I've ran into a little problem.

我遇到了一个小问题。

I have a form which submits data to a database. All has worked perfectly until today discovered a little bug which I can not get my head around.

我有一个表单，它将数据提交到数据库。一切都运行良好，直到今天发现了一个我无法理解的小虫子。

If I input the word "and" followed by a numeric character (EG: "and 10") I get a 403 forbidden error saying

如果我输入单词“and”后跟一个数字字符（EG：“和10”），我会收到403禁止错误说

You don't have permission to access /index.php on this server.

您无权访问此服务器上的/index.php。

Additionally, a 403 Forbidden error was encountered while trying to use an >ErrorDocument to handle the request.

此外，尝试使用> ErrorDocument处理请求时遇到403 Forbidden错误。

I have cleaning on the form inputs, this is the function for cleaning

我在表格输入上清洁，这是清洁功能

function make_safe($variable) {
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}

I've tried it with and without the cleaning. Anyone any ideas on what may cause this error? I can't actually get anything from the error log because nothing is being put in there..

我已经尝试过，有没有清洁。任何有关可能导致此错误的想法？我实际上无法从错误日志中获取任何内容，因为没有任何内容放在那里。

Edit: Full code below (Please note this is a very old project which has worked for years and this bug has only just been found!)

编辑：下面的完整代码（请注意这是一个非常古老的项目已经工作了多年，这个bug刚刚被发现！）

<?php
checksecurity(ABSENCE_ADD);

if(isset($_POST['submit'])) {
$todate = make_safe($_POST['dateto']);
$fromdate = make_safe($_POST['datefrom']);
$reason = make_safe($_POST['reason']);
$comments = make_safe($_POST['comments']);
$date1 = str_replace("/","-",$fromdate);
$newDate1 = date("Y-m-d", strtotime($date1));
$date2 = str_replace("/","-",$todate);
$newDate2 = date("Y-m-d", strtotime($date2));
$username = $_SESSION['username'];
$query_user = mysql_query("SELECT * FROM users WHERE username='{$_SESSION['username']}'");
while($row = mysql_fetch_array($query_user)) {
$userid = $row['id'];
if(empty($todate) || empty($fromdate) || empty($reason)) {
    echo' You left out a field';
} else {
$query = "INSERT INTO `absences` (`id`, `fromdate`, `todate`, `reason`, `comments`, `username`, `userid` ) VALUES (NULL, '" . $newDate1 . "', '" . $newDate2 . "', '" . $reason . "', '" . $comments . "', '" . $username . "', '" . $userid . "')";
$hello = mysql_query($query) or die(mysql_error());
print $query;
                        } 

}                       
} else {
?>
<form id="form" name="form" method="post" action="#">
<table width="820" border="0" cellspacing="0" cellpadding="0" class="content">
  <thead>
<tr>
    <th width="820" colspan="4"><strong>Request Absence</strong></th>
  </tr>
</thead>
<tr>
<td>From (dd/mm/yyyy)</td>
<td><input name="datefrom" class="tcal"/></td>
<td>To (dd/mm/yyyy)</td>
<td><input name="dateto" class="tcal" /></td>
</tr>
<tr>
<td>Reason</td>
<td><select name="reason"> 
    <option value="Illness/Injury">Illness/Injury</option>  
    <option value="Holiday">Holiday</option>
    <option value="Family Engagement">Family Engagement</option>
    <option value="School or College Commitment">School or College Commitment</option>
<option value="Employment Commitment">Employment Commitment</option>
<option value="Other">Other</option>
</select> </td>
<td>Comments</td>
<td><input name="comments" type="text" /></td>
</tr>
</table><br />
<input type="submit" name="submit" value="Add" /> <input type="reset" name="reset" value="Reset" /> 
</form>
<?
}


?>

1 个解决方案

#1

---