
One of our developers has brought an interesting problem to my attention. I'll start off by describing our environment. We are running a Solaris 10 server with Apache 2.2.6. PHP version 5.2.5 is loaded as a module and appears to be working fine. However, our developer ran into a problem using DokuWiki. When he submits a form with a <html> tag in it, he receives a 400 error. He threw together this little script to verify the problem:

 

<html>
<body>
<?php
// Echo the submitted field back unescaped; guard the first (GET) load so
// $_POST['wikitext'] is not read before it exists.
echo sprintf("%s", isset($_POST['wikitext']) ? $_POST['wikitext'] : '');
?>
<br />
<form method="post" action="<?=$_SERVER['PHP_SELF']?>" accept-charset="utf-8">
<textarea name="wikitext" style="height: 300px;" cols="80" rows="10"></textarea>
<input type="submit"/>
</form>
</body>
</html>

 

This can be viewed here: http://eagles.its.csulb.edu/php/PostTest.php

 

As you can see, the script does nothing more than take what is submitted and display it on the screen. However, if you type in <html> and then click on the Submit Query button, you will get a 400 error.

 

Does anyone know why this is occurring? Am I looking at some php.ini parameter change to fix this?

 

https://forums.phpfreaks.com/topic/85269-interesting-post-error/

You probably want to strip HTML tags from the input before displaying it. Use the strip_tags() function. You could also use the htmlentities() function to turn the characters "<" and ">" into "&lt;" and "&gt;" so the browser won't interpret the output as HTML.

 

In any case, you should never just display input from a user without cleaning it of possibly harmful stuff.

 

Ken

Still no luck. Removing the <html> tags from the code:

 

<body>
<?php
// Same test, wrapped in <xmp> so the browser shows the raw text;
// guard the first (GET) load so $_POST['wikitext'] is not read before it exists.
echo sprintf("<xmp>%s</xmp>", isset($_POST['wikitext']) ? $_POST['wikitext'] : '');
?>
<br />
<form method="post" action="<?=$_SERVER['PHP_SELF']?>" accept-charset="utf-8">
<textarea name="wikitext" style="height: 300px;" cols="80" rows="10"></textarea>
<input type="submit"/>
</form>
</body>

 

Results in the same error when submitting <html>. I then tried using the htmlentities function:

 

<html>
<body>
<?php
// Entity-encode the whole string (including the <xmp> wrapper);
// guard the first (GET) load so $_POST['wikitext'] is not read before it exists.
echo htmlentities(sprintf("<xmp>%s</xmp>", isset($_POST['wikitext']) ? $_POST['wikitext'] : ''));
?>
<br />
<form method="post" action="<?=$_SERVER['PHP_SELF']?>" accept-charset="utf-8">
<textarea name="wikitext" style="height: 300px;" cols="80" rows="10"></textarea>
<input type="submit"/>
</form>
</body>
</html>

 

Again, same error when I submit <html>.

 

To make things even more interesting, when I run this code against another server that is running PHP v4, it works. Only the machine running PHP v5 generates the 400 error.
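A hardened version of the test script, added here as an example and not code from the thread: it follows Ken's advice by escaping the user-supplied value with htmlspecialchars, but escapes only that value rather than the wrapper markup (the last post above entity-encodes the <xmp> tags as well), and it also escapes PHP_SELF, which reflects the request path into the form's action attribute. The helper name esc() is my own.

```php
<?php
// Added example: hardened form of the thread's PostTest.php (not the original script).
declare(strict_types=1);

// Escape a value for insertion into HTML text or an attribute.
// ENT_QUOTES covers both quote styles; the charset is fixed to UTF-8 to match
// the form's accept-charset, so the browser and the escaper agree on encoding.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Read the field only on POST, so a plain GET of the page raises no notices.
$wikitext = ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['wikitext']))
    ? (string) $_POST['wikitext']
    : '';

// PHP_SELF echoes the requested path back into the page; escape it like any
// other request-derived value before placing it in the action attribute.
$self = esc($_SERVER['PHP_SELF'] ?? '');
?>
<!DOCTYPE html>
<html>
<body>
<!-- Only the user value is escaped; the surrounding <pre> stays real markup. -->
<pre><?= esc($wikitext) ?></pre>
<br />
<form method="post" action="<?= $self ?>" accept-charset="utf-8">
<textarea name="wikitext" style="height: 300px;" cols="80" rows="10"><?= esc($wikitext) ?></textarea>
<input type="submit" />
</form>
</body>
</html>
```

Escaping only changes what the browser renders: the script sends no status code of its own, so a 400 returned on submit is produced by the server before the script's output is involved and has to be diagnosed separately.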

 

 
