Forbidden error when submitting a simple PHP form

Posted 2024-12-26 05:50:22 · 4761 characters · 1 view · 0 comments

I have a non complicated issue......that seems to be more complicated than it should be.

I have a simple form that is used to add content to a website. Some of the fields need to have html inputted into them. However, when you input certain html elements into the different parts of the form, it decides that it hates you and throws a forbidden 403 error. Here is the form below:

<?php
    // Escape values for HTML output so stored markup cannot break out of the form fields
    function e($v) { return htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); }
    // Assumes numeric ids; the cast keeps request input out of the SQL string
    $id = (int) $_GET['id'];
    $data = f("SELECT * FROM table WHERE id = '{$id}'");
?>
<form action="<?=e($_SERVER['PHP_SELF'])?>?id=<?=$id?>&amp;action=edit" method="post">
    <table cellspacing="0" cellpadding="2" border="0">
        <tr>
            <td><b>Title:</b></td>
            <td><input type="text" name="title" style="width: 300px;" value="<?=e($data['title'])?>" /></td>
        </tr>
        <tr>
            <td><b>URL:</b></td>
            <td><input type="text" name="url" style="width: 300px;" value="<?=e($data['url'])?>" /></td>
        </tr>
        <tr>
            <td><b>Sub-Category:</b></td>
            <td>
                <select name="subCategoryId">
                    <option value=""></option>
                    <option value="1">A</option>
                    <option value="2">B</option>

                </select>
            </td>
        </tr>
        <tr>
            <td><b>Short Description:</b></td>
            <td><textarea name="shortDescription" rows="6" cols="60"><?=e($data['shortDescription'])?></textarea></td>
        </tr>
        <tr>
            <td><b>Template:</b></td>
            <td><textarea name="template" rows="6" cols="60"><?=e($data['template'])?></textarea></td>
        </tr>
        <tr>
            <td><b>Ads:</b></td>
            <td><textarea name="ads" rows="6" cols="60"><?=e($data['ads'])?></textarea></td>
        </tr>
        <tr>
            <td><b>Keywords:</b></td>
            <td><textarea name="keywords" rows="6" cols="60"><?=e($data['keywords'])?></textarea></td>
        </tr>
        <tr>
            <td><b>Questions:</b></td>
            <td><textarea name="questions" rows="6" cols="60"><?=e($data['questions'])?></textarea></td>
        </tr>
        <tr>
            <td><b>Salary:</b></td>
            <td><textarea name="salary" rows="6" cols="60"><?=e($data['salary'])?></textarea></td>
        </tr>
        <tr>
            <td><b>Jobs:</b></td>
            <td><textarea name="jobs" rows="6" cols="60"><?=e($data['jobs'])?></textarea></td>
        </tr>
        <tr>
            <td><b>Meta Description:</b></td>
            <td><input type="text" name="metaDescription" style="width: 300px;" value="<?=e($data['metaDescription'])?>" /></td>
        </tr>
        <tr>
            <td><b>Meta Keywords:</b></td>
            <td><input type="text" name="metaKeywords" style="width: 300px;" value="<?=e($data['metaKeywords'])?>" /></td>
        </tr>
        <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="submit" value="Edit Job" /></td>
        </tr>
    </table>
</form>

I have other forms that follow this same pattern without any trouble. To further make this even more confusing, it will only throw this error when any 2 html elements are supplied in the text area (it handles one html element just fine). The text areas are ads, keywords, salaries, and jobs. The other text areas will take it just fine, but these 4 won't. If I can make this one more bit confusing, if I simply enter in text in those fields and save it, it runs without a problem.

To handle the post data, I only use mysql_real_escape_string() to handle the data, I don't do a strip_tags() as I need the html in there.

Is this a weird apache error that can be fixed with .htaccess? Is there a module in PHP that is conflicting with this?

-------EDIT HERE IS THE ANSWER--------

Ben brought up a fantastic answer that is probably the problem and I cannot fix it because of a lack of privileges. So I created an onsubmit event from an idea that Gerben gave me and wrote the following javascript.

function awesome() {
    var elements = document.forms[0].elements;
    for (var i = 0; i < elements.length; i++) {
        switch (elements[i].name) {
            // Fields that carry HTML
            case "ads":
            case "shortDescription":
            case "template":
            case "questions":
            case "salary":
            case "jobs":
                // Swap "<" for a placeholder before the form is posted
                var str = elements[i].value;
                elements[i].value = str.replace(/</g, "#@!");
                break;
        }
    }
    return true;
}

Then on the receiving end, I did a str_replace to replace #@! back to a < and that at least made the thing work.

I'm on a horse....hyaa!

Thanks for all your help. :)

Comments (7)

青衫儰鉨ミ守葔 2025-01-02 05:50:22

Given that you're able to post, and that your post-handling is apparently extremely simple and so unlikely to be throwing 403 errors or redirecting to forbidden directories, I'm going to hazard a guess that you're running an apache-level firewall. Have a look at your apache config files, and check to see if you're running mod_security or any other firewall module loaded. There are a number of ways mod_security can be configured, including scanning POST data for html content and reacting accordingly. If it is configured to prevent html injection, this may be your issue (see configuration details here: http://www.modsecurity.org/projects/modsecurity/apache/feature_content_injection.html).

To test this, try adding an htaccess file into your web root (assuming you're allowed to override apache settings with htaccess) and setting:

SecFilterEngine Off

Restart apache and then see if it's still happening.

If this is a shared host, or you otherwise don't have the ability to modify apache settings, you can try a workaround using javascript that base64 encodes all the data before submitting (onsubmit), and then base64_decode($_POST[key]) in the php script that processes it.
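To confirm which rule and which form field is being rejected before switching anything off, the denied requests can be pulled from the Apache error log. The following is an added example, not code from the thread; it assumes ModSecurity 2.x-style error-log entries, and the log lines, rule ids, host and paths in it are constructed.

```python
import re
from collections import Counter

# Constructed ModSecurity 2.x-style error-log lines (rule ids, paths and hosts are made up).
SAMPLE_LOG = """\
[Thu Jan 02 05:41:10 2025] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<[a-z]+.*<[a-z]+" at ARGS:ads. [file "/etc/modsec/local.conf"] [line "41"] [id "10001"] [msg "Multiple HTML tags in parameter"] [hostname "example.test"] [uri "/admin/jobs.php"] [unique_id "Z1"]
[Thu Jan 02 05:41:55 2025] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<[a-z]+.*<[a-z]+" at ARGS:salary. [file "/etc/modsec/local.conf"] [line "41"] [id "10001"] [msg "Multiple HTML tags in parameter"] [hostname "example.test"] [uri "/admin/jobs.php"] [unique_id "Z2"]
[Thu Jan 02 05:43:02 2025] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "select" at ARGS:q. [file "/etc/modsec/local.conf"] [line "77"] [id "10002"] [msg "SQL keyword"] [hostname "example.test"] [uri "/search.php"] [unique_id "Z3"]
[Thu Jan 02 05:44:00 2025] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico
"""

TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')           # [id "10001"], [uri "/x"], ...
TARGET = re.compile(r' at ([A-Z_]+(?::[\w.-]+)?)\. \[file ')  # e.g. ARGS:ads

def blocked_requests(log_text):
    """Yield (uri, rule_id, target) for each request ModSecurity denied."""
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # skip detection-only warnings and unrelated Apache errors
        tags = dict(TAG.findall(line))
        target = TARGET.search(line)
        if "id" in tags and "uri" in tags and target:
            yield tags["uri"], tags["id"], target.group(1)

def scoped_exclusions(log_text):
    """Return hit counts plus per-URI directives that exempt only the flagged field."""
    hits = Counter(blocked_requests(log_text))
    by_uri = {}
    for uri, rule_id, target in sorted(hits):
        by_uri.setdefault(uri, []).append(
            f'  SecRuleUpdateTargetById {rule_id} "!{target}"')
    blocks = ["\n".join([f'<Location "{uri}">', *directives, "</Location>"])
              for uri, directives in by_uri.items()]
    return hits, "\n".join(blocks)

if __name__ == "__main__":
    hits, config = scoped_exclusions(SAMPLE_LOG)
    for (uri, rule_id, target), count in hits.items():
        print(f"{count}x rule {rule_id} denied {target} on {uri}")
    print(config)
```

The generated directives are a starting point for whoever administers the server-level ModSecurity configuration: they exempt one field from one rule on one URL, so the rest of the rule set keeps inspecting every other request.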

预谋 2025-01-02 05:50:22
<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

Use this code. I think this solved your problem.

只涨不跌 2025-01-02 05:50:22
<IfModule mod_security.c>
SecRuleEngine Off
SecRequestBodyAccess Off
</IfModule>

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

After adding this to my htaccess file, the problem was solved.

韬韬不绝 2025-01-02 05:50:22

Just had the same sort of issue on submit showed 403 error but for me it was simple because the form was too big triggering a rule on mod_security.

Also worth increasing php.ini post_max_size and test size using: $_SERVER['CONTENT_LENGTH']

恍梦境° 2025-01-02 05:50:22

In my case, disabling MOD security in cPanel solved the issue for me.

三生池水覆流年 2025-01-02 05:50:22

Might be a bit late, but I faced a similar problem today while trying to submit a form through POST. It would not allow me to submit a text with a link and would throw a 403 Forbidden Access Denied error.
Disabling modsecurity (I did this from the control panel) solved it!

流绪微梦 2025-01-02 05:50:22

The issue is caused by the Apache Firewall mod, it can also be fixed via .htaccess file if you cannot or don't want to edit the httpd.conf.

Create or edit the existing .htaccess file in the directory where the script is called (usually where the index.php is) and add the following lines:

<IfModule mod_security.c>
#SecRuleEngine Off
SecRequestBodyAccess Off
</IfModule>