  1. #1
    New to the CF scene
    Join Date
    Jan 2012
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Textarea POST PHP error if text contains "CD/"

    I have an HTML page with a textarea that uses POST to send the contents to a PHP page. The second page simply updates a MySQL database with the contents of the box (pretty standard). However, the second page completely freezes and returns 404 if the text entered contains the letters "cd" in upper or lower case, followed by some or no whitespace and then a forward or back slash.

    Examples of text that can be included to cause error:
    • CD/
    • cd /
    • cD \
    • Cd /
    • cd\


    We noticed this when a user tried to write the sentence "CD/MP3 compatible" and it caused the error. I have attempted to Google this several ways but cannot find anyone experiencing even a similar problem(?) Help!

  • #2
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,853
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    Blog Entries
    1
    I have attempted to Google this several ways but cannot find anyone experiencing even a similar problem(?) Help!
    Please post your code.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #3
    New to the CF scene
    Join Date
    Jan 2012
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Further information

    I have performed further testing of this error....
    It occurs if the input method is either an input box or a textarea.
    It occurs if the method is GET or POST.
    It occurs even if the handling page makes no attempt to access the parsed data.

    Basically, if you make any page with an input box, enter the text "CD/" and click submit, it will cause an error.

    Code:
    <form action="atest_edit_process.php" method="get">
    <input type="text" name="product_longdescription" value="CD/">
    <input type="submit"> <!-- Clicking this button will error unless the value of above text box is changed -->
    </form>
    What can I do to stop this? I really don't like the idea that any one of my users could accidentally type this sequence of letters and cause an error.

  • #4
    New to the CF scene
    Join Date
    Jan 2012
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Further further information

    I have tested this code on 5 servers and it is only occurring on some of them. The error is Error 501

    Method Not Implemented

    GET to /atest_edit_process.php not supported.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


    If you wish to see an example of the error please visit http://wwwwwww.cherry7studios.co.uk/atest_edit.php Notice that changing the value of the text box to anything else will not cause an error. But leaving it as CD/ will.

  • #5
    Regular Coder
    Join Date
    Jun 2010
    Posts
    293
    Thanks
    63
    Thanked 8 Times in 8 Posts
    The words "needle" and "haystack" spring to mind ... we can't diagnose the problem without knowing more about it.

    I suggest that (a) you put some trace in the code to find out where the error is occurring, (b) post the errant code and (c) post the values of any pertinent variables at the point of the error.

  • #6
    New to the CF scene
    Join Date
    Jan 2012
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by XmisterIS View Post
    The words "needle" and "haystack" spring to mind ... we can't diagnose the problem without knowing more about it.

    I suggest that (a) you put some trace in the code to find out where the error is occurring, (b) post the errant code and (c) post the values of any pertinent variables at the point of the error.
    a) The error is occurring after form submit. It doesn't appear to be getting to the next page. The only line of code in the page that "actions" the form is header("Location: atest_edit.php"); which sends it back to the same page. In my previous post I included a link to a working example. Enter "CD/" in the text box to see it error. Enter anything else or nothing at all to see it redirect successfully.
    b) I have posted the errant code
    c) There is only one variable parsed and that is the input box which is called "product_longdescription" and will have the value of whatever is inputted. If that variable contains the string "CD/" it will error. If it contains anything else it will not.

    I think I have given you all the information I can.

  • #7
    Regular Coder
    Join Date
    Jun 2010
    Posts
    293
    Thanks
    63
    Thanked 8 Times in 8 Posts
    Quote Originally Posted by Martin1001 View Post
    a) The error is occurring after form submit. It doesn't appear to be getting to the next page. The only line of code in the page that "actions" the form is header("Location: atest_edit.php"); which sends it back to the same page. In my previous post I included a link to a working example. Enter "CD/" in the text box to see it error. Enter anything else or nothing at all to see it redirect successfully.
    Can you post the part of the callback script that handles the GET vars? It would seem that the contents of the GET var are being treated as a file path. How are your mod_rewrites set up in your .htaccess file?

  • #8
    New to the CF scene
    Join Date
    Jan 2012
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by XmisterIS View Post
    Can you post the part of the callback script that handles the GET vars? It would seem that the contents of the GET var are being treated as a file path. How are your mod_rewrites set up in your .htaccess file?
    There is no code that references the GET var. The entire page code looks like this...

    Code:
    <?php  header("Location: atest_edit.php"); ?>
    Further to this, it does not matter what the next page has on it. The error is not with the next page. I changed it to a single line of plain text saying "Hello world" and it still behaves the same, causing an error when you parse "CD/" but not causing an error when you parse nothing or anything other than "CD/".

    My .htaccess file looks like this...

    Code:
    # Apache/PHP settings:
    
    # Force simple error message for requests for non-existent favicon.ico.
    <Files favicon.ico>
      # There is no end quote below, for compatibility with Apache 1.3.
      ErrorDocument 404 "The requested file favicon.ico was not found.
    </Files>
    
    # Various rewrite rules.
    <IfModule mod_rewrite.c>
    	RewriteEngine on
    	
    	RewriteCond %{HTTP_HOST} ^cherry7studios\.co.uk$ [NC]
    	RewriteRule ^(.*)$ http://wwwwwww.cherry7studios.co.uk/$1 [L,R=301]
    	
    	RewriteCond %{HTTP_HOST} ^www.cherry7studios\.co.uk$ [NC]
    	RewriteRule ^(.*)$ http://wwwwwww.cherry7studios.co.uk/$1 [L,R=301]
    	
    	# Rewrite URLs of the form 'x' to the form 'rewrite.php?q=x'.
    	# RewriteCond %{REQUEST_FILENAME} !-f
    	# RewriteCond %{REQUEST_FILENAME} !-d
    	# RewriteCond %{REQUEST_URI} !=/favicon.ico
    	# RewriteRule ^(.*)$ rewrite.php?q=$1 [L,QSA]
    </IfModule>
    Last edited by Martin1001; 01-04-2012 at 01:39 PM.

  • #9
    Regular Coder
    Join Date
    Jun 2010
    Posts
    293
    Thanks
    63
    Thanked 8 Times in 8 Posts
    I can't immediately see anything wrong with your .htaccess - perhaps someone who knows .htaccess better might spot something.

    Just another thought though - are you running on a Linux box? I ask because "cd /" will take you to the root dir, which, looking at the error is what the server has done. Perhaps you already know that?

  • #10
    New to the CF scene
    Join Date
    Jan 2012
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by XmisterIS View Post
    I can't immediately see anything wrong with your .htaccess - perhaps someone who knows .htaccess better might spot something.

    Just another thought though - are you running on a Linux box? I ask because "cd /" will take you to the root dir, which, looking at the error is what the server has done. Perhaps you already know that?
    Yes the server is Linux. So if this is the case then I need to ask my server guy WHY THE HELL command line commands are being executed within GET or POST values?! Is this not a huge security issue?

    Have you visited http://wwwwwww.cherry7studios.co.uk/atest_edit.php to see the error occurring? Try clicking submit with any text in the box (observe no errors) and then try it with "cd/" and watch the sky crumble and the earth shatter

  • #11
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,853
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    Blog Entries
    1
    What's there inside atest_edit_process.php file?
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #12
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Quote Originally Posted by Martin1001 View Post
    Yes the server is Linux. So if this is the case then I need to ask my server guy WHY THE HELL command line commands are being executed within GET or POST values?! Is this not a huge security issue?
    It could quite well be some security settings by an admin preventing things like that being passed via GET/POST params, to prevent some tool from coding an insecure script and actually directly executing supplied code. Debug correctly first. What differs between the systems where the code works and where it doesn't?
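
Added example, not part of the thread or any poster's code: a model of a request filter sitting in front of PHP that reproduces the reported behaviour, plus a helper that shrinks a rejected input to a smallest substring that is still rejected. The regex, the function names and the 302 for a passed request are assumptions built from the thread's description; against a real server the `blocked` callable would send the request instead.

```python
import re
from urllib.parse import urlencode, parse_qs

# Hypothetical stand-in for the server-side filter, built only from the
# behaviour reported in the thread: "cd" in any case, optional whitespace,
# then a forward or back slash.
SIGNATURE = re.compile(r"cd\s*[/\\]", re.IGNORECASE)

def front_filter(query_string):
    """Return the HTTP status the filter layer would produce for a request.

    The check runs on decoded parameter values before any script executes,
    which is why the handler's contents made no difference in the thread.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for values in params.values():
        if any(SIGNATURE.search(v) for v in values):
            return 501  # status reported in the thread
    return 302  # handler runs and sends its Location redirect

def is_blocked(value, field="product_longdescription"):
    """True if submitting `value` in `field` is rejected by the filter."""
    return front_filter(urlencode({field: value})) == 501

def minimal_trigger(value, blocked=is_blocked):
    """Shrink a rejected value to a locally minimal rejected substring."""
    if not blocked(value):
        return None
    start, end = 0, len(value)
    # Trim from the right, then from the left, while the block persists.
    while end - start > 1 and blocked(value[start:end - 1]):
        end -= 1
    while end - start > 1 and blocked(value[start + 1:end]):
        start += 1
    return value[start:end]

# Inputs quoted in the thread, plus two constructed controls at the end.
SAMPLES = ["CD/MP3 compatible", "cd /", "cD \\", "Cd /", "cd\\",
           "MP3 compatible", ""]

def report(samples=SAMPLES):
    """Map each sample to (blocked?, minimal triggering substring)."""
    return {s: (is_blocked(s), minimal_trigger(s)) for s in samples}

if __name__ == "__main__":
    for sample, result in report().items():
        print(repr(sample), result)
```

Running the same minimisation against a server that rejects the input and one that does not gives the admin the exact substring to search for in the filter's rules and logs.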

