We Keep Coding

Why can some text not be sent via the form?

Sending the following form ends with a single character # shown in the MS Edge browser(Microsoft Edge 42.17134.1.0, Microsoft EdgeHTML 17.17134) and we can expect the final result should be OK!. The expected result is shown in other popular browsers. Wrapping the form with the correct HTML5 skeleton with Doctype etc. does not help. Why can some particular text not be sent via the form? Well, to be strict it can as long as I do not touch $_POST or I do not want to include this meta tag on my webpage where the form is sent. I can access the post data via php://input and everything is there in a raw but this is not a solution.
The issue was found in my own content management framework where some tags(including meta tags) are sent via the form to the PHP script.
<?php
if(isset($_POST['test'])){
echo "OK!";
} else{
echo '
<form action="/" name="template" method="post" accept-charset="UTF-8">
<textarea name="test"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></textarea>
<input type="submit" />
</form>
';
}
?>
Naturally, the source code is saved with UTF-8 as well. Please, drag me away from this path in case I am doing something prohibited or potentially wrong. Eventually, I want to send the complete HTML head section via POST method.
Here are my questions:
Why text including <meta charset="UTF-8" /> cannot be properly sent using post method? Here, there is no question about the processing of the data via PHP script.
Is there any reason to search for the issue not in the source code but in web server installation? But, if yes why then it works with other browsers?
Can the HTTP requests be for some reason significantly different what might cause the described issue?
From where comes # can it be from the web server or the edge browser?
I am using XAMPP 7.2.4 on Windows 10.

Not everything should be allowed to send with the form by a user, but any tag is not a reason to be refused by a browser or httpd server.
The web server could reject some request, especially along the loaded mod_rewrite module with not a proper configuration,
...but what is the point of writing the # instead of an error message.
The main fear is that the HTTP requests might be different, maybe some mechanism against XSS incidentally will catch something? But as the life shown the issue here was somehow connected to cache, default content language and saved cookies.
The original issue from the question is related only to XAMPP <=> MS Edge and it has nothing to do with PHP scripts or UTF-8 encoding. It is established in the community that the meta tag with charset should be used as a safety mechanism, but what is not to be expected is that this meta tag might potentially have the influence on showing the website's content or just #. It should be strongly stressed that a similar issue is not appearing with other tags. The simplest case in which the scenario could be repeated is with the GET method by sending form data even to the HTML file.
http://127.0.0.1/?data=%3Cmeta+http-equiv%3D%22%22+%2F%3E
The other decent installations of Apache server have no such issues(I have tried apachelounge on Windows and Apache installations on different linux distributions). Therefore, I claim that reproducing the issue might be difficult and potentially can be the installation specific.
The simplest solution is to use a different version of XAMPP or other implementation of the httpd server.
For those, curious as I am, still, it is not explained why the XAMPP server has the issue with requests only from MS Edge. The typical HTTP request
GET /?data=%3Cmeta+http-equiv%3D%22%22+%2F%3E HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
seems not to has any unconventional stuff. There is an obvious User-Agent difference with MS Edge
GET /?data=%3Cmeta+http-equiv%3D%22%22+%2F%3E HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
Accept-Language: pl-PL
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Connection: Keep-Alive
Cookie: PHPSESSID=*********
and the Cookie, and the Accept-Language: pl-PL only. To my surprise, it turned out that cleaning of the browser data solved my issue.

SQL Injection accept-language php

I'm working through a security assessment report on a php app generated by Accunetix.
The report is claiming a SQL Injection vulnerability. The app is PHP with MySQL. Here's the headers it says are making the attack (specifically the accept-language header):
GET /user_login.php HTTP/1.1
user-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
accept-language: 1;select pg_sleep(1); --
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=35kno6h8kmkbin973q02gojp82; uniqueuser=1382404387
Host: xxx.xxx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
I haven't found "accept-language" or "accept_language" anywhere in the app. Also, pg_sleep() isn't a MySQL function.
I searched for a known vulnerability in PHP and didn't find anything. Is this a false positive, or am I missing something?

Accept-Language is the request header sent by client's browser.
Accunetix were trying to manipulate these headers by injecting malicious code to find security wholes (imitating hackers) to test if you application is vulnerable to them.
If you haven't used accept-language header, or request headers in your DB queries, then probably it is a false positive. To make sure, see the response of that request, if the response is normal, then it is all OK.

