Forbidden错误当提交简单的PHP表单 [英] Forbidden Error When Submitting Simple PHP Form

问题描述

我有一个不复杂的问题......这似乎是更复杂的比它应该是。

I have a non complicated issue......that seems to be more complicated than it should be.

我有一个用于将内容添加到网站的简单形式。某些字段必须的HTML输入到它们。但是，当您输入某些HTML元素融入到形式的不同部位，它决定了它恨你，并抛出一个禁止403错误。这是下面的表格：

I have a simple form that is used to add content to a website. Some of the fields need to have html inputted into them. However, when you input certain html elements into the different parts of the form, it decides that it hates you and throws a forbidden 403 error. Here is the form below:

<?php
    $data = f("SELECT * FROM table WHERE id = '{$_GET['id']}'");
?>
<form action="<?=$_SERVER['PHP_SELF']?>?id=<?=$_GET['id']?>&action=edit" method="post">
    <table cellspacing="0" cellpadding="2" border="0">
        <tr>
            <td><b>Title:</b></td>
            <td><input type="text" name="title" style="width: 300px;" value="<?=$data['title']?>" /></td>
        </tr>
        <tr>
            <td><b>URL:</b></td>
            <td><input type="text" name="url" style="width: 300px;" value="<?=$data['url']?>" /></td>
        </tr>
        <tr>
            <td><b>Sub-Category:</b></td>
            <td>
                <select name="subCategoryId">
                    <option value=""></option>
                    <option value="1">A</option>
                    <option value="2">B</option>

                </select>
            </td>
        </tr>
        <tr>
            <td><b>Short Description:</b></td>
            <td><textarea name="shortDescription" rows="6" cols="60"><?=$data['shortDescription']?></textarea></td>
        </tr>
        <tr>
            <td><b>Template:</b></td>
            <td><textarea name="template" rows="6" cols="60"><?=$data['template']?></textarea></td>
        </tr>
        <tr>
            <td><b>Ads:</b></td>
            <td><textarea name="ads" rows="6" cols="60"><?=$data['ads']?></textarea></td>
        </tr>
        <tr>
            <td><b>Keywords:</b></td>
            <td><textarea name="keywords" rows="6" cols="60"><?=$data['keywords']?></textarea></td>
        </tr>
        <tr>
            <td><b>Questions:</b></td>
            <td><textarea name="questions" rows="6" cols="60"><?=$data['questions']?></textarea></td>
        </tr>
        <tr>
            <td><b>Salary:</b></td>
            <td><textarea name="salary" rows="6" cols="60"><?=$data['salary']?></textarea></td>
        </tr>
        <tr>
            <td><b>Jobs:</b></td>
            <td><textarea name="jobs" rows="6" cols="60"><?=$data['jobs']?></textarea></td>
        </tr>
        <tr>
            <td><b>Meta Description:</b></td>
            <td><input type="text" name="metaDescription" style="width: 300px;" value="<?=$data['metaDescription']?>" /></td>
        </tr>
        <tr>
            <td><b>Meta Keywords:</b></td>
            <td><input type="text" name="metaKeywords" style="width: 300px;" value="<?=$data['metaKeywords']?>" /></td>
        </tr>
        <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="submit" value="Edit Job" /></td>
        </tr>
    </table>
</form>

我有其他形式遵循同样的模式，没有任何麻烦。为了进一步使这更混乱，只会当任何2 HTML元素在文本区域供给抛出这个错误（它处理一个HTML元素就好了）。文本区是广告，关键字，薪水和就业机会。其他的文本区域将采取它就好了，但是这4个不会。如果我可以让这个更有点混乱，如果我在这些领域的文字简单的输入并保存它，它运行不会有问题。

I have other forms that follow this same pattern without any trouble. To further make this even more confusing, it will only throw this error when any 2 html elements are supplied in the text area (it handles one html element just fine). The text areas are ads, keywords, salaries, and jobs. The other text areas will take it just fine, but these 4 won't. If I can make this one more bit confusing, if I simple enter in text in those fields and save it, it runs without a problem.

要处理的数据后，我只用mysql_real_escape_string（）来处理数据，我不要做一个用strip_tags（），因为我需要的HTML在那里。

To handle the post data, I only use mysql_real_escape_string() to handle the data, I don't do a strip_tags() as I need the html in there.

这是一个奇怪的Apache的错误，可以固定的.htaccess？有没有在PHP模块是相互矛盾的这个吗？

Is this a weird apache error that can be fixed with .htaccess? Is there a module in PHP that is conflicting with this?

-------编辑在这里是答案--------

-------EDIT HERE IS THE ANSWER--------

本带来了一个梦幻般的答案，也可能是问题，我无法修复，因为缺乏特权吧。所以，我创建了一个onsubmit事件从一个想法，戈给了我，并写了下面的JavaScript。

Ben brought up a fantastic answer that is probably the problem and I cannot fix it because of a lack of privileges. So I created an onsubmit event from an idea that Gerben gave me and wrote the following javascript.

function awesome() {
        elements = document.forms[0].elements;
        for(var i = 0; i < elements.length; i++) {
            switch(elements[i].name) {
                case "ads":
                case "shortDescription":
                case "template":
                case "questions":
                case "salary":
                case "jobs":
                    str = elements[i].value;
                    elements[i].value = str.replace(/</g,"#@!");
                    break;
            }
        }
        return true;    
    }

然后在接收端，我做了一个str_replace函数来代替＃@！回与＆lt;并且至少所作的事工作

Then on the receiving end, I did a str_replace to replace #@! back to a < and that at least made the thing work.

我在马.... hyaa！

I'm on a horse....hyaa!

感谢您的帮助。 ：）

推荐答案

既然你能发布，你的后处理显然是非常简单的，因此不太可能抛出403错误或重定向到禁止目录，我要大胆地说，你正在运行一个apache级别的防火墙猜测。有一个在你的Apache配置文件，并查看如果你正在运行的mod_security或任何其他防火墙模块加载。有多种方式的mod_security可以被配置，包括扫描POST数据为html内容，并相应地进行反应。如果它被配置为prevent HTML注入，这可能是你的问题（见的配置细节在这里：的http://www.modsecurity.org/projects/modsecurity/apache/feature_content_injection.html).

Given that you're able to post, and that your post-handling is apparently extremely simple and so unlikely to be throwing 403 errors or redirecting to forbidden directories, I'm going to hazard a guess that you're running an apache-level firewall. Have a look at your apache config files, and check to see if you're running mod_security or any other firewall module loaded. There are a number of ways mod_security can be configured, including scanning POST data for html content and reacting accordingly. If it is configured to prevent html injection, this may be your issue (see configuration details here: http://www.modsecurity.org/projects/modsecurity/apache/feature_content_injection.html).

要测试此，尝试添加一个htaccess文件到您的Web根目录（假设你允许覆盖与htaccess的apache的设置），并设置：

To test this, try adding an htaccess file into your web root (assuming you're allowed to override apache settings with htaccess) and setting:

SecFilterEngine Off

重启apache，然后看它是否仍然发生。

Restart apache and then see if it's still happening.

如果这是一个共享的主机，或你，否则不必修改Apache的设置的功能，可以使用JavaScript代码的的base64恩codeS提交（onsubmit的）前的所有数据，然后base64_de code（$ _ POST [关键]）在处理它的PHP脚本。

If this is a shared host, or you otherwise don't have the ability to modify apache settings, you can try a workaround using javascript that base64 encodes all the data before submitting (onsubmit), and then base64_decode($_POST[key]) in the php script that processes it.

这篇关于Forbidden错误当提交简单的PHP表单的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！