I am going nuts trying to figure out why FormIt is still sending an email when I am trying to run a custom validation and the validation hits a ‘fail’ condition. Even after the snippet runs, the email is sent. I am still new to ModX, FormIt, Fred, etc… but have looked all over to no avail.
Example:
I created a simple form for a client but now getting #$%^ spamming. FormIt’s Recaptcha never works, math option is silly so I am trying to validate on a session variable to determine if the person is submitting from the page form or not. Disclosure: I am not a hacker so I am not 100% sure how the idiots who are spamming the form are doing it but assumed this would work as the session needs to be set and validated on the page load. I have used this method many times on regular forms on sites (not ModX/FormIt). I like FormIt as it can easily store the contact form data for my client without having to write all this manually.
- I have a one page, simple website.
- I do not redirect to a new page to actually submit. Just the generic FormIt POST and email send process.
- I use a snippet to set the session variable right as the page loads. [[burninglog]]
- If I submit the form as a ‘human’ using the form on the page, everything works fine. I also validated that the session value is being set and validated.
<?php session_start(); // Set a 'burning log' in that the user must come to this page first and cannot go directly to the // newsletter processing page. Prevents spambots and form harvesters from trying to force a form // submission directly from the processing page. $_SESSION['burning_log'] = "myvalue";
On the FormIt contact form, I declare my snippet called aspamhook. All works fine and the snippet gets called on submission.
[[!FormIt? &hooks=`spam, email, redirect, FormItSaveForm, aspamhook`
Next, the aspamhook snippet runs and I intentionally try to not match the known session value. And the logic does direct to the ‘false’ else condition.
<?php //$modx->log(xPDO::LOG_LEVEL_ERROR,'Testing snippet hook.'); $MyBurningLog = $_SESSION['burning_log']; if ($MyBurningLog == "notmyvalue") { //echo "Session found."; $modx->log(xPDO::LOG_LEVEL_INFO, $_SESSION[$MyBurningLog]); return true; //<-- if you omit this or return false, your form won't validate } else { //die("No user session found. Possible spambot form submission. <a href='/index.php'>Return to homepage.</a>"); $modx->log(xPDO::LOG_LEVEL_INFO, $_SESSION['burning_log']); $modx->log(xPDO::LOG_LEVEL_INFO, $MyBurningLog); header("Location: /form-error-page.html"); return false; }
As you can see, I tried writing to the logs just for sanity but that does not write anything. So, I do get the proper redirect to the form-error-page.html page just fine. But the $%^& email still gets sent!! I do realize that if I put the return false ahead of the redirect that the redirect would not fire. And that any commands after the redirect will not fire either.
One of the big issues is that the form fields are at the bottom of my client’s one page site. So any failure conditions return the user to the top of the page and they do not see any of the errors messages I could throw on the fields themselves.
What obvious thing am I missing to not have the email sent on a validation failure?!?! Thanks in advance.
