
[SOLVED] [http 403 error] - can someone check my php?


LuckY07


Hi,

 

I am trying to use this premade PHP form that allows users to leave comments at my site. Currently I am using a WAMP on a localhost with a 'root' user to access MySQL. All configs are default, and I know the PHP and MySQL work since I have tested each, and when I do phpinfo() I can see 'MySQL'. The form PHP/HTML code I got from http://www.tutorialized.com/view/tutorial/Shoutbox/3026 . When I enter all the info in the body and run my 'shoutbox.php' locally with a root user and my PW I get an 'HTTP 403 error', saying the page can't be displayed because it requires a login. Can someone check my code and point me in the direction to look for this problem? I would really appreciate it, thanks.

 

Here is my code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml">
<head> 
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
	<title>Shoutbox</title>
	</head>

	<body>
		<?
		//the host, name, and password for your mysql
      mysql_connect("localhost","username","password");
      //select the database
      mysql_select_db("news");
      
      if($submit){
      //use the PHP date function for the time
      $time=date("h:ia d/j/y");
      // inserting it into the shoutbox table which we made in the mysql statements before
      $result=MYSQL_QUERY("INSERT INTO shoutbox (id,name,message,time)".
      "VALUES ('NULL','$name', '$message','$time')");
      }
      ?>
      
      <?
      //returning the last 5 messages
      $result = mysql_query("select * from shoutbox order by id desc limit 5");

      //the while loop
      while($r=mysql_fetch_array($result)){		
      //getting each variable from the table
      $time=$r["time"]; 
      $id=$r["id"];
      $message=$r["message"];
      $name=$r["name"];
      ?>
      <? echo $time ?><br>
      <? echo $name ?><br>
      <? echo $message ?><br>
      <? } ?>
      
      <form action="<? echo $php_self ?>" method="post">
      <INPUT TYPE='TEXT' value='name' NAME='name' SIZE=30 maxlength='100'><br>
      <INPUT TYPE='TEXT' value='message' NAME='message' SIZE=30 maxlength='100'>
      <input type="submit" name="submit" value="submit">
      </form>

	</body>
</html>

 

I can see the form fine; when I hit 'submit' I get taken to a new page with the error.

Link to comment
Share on other sites

Where is shoutbox.php stored? If you have wamp installed then it should be C:/wamp/www I believe.

 

Also I noticed the script relies on register_globals. register_globals was disabled by default as of PHP 4.2 and is now deprecated. Consider finding a more up-to-date tutorial; however, the code is still workable, it just needs a few variable names to be changed to the $_POST superglobal.

Another thing I noticed is that it uses short tags (<? ?>). Short tags are not enabled by default when PHP is installed. Instead, convert <? to <?php

Link to comment
Share on other sites

I really appreciate you looking at this. I was thinking about making the following changes:

"VALUES ('NULL','$name', '$message','$time')");

to:

"VALUES ('NULL',$_POST['name'],$_POST['message'],$_POST['time'])");

Is that all I need to do?

Also changed the short tags to proper <?php tags.

I have been running PHP scripts in a folder on my c:\mywebsite folder, which is what I set my PHP directory to. Do I need to change the MySQL directory as well?

Link to comment
Share on other sites

Yes, those were the changes that needed to be made. However, regarding the following:

I really appreciate you looking at this. I was thinking about making the following changes:

"VALUES ('NULL','$name', '$message','$time')");

to:

"VALUES ('NULL',$_POST['name'],$_POST['message'],$_POST['time'])");

That is OK for personal use, however not for production use. It is not recommended to place raw user data ($_POST, $_GET, $_COOKIE, etc.) directly into a query, as your query will be prone to SQL injection attacks, which can be used to hack your site, or even worse, completely erase your database.

In order to protect yourself from SQL injection attacks I'd recommend you use the built-in mysql_real_escape_string function. This will help to protect you from such attacks. So instead of doing:

"VALUES ('NULL',$_POST['name'],$_POST['message'],$_POST['time'])");

Do:

$name = mysql_real_escape_string($_POST['name']);
$message = mysql_real_escape_string($_POST['message']);
"VALUES ('NULL', '$name', '$message', '$time')");

You do not have to run mysql_real_escape_string on all fields, only those which store strings. If a field only needs a number, then validate with is_numeric to see if the data only contains numbers.

 

Corrected Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
	<title>Shoutbox</title>
	</head>

	<body>
<?php
//the host, name, and password for your mysql
mysql_connect("localhost","username","password");
//select the database
mysql_select_db("news");

if(isset($_POST['submit']))
{
    //use the PHP date function for the time
    $time = date("h:ia d/j/y");

    /* protect ourselves from SQL Injection */
    $name   = mysql_real_escape_string($_POST['name']);
    $message= mysql_real_escape_string($_POST['message']);

    // inserting it into the shoutbox table which we made in the mysql statements before
    mysql_query("INSERT INTO shoutbox (id, name, message, time) VALUES ('NULL','$name', '$message','$time')");
}

//returning the last 5 messages
$result = mysql_query("select * from shoutbox order by id desc limit 5");

//the while loop
while($r = mysql_fetch_array($result))
{
    //getting each variable from the table
    $time    = $r['time'];
    $id      = $r['id'];
    $message = $r['message'];
    $name    = $r['name'];

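    // encode on output so stored markup is displayed as text rather than interpreted by the browser
    echo htmlspecialchars($time, ENT_QUOTES, 'ISO-8859-1') . "<br>\n";
    echo htmlspecialchars($name, ENT_QUOTES, 'ISO-8859-1') . "<br>\n";
    echo htmlspecialchars($message, ENT_QUOTES, 'ISO-8859-1') . "<hr>\n";
} ?>

      <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'ISO-8859-1'); ?>" method="post">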
      <INPUT TYPE='TEXT' value='name' NAME='name' SIZE=30 maxlength='100'><br>
      <INPUT TYPE='TEXT' value='message' NAME='message' SIZE=30 maxlength='100'>
      <input type="submit" name="submit" value="submit">
      </form>

    </body>
</html>

If you still get the 403 error message then check WAMP's configuration. Make sure you are running your script from http://localhost and not directly loading it into a web browser from c:\mywebsite

Link to comment
Share on other sites
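
A parameterized version of the shoutbox insert and listing, as an added example that is not part of the original thread: it uses PDO prepared statements instead of mysql_real_escape_string (the mysql_* functions were removed in PHP 7) and encodes values on output. The SQLite in-memory database and the helper names add_shout, latest_shouts and e are assumptions made so the script runs stand-alone; it needs the pdo_sqlite extension.

```php
<?php
// Added example. SQLite in-memory stands in for the MySQL "news" database
// (assumption) so the script runs offline; with MySQL only the DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shoutbox (
    id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, message TEXT, time TEXT)');

// add_shout() and latest_shouts() are hypothetical helper names.
function add_shout(PDO $db, string $name, string $message): void
{
    // Placeholders are bound as data, so quotes in the input cannot change
    // the statement. id is omitted: the database assigns it.
    $stmt = $db->prepare(
        'INSERT INTO shoutbox (name, message, time) VALUES (:name, :message, :time)');
    $stmt->execute([
        ':name'    => substr($name, 0, 100),    // server-side copy of maxlength='100'
        ':message' => substr($message, 0, 100),
        ':time'    => date('h:ia d/j/y'),
    ]);
}

function latest_shouts(PDO $db, int $limit = 5): array
{
    $stmt = $db->prepare(
        'SELECT name, message, time FROM shoutbox ORDER BY id DESC LIMIT :n');
    $stmt->bindValue(':n', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode on output; ISO-8859-1 matches the charset the page declares.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'ISO-8859-1');
}

// Constructed sample input: a quote in the name, markup in the message.
add_shout($db, "O'Brien", "it's working");
add_shout($db, 'guest', '<b>hello</b> & welcome');

foreach (latest_shouts($db) as $row) {
    echo e($row['time']), "<br>\n", e($row['name']), "<br>\n", e($row['message']), "<hr>\n";
}
```

Escaping with mysql_real_escape_string only protects a value that sits inside quotes in the SQL text, which is why a bound placeholder is the safer default.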

Thank you very much. That worked like a charm. I'm not sure exactly what was preventing it from using the MySQL db, but my guess is one of the following changes you made:

$_SERVER['PHP_SELF']

instead of:

<?php echo $php_self ?>

or, I was thinking it was the IF-statement change:

if($submit){

to:

if(isset($_POST['submit']))

Also, I wonder if encasing the entire script inside 1 PHP <?php ?> script helped.

Thanks again. I will tweak this code a lot before it goes live ;)

 

 

Link to comment
Share on other sites

I think I figured out what was preventing the SQL query from working. I played around with the settings you gave me and figured out the sole culprit was how I was referencing the '$_POST' command inside a query, which I don't think you can do.

When I declared the variables before placing them in the query it worked!

So basically the fix you taught me was you can't use a superglobal variable inside a query as I tried here:

$result=MYSQL_QUERY("INSERT INTO shoutbox (id,name,message,time) ".
"VALUES ('NULL', $_POST['name'], $_POST['message'], '$time')");

the fix was changing the above to:

$name = mysql_real_escape_string($_POST['name']);
$message= mysql_real_escape_string($_POST['message']);

// inserting it into the shoutbox table which we made in the mysql statements before
mysql_query("INSERT INTO shoutbox (id, name, message, time) VALUES ('NULL','$name', '$message','$time')");

 

Thanks again wild ;)

Link to comment
Share on other sites

So basically the fix you taught me was you can't use a superglobal variable inside a query as I tried here:

$result=MYSQL_QUERY("INSERT INTO shoutbox (id,name,message,time) ".
"VALUES ('NULL', $_POST['name'], $_POST['message'], '$time')");

You can use superglobal variables within a query if you wish (or any other string), however you have to wrap them in curly braces - {} - if you use them inside double quotes. This is to do with how PHP parses arrays within quotes.

Link to comment
Share on other sites

Redirect the user back to shoutbox.php when their post has been added to the database. That way, if the user hits the refresh button, your web browser won't resend the POST data back to the page.

<?php
//the host, name, and password for your mysql
mysql_connect("localhost","username","password");
//select the database
mysql_select_db("news");

if(isset($_POST['submit']))
{
    //use the PHP date function for the time
    $time = date("h:ia d/j/y");

    /* protect ourselves from SQL Injection */
    $name    = mysql_real_escape_string($_POST['name']);
    $message = mysql_real_escape_string($_POST['message']);

    // inserting it into the shoutbox table which we made in the mysql statements before
    mysql_query("INSERT INTO shoutbox (id, name, message, time) VALUES ('NULL','$name', '$message','$time')");

    // redirect the user.
    header("Location: shoutbox.php");
    exit; // stop here so the rest of the page is not executed or sent after the redirect
}

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
	<title>Shoutbox</title>
	</head>

	<body>
<?php
//returning the last 5 messages
$result = mysql_query("select * from shoutbox order by id desc limit 5");

//the while loop
while($r = mysql_fetch_array($result))
{
    //getting each variable from the table
    $time    = $r['time'];
    $id      = $r['id'];
    $message = $r['message'];
    $name    = $r['name'];

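    // encode on output so stored markup is displayed as text rather than interpreted by the browser
    echo htmlspecialchars($time, ENT_QUOTES, 'ISO-8859-1') . "<br>\n";
    echo htmlspecialchars($name, ENT_QUOTES, 'ISO-8859-1') . "<br>\n";
    echo htmlspecialchars($message, ENT_QUOTES, 'ISO-8859-1') . "<hr>\n";
} ?>

      <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'ISO-8859-1'); ?>" method="post">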
      <INPUT TYPE='TEXT' value='name' NAME='name' SIZE=30 maxlength='100'><br>
      <INPUT TYPE='TEXT' value='message' NAME='message' SIZE=30 maxlength='100'>
      <input type="submit" name="submit" value="submit">
      </form>

    </body>
</html>

Notice I have moved the code block which adds the entry to the database before the html. This is because you cannot send any headers when there is any form of output. Output is considered anything outside of the php tags, or anything from echo/print/sprintf etc.

Link to comment
Share on other sites

I tried the updated script wild, but I get the following errors when I hit submit:

 

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'username'@'localhost' (using password: YES) in C:\xxx\shoutbox.php on line 12

 

Warning: mysql_select_db() [function.mysql-select-db]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\xxx\shoutbox.php on line 14

 

Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in C:\xxx\shoutbox.php on line 14

 

Warning: mysql_query() [function.mysql-query]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\xxx\shoutbox.php on line 27

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in C:\xxx\shoutbox.php on line 27

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\xxx\shoutbox.php on line 30

 

Link to comment
Share on other sites

Have you used your MySQL username/password for the mysql_connect function? Looks like you haven't. If you have installed MySQL and haven't set up a username/password already, then use root as the username and nothing for the password instead, e.g.:

mysql_connect("localhost","root","");

 

You have to provide a valid username/password when connecting to MySQL. Also ensure the MySQL server is actually running too.

Link to comment
Share on other sites

I changed my program name when I copied your code.. to shoutboxPHP.php, I forgot to change the following line:

// redirect the user.
header("Location: shoutbox.php");

to:

// redirect the user.
header("Location: shoutboxPHP.php");

I got it to work. Thanks for all your help wildteen ;)

 

 

Link to comment
Share on other sites
