Debbie-Leigh
February 12th, 2008, 05:44 PM
Hi,
I've written some javascript to stop right-clicking on the page that is displayed by my software as it is re-directing to a browser to a payment processor. However it seems to be having a weird side-effect. It took me days to narrow it down to this script, but it seems to be causing my order page form to be submitted twice when the Submit button is clicked.
I have been scratching my head over this for a very long while, but I still can't see how this code could possibly cause a form submission, but through a lot of trial and error testing, I've found that when this code is present, the form is submitted a second time, but when it's absent, the form is submitted only once.
The process that happens is that my order page is submitted to a PHP script, which adds the order to my database and sends the dopay.php page back to the browser. This page then forwards the browser to the payment processor's page. Sometimes, it may take a few seconds to get the processor's page, so I added the js script to stop opportunists from looking at the sensitive information in the form that is submitted on the page. Obviously, the determined can always use the others ways, but as the page is only displayed for a few seconds, if that, it's very rarely there long enough to be able to use the other methods.
However, when this script is present, I get two orders being added to my database and my test display messages show that it's because my order page php script has been triggered twice.
These are the pages involved:
The dopay.php page:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<SCRIPT><!--
//***************************************************************************
//* This work is the copyright and intellectual property of Deborah Figg. *
//* Reproduction by any means is strictly prohibited unless prior written *
//* permission is obtained from the copyright holder. *
//***************************************************************************
function funGetEvent(evt) {
// Return the appropriate event object
if (evt == null) {
return event;
} else {
return evt;
}
}
function funKeyPress(evt) {
var objEvt = funGetEvent(evt);
if (objEvt.which) {
var keyChar = String.fromCharCode(objEvt.which);
} else {
var keyChar = String.fromCharCode(objEvt.keyCode);
}
if (keyChar == 'U' || keyChar == 'u' || keyChar == 'R' || keyChar == 'r') {
alert('Page not available');
return false;
}
}
function funMouseDown(evt) {
if (navigator.userAgent.indexOf('Firefox') == -1) {
var objEvt = funGetEvent(evt);
if (objEvt.which) {
var button = objEvt.which;
} else {
var button = objEvt.button;
}
if (button > 1) {
alert('Page not available');
return false;
}
}
}
function funMouseClick(evt) {
var objEvt = funGetEvent(evt);
if (objEvt.which) {
var button = objEvt.which;
} else {
var button = objEvt.button;
}
if (button > 1) {
alert('Page not available');
return false;
}
}
if (document.captureEvents) {
if (Event.KEYPRESS) {
document.captureEvents(Event.KEYPRESS|Event.MOUSEDOWN|Event.CLICK);
} else {
document.captureEvents(1024|1|64);
}
}
document.onkeypress = funKeyPress;
document.onmousedown = funMouseDown;
document.onclick = funMouseClick;
--></SCRIPT>
</head>
<body onLoad="javascript:document.frmPay.submit()">
<form action="https://www.alertpay.com/payprocess.aspx" method="post" name="frmPay" id="frmPay">
<input name="ap_merchant" type="hidden" value="myid" />
<input name="ap_returnurl" type="hidden" value="myreturnpage" />
<input name="ap_cancelurl" type="hidden" value="mycancelpage" />
<input name="ap_description" type="hidden" value="My description." />
<input name="apc_1" type="hidden" value="myorderid" />
<input name="ap_currency" type="hidden" value="mycurrency" />
<input name="ap_purchasetype" type="hidden" value="item" />
<input name="ap_quantity" type="hidden" value="1" />
<input name="ap_itemname" type="hidden" value="My Product" />
<input name="ap_amount" type="hidden" value="37.00" />
<input name="ap_totalamount" type="hidden" value="37.00" />
</form>
</body>
</html>
As you can see, the form on this page goes to Alertpay, so how on earth can my own order page be submitted twice?
