I have a non-complicated issue... that seems to be more complicated than it should be.
I have a simple form that is used to add content to a website. Some of the fields need to have html inputted into them. However, when you input certain html elements into the different parts of the form, it decides that it hates you and throws a forbidden 403 error. Here is the form below:
<?php
$data = f("SELECT * FROM table WHERE id = '{$_GET['id']}'");
?>
<form action="<?=$_SERVER['PHP_SELF']?>?id=<?=$_GET['id']?>&action=edit" method="post">
<table cellspacing="0" cellpadding="2" border="0">
<tr>
<td><b>Title:</b></td>
<td><input type="text" name="title" style="width: 300px;" value="<?=$data['title']?>" /></td>
</tr>
<tr>
<td><b>URL:</b></td>
<td><input type="text" name="url" style="width: 300px;" value="<?=$data['url']?>" /></td>
</tr>
<tr>
<td><b>Sub-Category:</b></td>
<td>
<select name="subCategoryId">
<option value=""></option>
<option value="1">A</option>
<option value="2">B</option>
</select>
</td>
</tr>
<tr>
<td><b>Short Description:</b></td>
<td><textarea name="shortDescription" rows="6" cols="60"><?=$data['shortDescription']?></textarea></td>
</tr>
<tr>
<td><b>Template:</b></td>
<td><textarea name="template" rows="6" cols="60"><?=$data['template']?></textarea></td>
</tr>
<tr>
<td><b>Ads:</b></td>
<td><textarea name="ads" rows="6" cols="60"><?=$data['ads']?></textarea></td>
</tr>
<tr>
<td><b>Keywords:</b></td>
<td><textarea name="keywords" rows="6" cols="60"><?=$data['keywords']?></textarea></td>
</tr>
<tr>
<td><b>Questions:</b></td>
<td><textarea name="questions" rows="6" cols="60"><?=$data['questions']?></textarea></td>
</tr>
<tr>
<td><b>Salary:</b></td>
<td><textarea name="salary" rows="6" cols="60"><?=$data['salary']?></textarea></td>
</tr>
<tr>
<td><b>Jobs:</b></td>
<td><textarea name="jobs" rows="6" cols="60"><?=$data['jobs']?></textarea></td>
</tr>
<tr>
<td><b>Meta Description:</b></td>
<td><input type="text" name="metaDescription" style="width: 300px;" value="<?=$data['metaDescription']?>" /></td>
</tr>
<tr>
<td><b>Meta Keywords:</b></td>
<td><input type="text" name="metaKeywords" style="width: 300px;" value="<?=$data['metaKeywords']?>" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="submit" value="Edit Job" /></td>
</tr>
</table>
</form>
I have other forms that follow this same pattern without any trouble. To further make this even more confusing, it will only throw this error when any 2 html elements are supplied in the text area (it handles one html element just fine). The text areas are ads, keywords, salaries, and jobs. The other text areas will take it just fine, but these 4 won't. If I can make this one more bit confusing, if I simply enter in text in those fields and save it, it runs without a problem.
To handle the post data, I only use mysql_real_escape_string() to handle the data, I don't do a strip_tags() as I need the html in there.
Is this a weird apache error that can be fixed with .htaccess? Is there a module in PHP that is conflicting with this?
-------EDIT HERE IS THE ANSWER--------
Ben brought up a fantastic answer that is probably the problem and I cannot fix it because of a lack of privileges. So I created an onsubmit event from an idea that Gerben gave me and wrote the following javascript.
function awesome() {
    var elements = document.forms[0].elements;
    for (var i = 0; i < elements.length; i++) {
        switch (elements[i].name) {
            case "ads":
            case "shortDescription":
            case "template":
            case "questions":
            case "salary":
            case "jobs":
                // swap every "<" for a marker before the form is posted
                var str = elements[i].value;
                elements[i].value = str.replace(/</g, "##!");
                break;
        }
    }
    return true;
}
Then on the receiving end, I did a str_replace to replace ##! back to a < and that at least made the thing work.
I'm on a horse....hyaa!
Thanks for all your help. :)
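The form in the question builds its SQL from `$_GET['id']` directly and echoes stored HTML into `<textarea>` and `value="..."` unescaped, which matters once these fields are meant to hold HTML. The following is an added example, not code from the original post: it keeps the HTML intact in storage by using bound parameters and escapes it only when the edit form is rendered. The in-memory SQLite database, the `jobs` table, `edit.php` and the helper names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the site's database (in-memory SQLite via PDO).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, ads TEXT)');
$pdo->exec("INSERT INTO jobs (id, title, ads) VALUES (1, 'Old title', '')");

// Escape a value for HTML text or a quoted attribute.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Bound parameters carry the values, so the HTML is stored unchanged and
// never becomes part of the SQL text.
function saveJob(PDO $pdo, int $id, string $title, string $ads): void
{
    $stmt = $pdo->prepare('UPDATE jobs SET title = :title, ads = :ads WHERE id = :id');
    $stmt->execute([':title' => $title, ':ads' => $ads, ':id' => $id]);
}

function loadJob(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM jobs WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('No such record');
    }
    return $row;
}

// Escaping happens at output time; the browser shows the original markup
// inside the textarea and posts it back unchanged.
function renderForm(array $data): string
{
    return '<form action="edit.php?id=' . (int) $data['id'] . '&amp;action=edit" method="post">' . "\n"
         . '<input type="text" name="title" value="' . h($data['title']) . '" />' . "\n"
         . '<textarea name="ads" rows="6" cols="60">' . h($data['ads']) . '</textarea>' . "\n"
         . '<input type="submit" name="submit" value="Edit Job" /></form>';
}

// Constructed input: two HTML elements followed by a closing textarea tag.
$postedAds = '<div class="ad"><a href="/x">Ad</a></div></textarea>';
saveJob($pdo, 1, 'Nurse "RN"', $postedAds);
echo renderForm(loadJob($pdo, 1)), "\n";
```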
Given that you're able to post, and that your post-handling is apparently extremely simple and so unlikely to be throwing 403 errors or redirecting to forbidden directories, I'm going to hazard a guess that you're running an apache-level firewall. Have a look at your apache config files, and check to see if you're running mod_security or have any other firewall module loaded. There are a number of ways mod_security can be configured, including scanning POST data for html content and reacting accordingly. If it is configured to prevent html injection, this may be your issue (see configuration details here: http://www.modsecurity.org/projects/modsecurity/apache/feature_content_injection.html).
To test this, try adding an htaccess file into your web root (assuming you're allowed to override apache settings with htaccess) and setting:
SecFilterEngine Off
Restart apache and then see if it's still happening.
If this is a shared host, or you otherwise don't have the ability to modify apache settings, you can try a workaround using javascript that base64 encodes all the data before submitting (onsubmit), and then base64_decode($_POST[key]) in the php script that processes it.
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Use this code, I think this solved your problem.
Just had the same sort of issue: on submit it showed a 403 error, but for me it was simply because the form was too big, triggering a rule on mod_security.
Also worth increasing php.ini post_max_size and testing the size using: $_SERVER['CONTENT_LENGTH']
In my case, disabling MOD security in cPanel solved the issue for me.
<IfModule mod_security.c>
SecRuleEngine Off
SecRequestBodyAccess Off
</IfModule>
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
After adding this to my htaccess file, the problem was solved.
Might be a bit late, but I faced a similar problem today while trying to submit a form through POST. It would not allow me to submit a text with a link and would throw a 403 Forbidden Access Denied error.
Disabling modsecurity (I did this from the control panel) solved it!
The issue is caused by the Apache Firewall mod. It can also be fixed via the .htaccess file if you cannot or don't want to edit the httpd.conf.
Create or edit the existing .htaccess file in the directory where the script is called (usually where the index.php is) and add the following lines:
<IfModule mod_security.c>
#SecRuleEngine Off
SecRequestBodyAccess Off
</IfModule>
Related
Hello, I have a problem... Suppose that I have a table with two text boxes and one button. When I click the button, I must read the value of a text box and create a directory in a specific path, and the directory must be named like the value that I read from the text box.
I've tried this code but it doesn't work :(
file = directory.php
<?php
$idCantiere = $_POST["idCantiere"];
$codiceCommessa = $_POST["codiceCommessa"];
echo("Registrazione avvenuta");
chdir("../inserimento");
opendir(".");
mkdir("../inserimento/prova/".$idCantiere);
?>
file prova.html
<table method="POST" action="directory.php">
<tr>
<td bgcolor="#B2E5FB">Cantiere</td>
<td colspan="11"> <input type="text" id="idCantiere"></td>
</tr>
<tr>
<td bgcolor="#B2E5FB">Codice Commessa</td>
<td colspan="11"> <input type="text" id="codiceCommessa"></td>
</tr>
<tr><td><button name="insAffidatario" type="submit" onclick="directory.php">Inserisci Affidatario</button></td></tr>
</table>
The problem with your code, and it is a specific one, is that you used <table></table> for what should be a form; it should be <form></form>.
Then you used ID's instead of name attributes. You need to add name="idCantiere" and name="codiceCommessa" to their respective inputs.
You may also want to remove onclick="directory.php" here. The "action" already takes care of that.
Side note: Place your table inside the form and not outside. <form> cannot be made child of <table>.
Also make sure that the paths (and folders) correspond and that they are writeable with proper group/user permissions.
Error reporting will be of help also.
http://php.net/manual/en/function.error-reporting.php
and set to catch and display.
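The answer's fixes applied in one file, as an added example that is not part of the original posts: the table sits inside a `<form>`, the inputs carry `name` attributes, the `onclick` is gone, and errors are reported. Because the posted value becomes a path component, the handler also restricts it to an allow-list before calling `mkdir()`; the helper name `createChildDirectory`, the allowed character set, the `0750` mode and the base path (taken from the question's `../inserimento/prova/`) are assumptions.

```php
<?php
declare(strict_types=1);
error_reporting(E_ALL);            // report everything while debugging
ini_set('display_errors', '1');    // and display it

// Hypothetical helper: create $name as a direct child of $baseDir.
function createChildDirectory(string $baseDir, string $name): string
{
    // The value becomes a path component, so accept only letters, digits,
    // underscore and hyphen (assumed naming scheme for a site id).
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        throw new InvalidArgumentException('Invalid directory name');
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base) || !is_writable($base)) {
        throw new RuntimeException('Base directory missing or not writable');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (!is_dir($target) && !mkdir($target, 0750)) {
        throw new RuntimeException('Could not create directory');
    }
    return $target;
}

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $name = $_POST['idCantiere'] ?? '';   // read by name=, not id=
    try {
        createChildDirectory(__DIR__ . '/../inserimento/prova', is_string($name) ? $name : '');
        $message = 'Registrazione avvenuta';
    } catch (Exception $e) {
        $message = 'Error: ' . $e->getMessage();
    }
}
?>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<!-- The form wraps the table; inputs carry name attributes; no onclick -->
<form method="POST" action="directory.php">
  <table>
    <tr><td>Cantiere</td><td><input type="text" name="idCantiere"></td></tr>
    <tr><td>Codice Commessa</td><td><input type="text" name="codiceCommessa"></td></tr>
    <tr><td><button type="submit" name="insAffidatario">Inserisci Affidatario</button></td></tr>
  </table>
</form>
```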
I know there are several threads about this topic but I couldn't find one to fit my needs.
I'm simply trying to send a form asynchronously using the jQueryFormPlugin.
I've got this basic form in index.php
<form id="test_form" action="http://127.0.0.1/MwebCms/index.php?admin=1&p=navigation&add=1" method="POST">
<table>
<tr>
<td>Title</td>
<td><input type="text" name="title"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" value="Speichern" name="submit"></td>
</tr>
</table>
</form>
Now after including Jquery and the Jquery form plugin I added this in my JavaScript file:
$(document).ready(function() {
    $('#test_form').ajaxForm(function() {
        alert("test");
    });
});
Now that's all fine and dandy, but if I now check in index.php for:
echo $_POST["title"];
It will never be set.
What am I doing wrong or is my basic understanding of the jqueryFormPlugin completely wrong at all?
Source: http://malsup.com/jquery/form/#getting-started
I found the mistake I made:
The $_POST was sent alright, but it wasn't displayed. After changing the jquery to the following:
$(document).ready(function() {
    $('form').ajaxForm(function(data) {
        $("body").html(data);
    });
});
It all worked properly.
I am experiencing some problems retrieving float number values with JavaScript from HTML by clicking on a button and then processing them in a PHP file.
The HTML part is inside a table (maybe this is useful as extra info):
<table style="width:100%">
<tr>
<!-- some other <td> here -->
<td>
<img name="clickImage" style="position: relative; margin: auto;" src="myImage.png" onClick="fooFloat()">
</td>
<td>
<input id="toAngleH" maxlength="6" size="6" type="text" value="" style="background-color: #ffff;"/>
<br>
<input id="toAngleV" maxlength="6" size="6" type="text" value="" style="background-color: #ffff;"/>
</td>
</tr>
</table>
And my Javascript function fooFloat() is the following:
function fooFloat()
{
    //doesn't work
    var $angleH = parseFloat(document.getElementById("toAngleH").value);
    var $angleV = parseFloat(document.getElementById("toAngleV").value);
    //doesn't work
    //var $angleH = $("#toAngleH").val();
    //var $angleV = $("#toAngleV").val();
    $("#content").load("file.php",{ toAngleH: angleH, toAngleV: angleV });
}
In the PHP file the values are retrieved as always with the
isset($_POST["string"])
function which works fine for integer numbers, but seems I cannot process the float values into the Javascript function.
I don't know where I am wrong.
Thank you in advance for your help.
EDIT:
I finally solved the problem. I was missing an apostrophe in the PHP file...
Bye.
In an HTTP POST request the data is serialized/encoded to a string and posted to the server. It is then the server's responsibility to parse the data correctly.
As far as JavaScript is concerned, you are retrieving it correctly. However, I think you have a typo where you are storing the value in $angleH but using angleH ($ omitted).
You may wish to check network headers through debugger network tab to see what data is posted to the server.
var val = document.getElementById("toAngleV").value//string value
Did you try passing the number as a string and parsing it on the server side? I'd imagine there is some kind of issue with the point or comma. You could maybe try replacing those characters before posting and then replacing them back on the server before changing the type.
N00b alert; I know enough to be dangerous, so forgive my ignorance...I've been through all of the related questions here and elsewhere, but I just can't seem to comprehend the answer that's surely included in the responses :-(
I'm posting a record id to a page where I want a form to display with the contents of the related record. I'm getting the record in correctly (confirmed using the alert) with this script in the HEAD section (jquery 1.9 is called as well):
<script type="text/javascript">
function getSelectedCustomer () {
    ...use the id to get the right record...
    databaseAPI.callback = function() {
        if (databaseAPI.error) {
            alert("Database Error: " + databaseAPI.error);
        }
        else {
            var customerRecord = databaseAPI.result;
            alert("Test Callback: " + new String(customerRecord.full_name));
            $("#quoteForm").load(customerRecord);
        }
        return;
    };
    databaseAPI.ajaxGet();
}
window.onload = getSelectedCustomer;
</script>
...and the form in the BODY to be loaded:
<form method="post" id="quoteForm" action="process_quote.php">
<table>
<tbody>
<tr>
<td>Name</td>
<td><input type="text" value="<?php $customerRecord['full_name']; ?>" name="full_name"></td>
</tr>
...other bits of the form...
<tr>
<td>
<input type="submit" value="Submit">
</td>
</tr>
</tbody>
</table>
</form>
I know I'm incorrectly munging various things together. Can someone please get me straightened out on what to do?
Michael's answer solved the INPUT fields in the form. Didn't mention I had SELECT fields as well:
<select size="0" name="email_sent">
<option value="No">No</option>
<option value="Yes">Yes</option>
</select>
Changing INPUT to SELECT works.
What you're missing is where code is being executed. The PHP code is being executed on the server, before being sent to the browser. The Javascript is then rendered by the browser. You can't pass variables back and forth between Javascript and PHP.
You want to inject the name with Javascript. I see you're already using jQuery, so the heavy lifting is already done for you. Remove the value="<?php $customerRecord['full_name']; ?>" from the PHP file, and replace $("#quoteForm").load(customerRecord); with $("#quoteForm input[name='full_name']").val(customerRecord.full_name);
Should work, might need some variation depending on your exact circumstances. At least it should put you down the right path.
Ajax-returned HTML includes a table and a submit button (type=button)
The table includes jQuery routine to clone table row (each row allows choosing/uploading one file, and has two values: <input type="text"> for doc title, and <input type="file">.
<table id="MyTable">
<tr name="tr3" id="tr3">
<td>
<input type="text" name="dt[]" id="dt1">
</td>
<td>
<input type="file" name="fff[]" id="ff1">
</td>
</tr>
</table>
<input type="button" name="sub1" id="sub1" value="Submit" onclick="checkform();">
Upon form submit, I must check that each doc title has been filled-in, so the submit button calls a javascript routine:
function checkform()
{
    if(document.updateprojectdocs.dt[0].value=='')
    {
        alert("Fields marked with an asterisk are required.");
        document.updateprojectdocs.dt[0].focus();
        return;
    }
    document.getElementById("TheForm").submit();
}
Of course, this does not work (script dies before form submit -- but submits if I remove the preceding if structure). Can anyone tell me why and how to fix?
Also, there will be an indeterminate number of dt[] fields to check. How could I structure a loop to do this? I suspect jQuery's .find().each() could be used, but not sure what that would look like?
UPDATES:
Thanks to DaHaKa's response below, I am closer to a solution. I mod'd DaHaKa's suggested code into jQuery.
I was having trouble communicating with DaHaKa - for some reason his responses were not appearing until long, long, long after he posted them (the problem was probably on my end). While I was waiting (hours), I posted part of the problem in another question and ended up resolving it there. That other question grew into the FULL CORRECT ANSWER, and I direct future viewers there. Note that user thecodeparadox created a working JSFiddle of the full solution.
I have awarded this question to DaHaKa as he was more than willing and able to assist, but comm problems intervened. Thanks again, D.
In this case jQuery's each function isn't necessary; you can do it simply like this =>
try
<table id="MyTable">
<tr name="tr3" id="tr3">
<td>
<input type="text" name="dt" id="dt1">
</td>
<td>
<input type="file" name="fff" id="ff1">
</td>
</tr>
</table>
<input type="button" name="sub1" id="sub1" value="Submit">
JavaScript
document.getElementById("sub1").onclick = function(){
    if (document.getElementById("dt1").value!=""){
        document.getElementById("TheForm").submit();
    } else {
        alert("Empty Field(s) !");
    }
};
You should use ids in JavaScript from html tags, NOT NAME tags.
And what about your file input: you could understand it from your server-side scripting language like PHP, with superglobal variables of the $_FILES['file']['error'] type.