The code will probably treat that header as a source for selecting the language, an that is done via a database query. And when generating the query, the contents of the HTTP header are improperly parsed.
The reason for you not seeing this might be because the fetching of the HTTP headers is done indirectly (like in $_SERVER[$language_header]).

access denied to local intranet page for only 1 user

We have a PHP site hosted from an Apache server.
We have a .NET site hosted from a windows server.
Both are internal, and inside our domain.
When a user accesses the PHP site, it checks if your username has been sessioned. If not, it does an ajax GET postback to the .NET "GetUsername.aspx" page. The GetUsername.aspx page simply outputs Request.ServerVariables("LOGON_USER")
The .NET site requries windows authentication to be enabled in IE. All of our users use IE8.
In order for our PHP site to request data from the .NET site, a setting "Access data across domains" must be enabled... and it is.
In order for our .NET site to get your username, "Enable Integrated Windows Authentication" must be nabled... and it is.
Both the .NET site, and the PHP site are intranet sites. If you go to Internet Options -> Local Intranet -> Sites -> Advanced, both sites are in the list.
At this line: xmlhttp.open("GET","http://intranet.MySite.vmv/IS/GetUsername.aspx",false);
A javascript error occurrs with the message "Error: Access is denied."
If i type that same .NET page into the browser url... it loads just fine, and shows her username.
The confusing thing about all this, is that our policy updates (pushed out on every login) set all of these settings. I've verified all the above settings are the same on my browser as they are on this users. Both of us are within the same domain.
Any ideas of some other setting that could be causing this?
Thanks!
EDIT
here are the results from firebug... doesnt seem to be very helpful, just shows me what we already knew.
http://intranet.MyCompany.vmv/IS/GetUsername.aspx
401 Unauthorized
20ms
login (line 103)
HeadersResponseHTML
Response Headers
Content-Length 1656
Content-Type text/html
Date Mon, 09 Apr 2012 16:15:33 GMT
Server Microsoft-IIS/6.0
WWW-Authenticate Negotiate NTLM
X-Powered-By ASP.NET
Request Headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding gzip, deflate
Accept-Language en-us,en;q=0.5
Connection keep-alive
Host intranet.MyCompany.vmv
Origin http://192.168.1.2:10078
Referer http://192.168.1.2:10078/login
User-Agent Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

Well... the issue appears to be with IE7. Somehow this user's version was not upgraded with everyone else. Once we upgraded her to IE8 it worked as expected.

Display HTTP Response on Webpage using PHP

I am looking to put together a website that displays the full HTTP Request Headers and HTTP Response Headers for the loading of the page itself. For instance. If someone browses to http://example.com/index.php , I want the following to display:
HTTP Request
GET /index.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
HTTP Response
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2011 10:20:46 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 1169
Connection: close
Content-Type: text/html; charset=UTF-8
We were able to get the Request header to display fairly simply using the following PHP code:
print $_SERVER['REQUEST_METHOD']." ".$_SERVER['REQUEST_URI']." ".$_SERVER['SERVER_PROTOCOL']."<br>";
foreach (apache_request_headers() as $name => $value)
echo "$name: $value<br>";
But are having some difficulties with the HTTP Response header. Anyone have any ideas of how we can do this? It does not have to be PHP if you have a method that works in Perle or CGI or whatever.
To be clear, I don't mean to set the HTTP Response to anything specific, only display the response served by the web server to load the page.

You want to use headers_list()
http://www.php.net/manual/en/function.headers-list.php
headers_list() will return a list of headers to be sent to the browser / client. To determine whether or not these headers have been sent yet, use headers_sent().

Well here is the issue, the response header is generated after the PHP (or any server-side language for that matter) has already completed its job.
To put it in english its like the post man handing you a letter and you asking him to explain how the process of handing you the letter went. He will probably just look at you dumb.
You will need a client-side language (ie. JavaScript) to perform this task.

Use PHP to get the headers sent to the web Server.
http://www.php.net/manual/en/function.apache-request-headers.php
Use JavaScript to get headers sent by the web server. I would suggest using jQuery for that.
http://api.jquery.com/jQuery.ajax/#jqXHR
This way you are sure that you get all the headers which are either received by the web server or the browser.

Check out get_headers in PHP Manual

Can a cURL based HTTP request imitate a browser based request completely?

This is a two part question.
Q1: Can cURL based request 100% imitate a browser based request?
Q2: If yes, what all options should be set. If not what extra does the browser do that cannot bee imitated by cURL?
I have a website and I see thousands of request being made from a single IP in a very short time. These requests harvest all my data. When looked at the log to identify the agent used, it looks like a request from browser. So was curious to know if its a bot and not a user.
Thanks in advance

This page has all the answers to your questions. You can imitate the things mostly.

R1 : I suppose, if you set all the correct headers, that, yes, a curl-based request can imitate a browser-based one : after all, both send an HTTP request, which is just a couple of lines of text following a specific convention (namely, the HTTP RFC)
R2 : The best way to answer that question is to take a look at what your browser is sending ; with Firefox, for instance, you can use either Firebug or LiveHTTPHeaders to get that.
For instance, to get this page, Firefox sent those request headers :
GET /questions/1926876/can-a-curl-based-http-request-imitate-a-browser-based-request-completely HTTP/1.1
Host: stackoverflow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://stackoverflow.com/questions/1926876/can-a-curl-based-http-request-imitate-a-browser-based-request-completely/1926889
Cookie: .......
Cache-Control: max-age=0
(I Just removed a couple of informations -- but you get the idea ;-) )
Using curl, you can work with curl_setopt to set the HTTP headers ; here, you'd probably have to use a combination of CURLOPT_HTTPHEADER, CURLOPT_COOKIE, CURLOPT_USERAGENT, ...