提交简单的 PHP 表单时出现禁止错误 [英] Forbidden Error When Submitting Simple PHP Form

问题描述

我有一个不复杂的问题......似乎比它应该的更复杂.

I have a non complicated issue......that seems to be more complicated than it should be.

我有一个简单的表单，用于向网站添加内容.某些字段需要输入 html.但是，当您将某些 html 元素输入表单的不同部分时，它会认为它讨厌您并抛出禁止的 403 错误.表格如下:

I have a simple form that is used to add content to a website. Some of the fields need to have html inputted into them. However, when you input certain html elements into the different parts of the form, it decides that it hates you and throws a forbidden 403 error. Here is the form below:

<?php
    $data = f("SELECT * FROM table WHERE id = '{$_GET['id']}'");
?>
<form action="<?=$_SERVER['PHP_SELF']?>?id=<?=$_GET['id']?>&action=edit" method="post">
    <table cellspacing="0" cellpadding="2" border="0">
        <tr>
            <td><b>Title:</b></td>
            <td><input type="text" name="title" style="width: 300px;" value="<?=$data['title']?>" /></td>
        </tr>
        <tr>
            <td><b>URL:</b></td>
            <td><input type="text" name="url" style="width: 300px;" value="<?=$data['url']?>" /></td>
        </tr>
        <tr>
            <td><b>Sub-Category:</b></td>
            <td>
                <select name="subCategoryId">
                    <option value=""></option>
                    <option value="1">A</option>
                    <option value="2">B</option>

                </select>
            </td>
        </tr>
        <tr>
            <td><b>Short Description:</b></td>
            <td><textarea name="shortDescription" rows="6" cols="60"><?=$data['shortDescription']?></textarea></td>
        </tr>
        <tr>
            <td><b>Template:</b></td>
            <td><textarea name="template" rows="6" cols="60"><?=$data['template']?></textarea></td>
        </tr>
        <tr>
            <td><b>Ads:</b></td>
            <td><textarea name="ads" rows="6" cols="60"><?=$data['ads']?></textarea></td>
        </tr>
        <tr>
            <td><b>Keywords:</b></td>
            <td><textarea name="keywords" rows="6" cols="60"><?=$data['keywords']?></textarea></td>
        </tr>
        <tr>
            <td><b>Questions:</b></td>
            <td><textarea name="questions" rows="6" cols="60"><?=$data['questions']?></textarea></td>
        </tr>
        <tr>
            <td><b>Salary:</b></td>
            <td><textarea name="salary" rows="6" cols="60"><?=$data['salary']?></textarea></td>
        </tr>
        <tr>
            <td><b>Jobs:</b></td>
            <td><textarea name="jobs" rows="6" cols="60"><?=$data['jobs']?></textarea></td>
        </tr>
        <tr>
            <td><b>Meta Description:</b></td>
            <td><input type="text" name="metaDescription" style="width: 300px;" value="<?=$data['metaDescription']?>" /></td>
        </tr>
        <tr>
            <td><b>Meta Keywords:</b></td>
            <td><input type="text" name="metaKeywords" style="width: 300px;" value="<?=$data['metaKeywords']?>" /></td>
        </tr>
        <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="submit" value="Edit Job" /></td>
        </tr>
    </table>
</form>

我有其他形式也遵循相同的模式，没有任何问题.为了进一步使这更加混乱，它只会在文本区域中提供任何 2 个 html 元素时抛出此错误(它可以很好地处理一个 html 元素).文本区域是广告、关键字、工资和工作.其他文本区域会很好，但这 4 个不会.如果我能让这更令人困惑，如果我简单地在这些字段中输入文本并保存它，它就可以毫无问题地运行.

I have other forms that follow this same pattern without any trouble. To further make this even more confusing, it will only throw this error when any 2 html elements are supplied in the text area (it handles one html element just fine). The text areas are ads, keywords, salaries, and jobs. The other text areas will take it just fine, but these 4 won't. If I can make this one more bit confusing, if I simple enter in text in those fields and save it, it runs without a problem.

为了处理post数据，我只使用mysql_real_escape_string()来处理数据，我没有做strip_tags()，因为我需要那里的html.

To handle the post data, I only use mysql_real_escape_string() to handle the data, I don't do a strip_tags() as I need the html in there.

这是一个可以用 .htaccess 修复的奇怪的 apache 错误吗?PHP 中是否有与此冲突的模块?

Is this a weird apache error that can be fixed with .htaccess? Is there a module in PHP that is conflicting with this?

-------编辑这里是答案--------

-------EDIT HERE IS THE ANSWER--------

Ben 提出了一个很棒的答案，这可能是问题所在，由于缺乏特权，我无法修复它.所以我根据 Gerben 给我的想法创建了一个 onsubmit 事件并编写了以下 javascript.

Ben brought up a fantastic answer that is probably the problem and I cannot fix it because of a lack of privileges. So I created an onsubmit event from an idea that Gerben gave me and wrote the following javascript.

function awesome() {
        elements = document.forms[0].elements;
        for(var i = 0; i < elements.length; i++) {
            switch(elements[i].name) {
                case "ads":
                case "shortDescription":
                case "template":
                case "questions":
                case "salary":
                case "jobs":
                    str = elements[i].value;
                    elements[i].value = str.replace(/</g,"#@!");
                    break;
            }
        }
        return true;    
    }

然后在接收端，我做了一个str_replace来替换#@！回到一个 <这至少使事情奏效了.

Then on the receiving end, I did a str_replace to replace #@! back to a < and that at least made the thing work.

我在骑马....hyaa！

I'm on a horse....hyaa!

感谢您的帮助.:)

推荐答案

鉴于您能够发帖，并且您的发帖处理显然非常简单，因此不太可能抛出 403 错误或重定向到禁止的目录，我将冒险猜测您正在运行 apache 级别的防火墙.查看您的 apache 配置文件，并检查您是否正在运行 mod_security 或任何其他加载的防火墙模块.可以通过多种方式配置 mod_security，包括扫描 POST 数据以获取 html 内容并做出相应的反应.如果它配置为防止 html 注入，这可能是您的问题(请参阅此处的配置详细信息:http://www.modsecurity.org/projects/modsecurity/apache/feature_content_injection.html).

Given that you're able to post, and that your post-handling is apparently extremely simple and so unlikely to be throwing 403 errors or redirecting to forbidden directories, I'm going to hazard a guess that you're running an apache-level firewall. Have a look at your apache config files, and check to see if you're running mod_security or any other firewall module loaded. There are a number of ways mod_security can be configured, including scanning POST data for html content and reacting accordingly. If it is configured to prevent html injection, this may be your issue (see configuration details here: http://www.modsecurity.org/projects/modsecurity/apache/feature_content_injection.html).

要对此进行测试，请尝试将 htaccess 文件添加到您的 Web 根目录中(假设您可以使用 htaccess 覆盖 apache 设置)并设置:

To test this, try adding an htaccess file into your web root (assuming you're allowed to override apache settings with htaccess) and setting:

SecFilterEngine Off

重启apache，然后看看它是否仍然发生.

Restart apache and then see if it's still happening.

如果这是共享主机，或者您无法修改 apache 设置，您可以尝试使用 base64 在提交(onsubmit)之前对所有数据进行编码，然后在处理它的 php 脚本中使用 base64_decode($_POST[key]).

If this is a shared host, or you otherwise don't have the ability to modify apache settings, you can try a workaround using javascript that base64 encodes all the data before submitting (onsubmit), and then base64_decode($_POST[key]) in the php script that processes it.

这篇关于提交简单的 PHP 表单时出现禁止错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！