Snark1994 05-29-2012 12:40 PM

HTML POST form gets 403 with certain characters in input
I have the following html form:

PHP Code:

        <?php if(isset($_POST['areas']) && !empty($_POST['areas'])){
                // Echo the submitted value back as-is (not escaped), so markup in the input is rendered.
                echo 'Got: ' . $_POST['areas'] . '<br/>';
        } else { ?>
                <form method="post" enctype="multipart/form-data" action="test.php">
                        <textarea name="areas" rows="5" cols="80"></textarea>
                </form>
        <?php } ?>

saved as test.php.

When I give it the input "<b>Test</b>" I get "Got: Test" as expected, but when I give it "<b>Test</b><!--comment-->" I get a 403 error. If I copy and paste the URL which is giving the 403 error I get (as expected) the form shown above.

I've heard tell that this is something to do with mod_security, but I won't be able to edit that (being on shared hosting). Is there any workaround that people know of?


bertlef 05-30-2012 12:13 AM

Couple of minor corrections:
You are closing the </body> tag twice
This code is missing at least the submit button.

It seems to be that mod_security can be overridden in .htaccess:

<IfModule mod_security.c>
        # Turn off mod_security filtering.  SMF is a big boy, it doesn't need its hands held.
        SecFilterEngine Off

        # The below probably isn't needed, but better safe than sorry.
        SecFilterScanPOST Off
</IfModule>

I don't have mod_security on my computer and it works fine here, so I can't really reproduce the error at the moment.

Snark1994 05-30-2012 11:33 AM

Thanks for your suggestions - you're absolutely right about your corrections, woops!

Unfortunately, changing the .htaccess does nothing - and if I remove the "IfModule" tags, it gives an internal server error, which suggests to me that mod_security isn't being used and hence isn't the cause of my problems.

As you say, it works fine on my local Apache server, as well as on a different website (and different hosting provider), just not this web hosting. I think I'll get in touch with them to ask them if they can help. Cthulhu help me, with their support procedures *eyeroll*

bertlef 05-30-2012 12:02 PM

That sure sounds like a problem in their server; it is better to just confirm with them. If not, we'll keep on trying ;)

Good luck with them.

Snark1994 05-30-2012 12:35 PM

I got the following response back:


"On checking the Apache error logs, I can see mod_security errors. The mod_security was blocking the HTTP POST as it thinks it is a possible injection to the site. I have disabled the mod_security settings for the domain to fix the issue."

So yeah, looks like it was mod_security (the internal server errors were presumably caused by some restriction on disabling mod_security). Everything now works as we expected. Thanks for your help, bertlef ;)
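
Added example, not part of the thread: the host's reply points to mod_security entries in the Apache error log. Assuming the ModSecurity 2.x error-log layout, this Python script pulls the rule id, URI and matched variable out of denied requests, which is what a host needs in order to grant a narrow exception for one rule instead of disabling the engine for the whole domain. The log lines, rule ids, messages and file paths below are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x error-log layout (assumed version);
# client addresses, rule ids, file paths and messages are made up for illustration.
SAMPLE_LOG = r'''
[Wed May 30 12:20:01 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<!--" at ARGS:areas. [file "/etc/modsec/rules.conf"] [line "42"] [id "999001"] [msg "Constructed: HTML comment in request body"] [hostname "example.com"] [uri "/test.php"] [unique_id "AAAA"]
[Wed May 30 12:20:09 2012] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
[Wed May 30 12:21:30 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<!--" at ARGS:areas. [file "/etc/modsec/rules.conf"] [line "42"] [id "999001"] [msg "Constructed: HTML comment in request body"] [hostname "example.com"] [uri "/test.php"] [unique_id "AAAB"]
[Wed May 30 12:25:00 2012] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "select" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "77"] [id "999002"] [msg "Constructed: SQL keyword"] [hostname "example.com"] [uri "/search.php"] [unique_id "AAAC"]
'''

ACTION_RE = re.compile(r'ModSecurity: (Access denied with code (\d+)|Warning)')
TARGET_RE = re.compile(r' at ([A-Z_]+(?::[^\s.]+)?)\.')      # e.g. ARGS:areas
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"] metadata


def parse_line(line):
    """Return a dict for a ModSecurity entry, or None for any other log line."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    fields = dict(FIELD_RE.findall(line))
    target = TARGET_RE.search(line)
    return {
        "blocked": action.group(2) is not None,   # False for "Warning" (logged, not denied)
        "status": int(action.group(2)) if action.group(2) else None,
        "target": target.group(1) if target else None,
        "id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
    }


def blocking_rules(log_text):
    """Count denied requests per (rule id, uri, matched variable), skipping warnings."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["blocked"]:
            counts[(event["id"], event["uri"], event["target"])] += 1
    return counts


if __name__ == "__main__":
    for (rule_id, uri, target), n in blocking_rules(SAMPLE_LOG).most_common():
        print(f"rule {rule_id} denied {n} request(s) to {uri} on {target}")
```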