The order page form:
<form action="order.php" method="post" name="frmOrder" id="frmOrder">
<table width="80%" align="center" cellspacing="0" cellpadding="0">
<tr><td>
<fieldset class="ordfrm-fieldset"><legend class="ordfrm-legend">Enter Your Details</legend>
<table width="97%" align="center" cellspacing="3" cellpadding="3" class="ordfrm-text-norm">
<tr class="ordfrm-tbl-row ordfrm-tbl-row-even">
<td width="40%" class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>First Name:</td>
<td width="60%">
<input name="FirstName" id="FirstName" type="text" size="30" maxlength="50" title="Max length: 50" value="" tabindex="1" class="ordfrm-input" />
</td>
</tr>
<tr class="ordfrm-tbl-row ordfrm-tbl-row-odd">
<td class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>Last Name:</td>
<td>
<input name="LastName" id="LastName" type="text" size="30" maxlength="50" title="Max length: 50" value="" tabindex="1" class="ordfrm-input" />
</td>
</tr>
<tr class="ordfrm-tbl-row ordfrm-tbl-row-even">
<td class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>Email Address:</td>
<td>
<input name="EmailAddress" id="EmailAddress" type="text" size="30" maxlength="100" title="Max length: 100" value="" tabindex="1" class="ordfrm-input" />
</td>
</tr>
</table>
<table width="97%" align="center" cellspacing="3" cellpadding="3" class="ordfrm-text-norm">
<tr><td><img src="images/spacer.gif" width="1" height="1" /></td></tr>
<tr class="ordfrm-tbl-row ordfrm-tbl-row-odd">
<td align="center">
<input name="Submit" id="Submit" type="image" src="images/alertpay-sm-1.gif" title="Click here to order securely using **AlertPay**. It may take several moments, so please be patient." tabindex="1" valign="absmiddle" class="image-button" onclick="return funDisable(this, '', true, document.frmOrder)" />
</td>
</tr>
<tr><td align="center" class="ordfrm-text-small ordfrm-tbl-row-odd">
<img src="images/spacer.gif" width="1" height="5" /><br />
(It may take several moments to take you to our secure payment page, so please be patient. We always protect your privacy and never share your email address with anybody. Also, to ensure you receive our emails, we don't allow free email addresses e.g. yahoo, hotmail, msn.)
</td></tr></table>
</fieldset>
</td></tr></table>
</form>
funDisable disables the image button and submits the form. I've thoroughly tested this script with Firebug and it only ever does one submit.
The order page php script is far too big and complex to include here, but all it does with the dopay.php page is to echo it back to the browser. But anyway, I've eliminated it from the equation, as my testing has all pointed to the presence of the js script on the dopay.php page.
It's an obscure one, but does anyone have any suggestions as to how the js script could be causing the order page form to be submitted a second time? Or does anyone know of a better script to disable code viewing that I could possibly use?
Debbie
I've written some javascript to stop right-clicking on the page that is displayed by my software as it is re-directing to a browser to a payment processor. However it seems to be having a weird side-effect. It took me days to narrow it down to this script, but it seems to be causing my order page form to be submitted twice when the Submit button is clicked.
I have been scratching my head over this for a very long while, but I still can't see how this code could possibly cause a form submission, but through a lot of trial and error testing, I've found that when this code is present, the form is submitted a second time, but when it's absent, the form is submitted only once.
The process that happens is that my order page is submitted to a PHP script, which adds the order to my database and sends the dopay.php page back to the browser. This page then forwards the browser to the payment processor's page. Sometimes, it may take a few seconds to get the processor's page, so I added the js script to stop opportunists from looking at the sensitive information in the form that is submitted on the page. Obviously, the determined can always use the others ways, but as the page is only displayed for a few seconds, if that, it's very rarely there long enough to be able to use the other methods.
However, when this script is present, I get two orders being added to my database and my test display messages show that it's because my order page php script has been triggered twice.
