.[0-9]{1,2})#', USER_AGENT, $aMatches)
    	&&  preg_match('#Safari/([0-9]*)#',             USER_AGENT, $aMatches2)
    	   ):
    	define("USER_BROWSER_VER", $aMatches[1] . "." . $aMatches2[1]);
    	define("USER_BROWSER_AGENT", "SAFARI");
    elseif (preg_match('#Mozilla/([0-9]\.[0-9]{1,2})#', USER_AGENT, $aMatches)):
    	define("USER_BROWSER_VER", $aMatches[1]);
    	define("USER_BROWSER_AGENT", "MOZILLA");
    else:
    	define("USER_BROWSER_VER", 0);
    	define("USER_BROWSER_AGENT", "OTHER");
    endif;

    Hope that helps.

    Debbie

    Comments on this post

    • Joseph Taylor agrees
    QuicknEasySalesPro.com
    - your quick and easy, yet powerful solution for managing your
    membership site sales, downloads and affiliates.
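
The duplicate orders in this thread come from the browser requesting order.php a second time, so the server is where a repeat can be made harmless. The following is an added example, not code from the thread or from the poster's software: a one-time token issued with the order form makes the POST idempotent. The names issue_order_token, handle_order_post, the order_token field and the $saveOrder callback are assumptions.

```php
<?php
// Added example, not code from the thread. Function, field and callback names are hypothetical.

// Call while rendering the order form; put the result in a hidden
// <input name="order_token"> inside frmOrder.
function issue_order_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['order_tokens'][$token] = null;   // null = issued, not yet used
    return $token;
}

// Call at the top of order.php. $saveOrder inserts the order and returns its id.
// Returns that id for the first POST and for any replay of it, or null when
// the token was never issued to this session.
function handle_order_post(array &$session, array $post, callable $saveOrder): ?int
{
    $token  = is_string($post['order_token'] ?? null) ? $post['order_token'] : '';
    $issued = $session['order_tokens'] ?? [];
    if ($token === '' || !array_key_exists($token, $issued)) {
        return null;                            // unknown token: reject
    }
    if ($issued[$token] === null) {
        // First submission: create the order exactly once and remember its id.
        $session['order_tokens'][$token] = $saveOrder($post);
    }
    // A repeat of the same POST (charset re-request, double click, reload)
    // ends up here and receives the id of the order that already exists.
    return $session['order_tokens'][$token];
}

// Constructed demonstration: the same POST arriving twice.
$session = [];
$orders  = [];
$save = function (array $post) use (&$orders): int {
    $orders[] = $post['EmailAddress'];
    return count($orders);
};
$post = ['EmailAddress' => 'buyer@example.test',
         'order_token'  => issue_order_token($session)];

$first  = handle_order_post($session, $post, $save);
$second = handle_order_post($session, $post, $save);   // browser re-request
printf("first=%d second=%d rows=%d\n", $first, $second, count($orders));
```

In order.php, pass `$_SESSION` (after `session_start()`) as `$session`. Sending `header('Content-Type: text/html; charset=iso-8859-1')` before any output addresses the re-request described in the bug report; the token covers the cases where a repeat still arrives.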
