I'm creating a form where the user should be able to enter any text (used to change articles on the site), Html, JavaScript or literally anything is allowed to type in and post, and so far everything worked. But today I suddenly got this strange error.
When I try to save text with Html to a MySQL database like this:
google
nothing goes wrong, but when I try it like this:
<img src="http://www.google.com/" />
The page does not load (forbidden error) and the database does not contain any of the text is should contain (the Html).
Instead the page shows the following error:
Forbidden
You do not have permission to access this document.
The same problem occurs when I try to post the following data:
src="http:
Why do I get a forbidden error when the post contains that specific piece of text, whats going on here?
Code I'm using:
if($_SERVER['REQUEST_METHOD']=="POST" && !empty($_POST['save'])){
$text = mysql_real_escape_string($_POST['textarea']);
$title = mysql_real_escape_string($_POST['title']);
$query = "INSERT INTO articles (text, title) VALUES ('".$text."','".$title."')";
When I remove the MySQL query I still get the error so it has nothing to do with the database. PHP safe mode is on, could that make a difference?
How can this be fixed?
Edit: Tried the complete application on my xampp server and it did not show the error, but on my hosting server I use the script in a password protected map. could that be the problem? Anyway I'm going to contact my hosting company.
It sounds a bit like mod_security, switched on and in its most aggressive mode, and it thinks you're trying to hack the site. The reason I say it only sounds a bit like that is because no-one should normally configure it to check POST data because that causes far too many false positives. But check the error log(s) as it will probably be listed there if it's that. If so you'll need to turn it off in the hosting settings or nag your host to do it.
Also try a bare minimum script: <?php var_dump($GLOBALS); ?> to see if the data reaches PHP at all.
try:
if($_POST && !empty($_POST['save'])){
$text = mysql_real_escape_string(htmlentities($_POST['textarea']));
$title = mysql_real_escape_string(htmlentities($_POST['title']));
Send this into your db
<a href=www.google.com>Google</a>
or
When called from db
echo "http://".$row_TabelName['RowName'];
It should solve your issue.
if you wish to use the following
base64encode() and insert ,after read base64decode()
Related
Using PHP I need to get a list of company webex meetings and show them on web page
I tried the code on this page: https://developer.cisco.com/site/webex-developer/develop-test/xml-api/sample-code/
But that failed.
<serv:header>
<serv:response>
<serv:result>FAILURE</serv:result>
<serv:reason>Failed to get SiteUrl</serv:reason>
<serv:gsbStatus>PRIMARY</serv:gsbStatus>
<serv:exceptionID>010000</serv:exceptionID>
</serv:response>
</serv:header>
<serv:body>
Error message was that it could not find the SiteURL. The siteurl I was using is companyname.webex.com - when I put that url into browser, it goes to our webex page, so it seems to be correct.
I found this: http://joshuamcginnis.com/webex/ and tried it (using real credentials), but it gives a 500 error and I have no access to logs.
Both of these examples are very old and I am struggling to find up-to-date examples.
If I put https://company.webex.com/WBXService/XMLService into browser, I get a success message
Can anyone suggest how to do this in either PHP or javascript
According to the PHP example in the link, you must be using something like:
<securityContext>
<webExID>YourCiscoUsername#example.com</webExID>
<password>YourCiscoPassword</password>
<siteID>243585</siteID>
<partnerID>g0webx!</partnerID>
</securityContext>
Try using the "siteName" instead of "siteID", like the following:
<securityContext>
<webExID>YourCiscoUsername#example.com</webExID>
<password>YourCiscoPassword</password>
<siteName>go</siteName>
<partnerID>g0webx!</partnerID>
</securityContext>
You can use siteID or siteName indistinctly, but looks like that siteID isn't working for that demo site right now. Their Java and .Net examples are using siteName.
Now, you have to use "go" in siteName if you are making the request to https://go.webex.com/WBXService/XMLService
But you must use "apidemoeu" if you are making the request to
https://apidemoeu.webex.com/WBXService/XMLService
They both appear to be demo sites.
And effectively "Failed to get SiteUrl" is the error returned if the value passed in either siteName or siteID doesn't correspond to an existing site.
I am using simple_html_dom script to gather certain information from external pages.
The script I have been using worked pretty well until today. I tried to look for where the error came from and it seems the file_get_html function is not working anymore, only on certain URLs.
The basic code I am using is:
<?php include_once('../simple_html_dom.php');
echo file_get_html('http://www.hltv.org/match/2295100-')->plaintext; ?>
When executing this, I have a blank page on my OVH shared server. It seems the page returns a 503 error, even if the page actually exists. I am able to extract the content of the page from other servers (like AWS) however. What troubles me is that it's been working for 4 months now without any issue.
I made sure the MAX_FILE_SIZE of the simple_html_dom was increased but could not find any solution to this.
Any idea to solve the issue?
