11 Replies - 551 Views - Last Post: 12 December 2018 - 12:48 PM

#1 pfar54

  • D.I.C Addict
  • Reputation: 0
  • Posts: 502
  • Joined: 30-April 15

Why is a submission going through without hitting js submit/validation

Posted 05 December 2018 - 11:23 AM

Ever since a change was made to a send file, I am getting around 20 spam submissions a day on a form. Before the change there was never spam.

The subtle modifications to my send file are shown below. The change solely consisted of how I was getting the POST data. The commented line below was my original, and the non-commented line is what it is now.

$to_requester = Communication::mail_api($_POST, null, $template, 1, "{$_SERVER['DOCUMENT_ROOT']}/PDFs/{$pdf_downloaded}.pdf");
    //$to_requester = Communication::mail_api($_POST, null, $template, 1, "../PDFs/" . $file_mapping[$_POST['pdf_downloaded']] . ".pdf");


There are several parts to my form. The process goes in this order:

  • Submission to Salesforce
  • Information sent to my database (via ajax)
  • Notification emails are sent to the user and myself (via ajax)


The spam submissions that are occurring are only submitted to Salesforce. They never touch my send file (this includes the db submission and email notifications). The change I noted above is in the send file, so I have no idea why this would have any effect.

I have jQuery validation setup on the form itself.

The salesforce id and other information is held in a config file and called in the form file.

The submissions are entering salesforce like this:

(screenshot of the Salesforce lead entries; image not included)

The name/company fields are being filled with some sort of id/code. Again, the send file or database are not being reached with these submissions. The send file is reached with AJAX communicating in-between.

What could be causing these spam submissions? Is there anything I can do validation wise to make sure this spam is not submitted?

I can post a link to the site if needed.

Form

<form action="<?php echo $config['sf_url']; ?>" method="POST" id="pdfForm">
  <input type="hidden" name="oid" value="<?php echo $config['oid']; ?>">
  <input type="hidden" name="retURL" value="<?php echo $config['retUrl']; ?>">
  <input type="text" class="input block" id="first_name" maxlength="40" name="first_name" placeholder="First Name *">
  <input type="text" class="input block" id="last_name" maxlength="80" name="last_name" placeholder="Last Name *">
  <input type="email" class="input block" id="email" maxlength="80" name="email" placeholder="Email *">
  <input id="pdfButton" class="button" type="submit" value="Download File">
</form>


Config

<?php
// The form file reads the 'sf' entry ($config = getConfig('sf')); the send
// file reads 'db' and 'pdo'.
function getConfig($key)
{
    $db = [
        'username' => 'user',
        'pass' => 'password',
        'dbname' => 'db',
    ];

    $ar = [
        'db' => $db,
        'sf' => [
            'oid' => 'real id',
            'sf_url' => 'https://webto.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8',
            'retUrl' => 'https://example.com',
        ],
        'pdo' => new PDO("mysql:host=localhost;dbname={$db['dbname']}", $db['username'], $db['pass'])
    ];
    if (array_key_exists($key, $ar))
        return $ar[$key];
    return null; // unknown key
}


Send file:

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);
require 'classes/Communication.php';
require_once '../config.php';

if ($_SERVER['REQUEST_METHOD'] != 'POST')
    exit();

$file_mapping = [
    //Index
    'Linear Structure' => 'Belt_Driven_Linear_1_3D', //LM Index
    'Dynamic Structure' => 'Belt_Driven_Linear_5_3D', //LM MH Index

    //LM
    'Ball-Screw Application' => 'Belt_Driven_Linear_2_3D',
    'Belt-Driven Structure' => 'Belt_Driven_Linear_6_3D',
    'Linear Motion Enclosure' => 'Belt_Driven_Linear_7_3D'
];

// Read a field with a default so fields the form does not send (phone,
// company, ...) do not raise undefined-index notices under E_ALL.
function postField($key)
{
    return trim(htmlspecialchars($_POST[$key] ?? ''));
}

$first_name = postField('first_name');
$last_name = postField('last_name');
$email = postField('email');
$phone = postField('phone');
$company = postField('company');
$pdf_downloaded = postField('pdf_downloaded');
$page_name = postField('page_name'); // also lands in an HTML template, so escape it too
$hasError = false;

try {
    $config = getConfig('db');
    $sent = false;

    $con = getConfig('pdo');
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $consult_insert = "
        INSERT INTO pdf_submissions
        (first_name, last_name, email, phone, company, date, pdf_downloaded, page_source)
        VALUES(?,?,?,?,?,NOW(),?,?)
    ";
    $consult_stmt = $con->prepare($consult_insert);
    $consult_stmt->execute(array($first_name, $last_name, $email, $phone, $company, $pdf_downloaded, $page_name));

    // Only whitelisted keys get past here, which also keeps the attachment
    // path below limited to known file names.
    if (!array_key_exists($pdf_downloaded, $file_mapping)) {
        $date = new DateTime();
        $hasError = true;
        file_put_contents('error_log', "\n[{$date->format('Y-m-d H:i:s')}]" . "Error adding attachment: The file selected could not be found in the file mapping. {$pdf_downloaded}.", FILE_APPEND);
    }

} catch (PDOException $e) {
    // echo "Connection failed: " . $e->getMessage();
    file_put_contents('error_log', "\n[" . date('Y-m-d H:i:s') . "] Database error: " . $e->getMessage(), FILE_APPEND);
}

if ($hasError !== true) {

    /************************ Start to Requester ******************************/

    $placeholders = [
        '{first_name}',
        '{last_name}',
        '{phone}',
        '{company}',
        '{email}',
        '{pdf_downloaded}'
    ];

    $values = [
        htmlentities($_POST['first_name'] ?? ''),
        htmlentities($_POST['last_name'] ?? ''),
        htmlentities($_POST['phone'] ?? ''),
        htmlentities($_POST['company'] ?? ''),
        htmlentities($_POST['email'] ?? ''),
        htmlspecialchars($_POST['pdf_downloaded'] ?? ''),
    ];

    $template = str_replace($placeholders, $values, file_get_contents("templates/pdf_to_requester.html"));

    // Mail subject line goes here
    $_POST['subject'] = 'Subject';
    $_POST['h:Reply-To'] = '[email protected]';
    $to_requester = Communication::mail_api($_POST, null, $template, 1, "{$_SERVER['DOCUMENT_ROOT']}/PDFs/{$pdf_downloaded}.pdf");
    if (!$to_requester) {
        $msg = [
            'status_code' => 500,
            'status_message' => 'Email Failed to send.'
        ];
        echo json_encode($msg);
        exit(); // stop here so the caller does not get two JSON bodies in one response
    }
    /************************ End to Requester ******************************/
    /************************ Start to Domain ******************************/
    $placeholders = [
        '{first_name}',
        '{last_name}',
        '{email}',
        '{phone}',
        '{company}',
        '{file_requested}',
        '{page_name}'
    ];

    // Reuse the values sanitised at the top of the file; escaping them a
    // second time would double-encode characters such as '&'.
    $values = [
        $first_name,
        $last_name,
        $email,
        $phone,
        $company,
        $pdf_downloaded,
        $page_name,
    ];

    $template = str_replace($placeholders, $values, file_get_contents("templates/pdf_to_domain.html"));
    // Mail subject line goes here
    $_POST['subject'] = 'Subject';
    $_POST['h:Reply-To'] = '[email protected]';
    $_POST['sendTo'] = "[email protected]";
    $to_company = Communication::mail_api($_POST, null, $template, 0);
    /************************ End to Domain ******************************/

    if (!$to_company) {
        $msg = [
            'status_code' => 500,
            'status_message' => 'Email was not sent.'
        ];
    } else {
        $msg = [
            'status_code' => 200,
            'status_message' => 'Check your Email.'
        ];
    }
} else {
    // Unknown pdf_downloaded value: tell the caller instead of returning an empty body
    $msg = [
        'status_code' => 500,
        'status_message' => 'The requested file is not available.'
    ];
}
echo json_encode($msg);


JS:

$("form#pdfForm").submit(function (e) {
    // jQuery passes only the event object; `send` is the flag set by the
    // validation code that runs before this handler.
    console.log(send);
    if (!send) {
        console.log("Validation failed, blocking submit: " + send);
        return false; // also cancels the native submit to the form's action URL
    }
    var formData = new FormData(this);

    // Database insert and notification emails go through the send file;
    // the native submit to Salesforce continues after this handler returns.
    $.ajax({
        url: 'https://example.com/php',
        type: 'POST',
        data: formData,
        success: function (response) {
            $.LoadingOverlay("hide");
        },
        cache: false,
        contentType: false,
        processData: false
    });
});



Replies To: Why is a submission going through without hitting js submit/validation

#2 ArtificialSoldier

  • D.I.C Lover
  • Reputation: 2241
  • Posts: 6,792
  • Joined: 15-January 14


Posted 05 December 2018 - 12:01 PM

One thing you should assume is that your Javascript is not being executed. It's just submitting the form like a normal form, to the URL you have in the form.

One thing I've done in the past is to use common field names for hidden fields, and the real fields use random strings as names. When the form gets submitted, I check to see if the hidden fields with common names were sent and, if so, reject the submission.

#3 pfar54

Posted 05 December 2018 - 12:07 PM

Could you give me an example? Not quite sure if I am following.

The Javascript executes under normal circumstances. My thought was that these spam submissions had JS disabled.

#4 ArtificialSoldier

Posted 05 December 2018 - 12:33 PM

Quote

My thought was that these spam submissions had JS disabled.

It's pretty simple software: it parses the form to get things like the action URL and the field names, and it sends a request with the appropriate method to that URL with those field names. Javascript isn't part of that. Maybe some spam software actually has a browser engine to render the actual page, but that seems like overkill for most of it when it only needs a URL and the field names.

Quote

Could you give me an example? Not quite sure if I am following.

Have fields like this:

Email: <input type="hidden" name="email"><input type="text" name="djs83jd9">

Since "email" is hidden, if $_POST['email'] was submitted it's probably spam. The real email is in $_POST['djs83jd9'], and the spam software wouldn't know what to fill there based on the field name. You could also use regular text fields and use CSS or Javascript to hide them.
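The decoy-field check described in this post, as an added example that is not ArtificialSoldier's code: a server-side function written here in JavaScript (the same logic ports to the PHP send file) that rejects a submission when a hidden, recognisably named field arrives filled and maps the random field names back to the real ones. The name `djs83jd9` follows the post; the other random names and the sample submissions are constructed.

```javascript
// Added example, not code from the thread. Names in REAL_FIELDS are
// constructed; 'djs83jd9' follows the post's illustration. Hidden decoy
// inputs keep the recognisable names; the real inputs get the random ones.
// If decoys are CSS-hidden text inputs instead of type="hidden", give them
// autocomplete="off" and tabindex="-1" so browser autofill does not fill them.
var DECOY_NAMES = ['email', 'first_name', 'last_name'];
var REAL_FIELDS = { djs83jd9: 'email', q7hx2m4p: 'first_name', z3kd9w1r: 'last_name' };

function hasValue(post, key) {
    return Object.prototype.hasOwnProperty.call(post, key) && String(post[key]).trim() !== '';
}

// Server-side check over the posted fields. Software that fills inputs by
// name fills the decoys; a browser submits type="hidden" decoys empty, so a
// real user never trips them. Returns { reject, reason, fields }.
function checkSubmission(post) {
    var tripped = DECOY_NAMES.filter(function (name) { return hasValue(post, name); });
    if (tripped.length > 0) {
        return { reject: true, reason: 'decoy filled: ' + tripped.join(','), fields: null };
    }
    // Map the random names back to the canonical names the rest of the code uses.
    var fields = {}, missing = [];
    Object.keys(REAL_FIELDS).forEach(function (randomName) {
        var canonical = REAL_FIELDS[randomName];
        if (hasValue(post, randomName)) {
            fields[canonical] = String(post[randomName]).trim();
        } else {
            missing.push(canonical);
        }
    });
    if (missing.length > 0) {
        return { reject: true, reason: 'required fields missing: ' + missing.join(','), fields: null };
    }
    return { reject: false, reason: '', fields: fields };
}

// Constructed sample submissions (not real traffic).
var BOT_POST = { oid: 'x', email: 'bot@example.invalid', first_name: 'k9Ed', last_name: '', djs83jd9: '' };
var HUMAN_POST = { oid: 'x', email: '', first_name: '', last_name: '',
                   djs83jd9: ' jane@example.com ', q7hx2m4p: 'Jane', z3kd9w1r: 'Doe' };
```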

#5 pfar54

Posted 05 December 2018 - 12:39 PM

I'll give that a try if the following isn't possible.

There is an id within the form that is generated from SF that is unique to my account. It is stored in the config file and then output here:

<input type=hidden name="oid" value="<?php echo $config['oid']; ?>">



Is there a way to make this more "secure", so that the spam isn't able to get it through the DOM?

#6 ArtificialSoldier

Posted 05 December 2018 - 02:46 PM

You could add it to the ajax request or otherwise use Javascript to add it to the form prior to submitting.

#7 pfar54

Posted 06 December 2018 - 08:47 AM

So in all reality, do you think bots are hitting my site and reading the DOM and collecting the information? I have never had this happen, so I don't really understand it.

Based on your last response, I think I would add it via javascript because the Salesforce submission is not executed through the ajax itself; just the database entry/email notification is executed through it.

Would adding the id with javascript help though? Wouldn't the information still inevitably be there?

#8 ArtificialSoldier

Posted 06 December 2018 - 11:22 AM

It would if they execute the Javascript code. But yeah, if this is a value that you need to submit to the server then it has to be somewhere.

#9 pfar54

Posted 06 December 2018 - 11:29 AM

The value is submitted through the form post. It isn't being applied to what is sent in the javascript.

#10 pfar54

Posted 11 December 2018 - 07:14 AM

If I would add the 'id' in the JS code here:

$("form#pdfForm").submit(function (e) {
     //HERE
     console.log(send);
     if(!send)
     {
         console.log("Should never touch this " + send);
         return false;
     }
     // ... rest of the handler as posted above
});


Would the Salesforce id be added to the hidden field before it would submit? I'm unsure of the hierarchy of whether the html form or the javascript submit would take place first.

<input type=hidden name="oid" value="<?php echo $config['oid']; ?>">


#11 ArtificialSoldier

Posted 11 December 2018 - 10:54 AM

The Javascript code runs before the form gets submitted.
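Putting posts #6, #10 and #11 together, an added example (not pfar54's or ArtificialSoldier's code) of a submit handler that appends the `oid` hidden field only when the script actually runs, so the static markup no longer carries it. It assumes the page exposes the id to script as `window.SF_OID` (a name chosen here), that `send` is the flag set by the page's validation code as in the thread's handler, and that `https://example.com/php` is the send file's placeholder URL from the thread.

```javascript
// Added example, not code from the thread. Assumes window.SF_OID (chosen
// name) holds the Salesforce oid instead of a hidden input in the markup.
function ensureHiddenField(form, name, value) {
    // Works on a real HTMLFormElement; only querySelector, appendChild and
    // ownerDocument.createElement are used, so it is easy to unit-test.
    var input = form.querySelector('input[name="' + name + '"]');
    if (!input) {
        input = form.ownerDocument.createElement('input');
        input.type = 'hidden';
        input.name = name;
        form.appendChild(input);
    }
    input.value = value;
    return input;
}

function onPdfFormSubmit(e) {
    var form = this; // jQuery binds `this` to the form element
    if (typeof send === 'undefined' || !send) {
        e.preventDefault();   // validation failed: block the native submit too
        return false;
    }
    // jQuery runs this handler before the browser serialises the form, so a
    // field appended here is part of the native POST to the action URL.
    // A client that never executes script posts the form without the oid.
    ensureHiddenField(form, 'oid', window.SF_OID);

    var formData = new FormData(form);   // now includes oid as well
    jQuery.ajax({
        url: 'https://example.com/php',  // the send file (placeholder URL)
        type: 'POST',
        data: formData,
        cache: false,
        contentType: false,
        processData: false
    });
    // Returning nothing lets the native submit to the form's action continue.
}

if (typeof jQuery !== 'undefined') {
    jQuery('form#pdfForm').on('submit', onPdfFormSubmit);
}
```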

#12 pfar54

Posted 12 December 2018 - 12:48 PM

Alright, so I just tested this and it seems to be working, at least functionality-wise. The oid (Salesforce unique id) is not appearing in the DOM prior to form submission.

The last thing to check now is to see if bots find a way to attack. I will know by tomorrow.

Thanks