These are the pages involved:
The dopay.php page:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<SCRIPT><!--
//***************************************************************************
//* This work is the copyright and intellectual property of Deborah Figg. *
//* Reproduction by any means is strictly prohibited unless prior written *
//* permission is obtained from the copyright holder. *
//***************************************************************************
function funGetEvent(evt) {
// Return the appropriate event object
if (evt == null) {
return event;
} else {
return evt;
}
}
function funKeyPress(evt) {
var objEvt = funGetEvent(evt);
if (objEvt.which) {
var keyChar = String.fromCharCode(objEvt.which);
} else {
var keyChar = String.fromCharCode(objEvt.keyCode);
}
if (keyChar == 'U' || keyChar == 'u' || keyChar == 'R' || keyChar == 'r') {
alert('Page not available');
return false;
}
}
function funMouseDown(evt) {
if (navigator.userAgent.indexOf('Firefox') == -1) {
var objEvt = funGetEvent(evt);
if (objEvt.which) {
var button = objEvt.which;
} else {
var button = objEvt.button;
}
if (button > 1) {
alert('Page not available');
return false;
}
}
}
function funMouseClick(evt) {
var objEvt = funGetEvent(evt);
if (objEvt.which) {
var button = objEvt.which;
} else {
var button = objEvt.button;
}
if (button > 1) {
alert('Page not available');
return false;
}
}
if (document.captureEvents) {
if (Event.KEYPRESS) {
document.captureEvents(Event.KEYPRESS|Event.MOUSEDOWN|Event.CLICK);
} else {
document.captureEvents(1024|1|64);
}
}
document.onkeypress = funKeyPress;
document.onmousedown = funMouseDown;
document.onclick = funMouseClick;
--></SCRIPT>
</head>
<body onLoad="javascript:document.frmPay.submit()">
<form action="https://www.alertpay.com/payprocess.aspx" method="post" name="frmPay" id="frmPay">
<input name="ap_merchant" type="hidden" value="myid" />
<input name="ap_returnurl" type="hidden" value="myreturnpage" />
<input name="ap_cancelurl" type="hidden" value="mycancelpage" />
<input name="ap_description" type="hidden" value="My description." />
<input name="apc_1" type="hidden" value="myorderid" />
<input name="ap_currency" type="hidden" value="mycurrency" />
<input name="ap_purchasetype" type="hidden" value="item" />
<input name="ap_quantity" type="hidden" value="1" />
<input name="ap_itemname" type="hidden" value="My Product" />
<input name="ap_amount" type="hidden" value="37.00" />
<input name="ap_totalamount" type="hidden" value="37.00" />
</form>
</body>
</html>
As you can see, the form on this page goes to Alertpay, so how on earth can my own order page be submitted twice?
The order page form:
<form action="order.php" method="post" name="frmOrder" id="frmOrder">
<table width="80%" align="center" cellspacing="0" cellpadding="0">
<tr><td>
<fieldset class="ordfrm-fieldset"><legend class="ordfrm-legend">Enter Your Details</legend>
<table width="97%" align="center" cellspacing="3" cellpadding="3" class="ordfrm-text-norm">
<tr class="ordfrm-tbl-row ordfrm-tbl-row-even">
<td width="40%" class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>First Name:</td>
<td width="60%">
<input name="FirstName" id="FirstName" type="text" size="30" maxlength="50" title="Max length: 50" value="" tabindex="1" class="ordfrm-input" />
</td>
</tr>
<tr class="ordfrm-tbl-row ordfrm-tbl-row-odd">
<td class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>Last Name:</td>
<td>
<input name="LastName" id="LastName" type="text" size="30" maxlength="50" title="Max length: 50" value="" tabindex="1" class="ordfrm-input" />
</td>
</tr>
<tr class="ordfrm-tbl-row ordfrm-tbl-row-even">
<td class="ordfrm-tbl-row-hdg"><span class="ordfrm-frm-rqd">* </span>Email Address:</td>
<td>
<input name="EmailAddress" id="EmailAddress" type="text" size="30" maxlength="100" title="Max length: 100" value="" tabindex="1" class="ordfrm-input" />
</td>
</tr>
</table>
<table width="97%" align="center" cellspacing="3" cellpadding="3" class="ordfrm-text-norm">
<tr><td><img src="images/spacer.gif" width="1" height="1" /></td></tr>
<tr class="ordfrm-tbl-row ordfrm-tbl-row-odd">
<td align="center">
<input name="Submit" id="Submit" type="image" src="images/alertpay-sm-1.gif" title="Click here to order securely using **AlertPay**. It may take several moments, so please be patient." tabindex="1" valign="absmiddle" class="image-button" onclick="return funDisable(this, '', true, document.frmOrder)" />
</td>
</tr>
<tr><td align="center" class="ordfrm-text-small ordfrm-tbl-row-odd">
<img src="images/spacer.gif" width="1" height="5" /><br />
(It may take several moments to take you to our secure payment page, so please be patient. We always protect your privacy and never share your email address with anybody. Also, to ensure you receive our emails, we don't allow free email addresses e.g. yahoo, hotmail, msn.)
</td></tr></table>
</fieldset>
</td></tr></table>
</form>
funDisable disables the image button and submits the form. I've thoroughly tested this script with Firebug and it only ever does one submit.
The order page php script is far too big and complex to include here, but all it does with the dopay.php page is to echo it back to the browser. But anyway, I've eliminated it from the equation, as my testing has all pointed to the presence of the js script on the dopay.php page.
It's an obscure one, but does anyone have any suggestions as to how the js script could be causing the order page form to be submitted a second time? Or does anyone know of a better script to disable code viewing that I could possibly use?
Debbie