Thanks!
Try this:
<?php
include_once('../simple_html_dom.php');
$result = file_get_html('http://www.hltv.org/match/2295100-');
echo $result->plaintext;
?>
I dont know how to explain my need, and neither which key words to use to find a solution on google, so i'll give an url to be more clear:
check an IP (click on: Check your current IP address)
I'ld like, by using this website for example, getting somes informations after all the processus are terminated.
I tried with "file_get_contents" and with "cURL functions" but i did not find a way to do it, i always get the original source code.
Any idea ?
EDIT:
<body onLoad="setTimeout('get_my_blacklist()', 60000)">
...
...
<?php
echo '<iframe id="my_iframe" src="http://multirbl.valli.org/lookup/'.$ip.'.html">';
?>
...
...
<script>
function get_my_blacklist()
{
//function to get the content after somes secondes.
}
</script>
Here is the new code i tried thank to #Ludovic for is iframe idea.
Still working on it, i'll tell you if its working or not to solve my issue.
Edit2: Whatever how i try, i didnt find a way to get the containt of my frame window.. And even if i'ld succeed, i dont know how i can update my database if do it with JQuery/Javascript
First the page should have been construct by server script like PHP, at this step you have all IP requested then the page is modified by JQuery script who seems to query each IP.
The second step is an asynchronous script so you can't know when the page is effectively finished to construct.
I'm trying to get a page from github to be read and executed with PHP upon page load due to it updating often, although while I've managed to format the page to what should be correct, it still doesn't seem to work.
Basically, I've used the file_get_contents to grab all of the information on the page (if I get this working it should potentially work with any page), removed all comments, and now I just need the code to run.
I've heard eval is unsafe, but it's only a personal website and I trust the github page isn't going to use malicious code, but I'm getting a "syntax error, unexpected T_CONSTANT_ENCAPSED_STRING", when the page runs, despite the fact I haven't touched the code and it runs fine if copied and pasted.
Here is the code I've used to remove the comments, I can't see any problem on or around line 391 where it says the error is, http://www.compileonline.com/execute_php_online.php works if you copy and paste it in
#get page data, remove intro comment (unefficient but can be rewritten once working)
$browsercoderaw = explode("*/",file_get_contents("https://raw.githubusercontent.com/cbschuld/Browser.php/master/lib/Browser.php"));
for($i==1;$i<count($browsercoderaw);$i++){
if($i>1){$browsercodejoined.=" */";} # replace */ for other comments so they can be removed later
$browsercodejoined.=$browsercoderaw[$i];}
$browsercode = nl2br(str_replace("?>","",$browsercodejoined));
#remove all /* comments
$commentremove = explode("/*",$browsercode);
$browsercode2 = $commentremove[0];
for($j==1;$j<count($commentremove);$j++){
$commentsplit = explode("*/",$commentremove[$j]);
$browsercode2.=$commentsplit[1];
}
#remove all // comments
$commentremove2 = explode("<br />",$browsercode2);
$browsercode3 = $commentremove2[0];
$linenum = 0;
for($k==1;$k<count($commentremove2);$k++){
$commentsplit = explode("//",$commentremove2[$k]);
if(strlen(trim($commentsplit[0]))>0){
$browsercode3.=$commentsplit[0];
$browsercodereadable.=$linenum.". ".$commentsplit[0]."<br>";
$linenum++;
}
}
echo $browsercodereadable;
eval($browsercode3);
?>
Also, if there is a better way of doing this please say so, I tried include but the webhost doesn't allow fetching urls from other domains. To be fair, I'm not entirely sure if it's the correct use of eval, but it sounds like it should potentially work.
I'm coding an website which must have same functionality as SO. My server use Litespeed, which increase the speed of runing php files.
When I'm trying to send php code in regular form, everything seems to be ok, data being sent to the action file without interpreting the code inside the variable. But when I'm trying to send the same data in comments textareas, with jQuery $.post method, I'm getting Forbidden 403 error. Data is blocked on the road by Litespeed server. I don't know why is happening this, why is $_POST data auto-evaluated when using ajax?
This situation doesn't appear everytime, but just in some cases, for example:
this is a new message which presents this php code: <?php mysql_query("SELECT * FROM my_table"); ?>
Note that if I remove <?php and ?> from my message, it is ok. I've already tried to use encodeURI() method but this don't change anything.
Is there any setting which must be applied in .htaccess for not auto-evaluate $_POST data?
or I should replace the open and close tags, before sending the comment?
Later edit
This is how I managed to resolve this right now, but I'm still waiting for a suggestion with .htaccess:
$but.prev('textarea').val().replace(/(<\?php)/gi,'-?php ').replace(/(<\?)/gi,'-? ').replace(/\?>/gi,' ?-');
and on the server side
str_replace(array('-?php','?-','-?'), array('`<?php','?>`','`<?'), $_POST['comment']);