I've ran into a little problem.
我遇到了一个小问题。
I have a form which submits data to a database. All has worked perfectly until today discovered a little bug which I can not get my head around.
我有一个表单,它将数据提交到数据库。一切都运行良好,直到今天发现了一个我无法理解的小虫子。
If I input the word "and" followed by a numeric character (EG: "and 10") I get a 403 forbidden error saying
如果我输入单词“and”后跟一个数字字符(EG:“和10”),我会收到403禁止错误说
You don't have permission to access /index.php on this server.
您无权访问此服务器上的/index.php。
Additionally, a 403 Forbidden error was encountered while trying to use an >ErrorDocument to handle the request.
此外,尝试使用> ErrorDocument处理请求时遇到403 Forbidden错误。
I have cleaning on the form inputs, this is the function for cleaning
我在表格输入上清洁,这是清洁功能
function make_safe($variable) {
$variable = mysql_real_escape_string(trim($variable));
return $variable;
}
I've tried it with and without the cleaning. Anyone any ideas on what may cause this error? I can't actually get anything from the error log because nothing is being put in there..
我已经尝试过,有没有清洁。任何有关可能导致此错误的想法?我实际上无法从错误日志中获取任何内容,因为没有任何内容放在那里。
Edit: Full code below (Please note this is a very old project which has worked for years and this bug has only just been found!)
编辑:下面的完整代码(请注意这是一个非常古老的项目已经工作了多年,这个bug刚刚被发现!)
<?php
checksecurity(ABSENCE_ADD);
if(isset($_POST['submit'])) {
$todate = make_safe($_POST['dateto']);
$fromdate = make_safe($_POST['datefrom']);
$reason = make_safe($_POST['reason']);
$comments = make_safe($_POST['comments']);
$date1 = str_replace("/","-",$fromdate);
$newDate1 = date("Y-m-d", strtotime($date1));
$date2 = str_replace("/","-",$todate);
$newDate2 = date("Y-m-d", strtotime($date2));
$username = $_SESSION['username'];
$query_user = mysql_query("SELECT * FROM users WHERE username='{$_SESSION['username']}'");
while($row = mysql_fetch_array($query_user)) {
$userid = $row['id'];
if(empty($todate) || empty($fromdate) || empty($reason)) {
echo' You left out a field';
} else {
$query = "INSERT INTO `absences` (`id`, `fromdate`, `todate`, `reason`, `comments`, `username`, `userid` ) VALUES (NULL, '" . $newDate1 . "', '" . $newDate2 . "', '" . $reason . "', '" . $comments . "', '" . $username . "', '" . $userid . "')";
$hello = mysql_query($query) or die(mysql_error());
print $query;
}
}
} else {
?>
<form id="form" name="form" method="post" action="#">
<table width="820" border="0" cellspacing="0" cellpadding="0" class="content">
<thead>
<tr>
<th width="820" colspan="4"><strong>Request Absence</strong></th>
</tr>
</thead>
<tr>
<td>From (dd/mm/yyyy)</td>
<td><input name="datefrom" class="tcal"/></td>
<td>To (dd/mm/yyyy)</td>
<td><input name="dateto" class="tcal" /></td>
</tr>
<tr>
<td>Reason</td>
<td><select name="reason">
<option value="Illness/Injury">Illness/Injury</option>
<option value="Holiday">Holiday</option>
<option value="Family Engagement">Family Engagement</option>
<option value="School or College Commitment">School or College Commitment</option>
<option value="Employment Commitment">Employment Commitment</option>
<option value="Other">Other</option>
</select> </td>
<td>Comments</td>
<td><input name="comments" type="text" /></td>
</tr>
</table><br />
<input type="submit" name="submit" value="Add" /> <input type="reset" name="reset" value="Reset" />
</form>
<?
}
?>
1 个解决方案
#1
0
Does your code ever emit this error message? It has exactly the same wording as the default error message returned by Apache. I suspect you are seeing an Apache error message here - in which case, the request is never getting as far as your PHP code. If that is the case, then the question is off-topic here.
您的代码是否会发出此错误消息?它与Apache返回的默认错误消息具有完全相同的措辞。我怀疑你在这里看到一条Apache错误消息 - 在这种情况下,请求永远不会像你的PHP代码那样。如果是这种情况,那么问题就在这里。
The most likely cause is that you have a very overzealous WAF (mod_security?) configured which is mistaking your request for an SQL injection attack.
最可能的原因是你配置了一个非常过分热心的WAF(mod_security?),这会误认你的SQL注入攻击请求。
#1
0
Does your code ever emit this error message? It has exactly the same wording as the default error message returned by Apache. I suspect you are seeing an Apache error message here - in which case, the request is never getting as far as your PHP code. If that is the case, then the question is off-topic here.
您的代码是否会发出此错误消息?它与Apache返回的默认错误消息具有完全相同的措辞。我怀疑你在这里看到一条Apache错误消息 - 在这种情况下,请求永远不会像你的PHP代码那样。如果是这种情况,那么问题就在这里。
The most likely cause is that you have a very overzealous WAF (mod_security?) configured which is mistaking your request for an SQL injection attack.
最可能的原因是你配置了一个非常过分热心的WAF(mod_security?),这会误认你的SQL注入攻击请求。