0

I get an internal server error with the following code... any suggestions:

<form name="user" action="this.php" method="post">
<input type="text" name="description" id="description" value="" />

<input type="submit" name="" id="" value="Edit Page"  />    
</form>

There is no other code on the page, and it self submits fine UNLESS I place a MySQL query inside the text field, such as SELECT s FROM d WHERE 1=1

Then I get the following error:

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@test.info and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I do have some .htaccess rules going on, but I don't know how that would effect a query that doesn't do anything or go anywhere...

Community
  • 1
  • 1
kylex
  • 14,178
  • 33
  • 114
  • 175
  • How does the MySQL statement get put into the .php page? – wallyk Dec 30 '09 at 23:16
  • If I type in the SQL statement in the input box. I think it's a server config issue, but I don't know where to begin to look. – kylex Dec 30 '09 at 23:20
  • Unrelated (or only marginally related, if the mod_security guess is correct, as I suspect), but you need to `htmlspecialchars` your echoing of `PHP_SELF`, the same as any other string you write into HTML. Otherwise you risk breakages and cross-site-scripting errors (even when the annoying and ineffective mod_security is turned on). – bobince Dec 31 '09 at 01:10
  • @bobince - even when i remove PHP_SELF, and specify the page, the error still occurs. – kylex Dec 31 '09 at 14:32

4 Answers4

3

Seems to be rule of the evil mod_security. Are you on shared hosting? Generally you can disable all the module or specific rules via .htaccess file.

Yaakov Shoham
  • 10,182
  • 7
  • 37
  • 45
  • You were right, it was a mod_security issue. Just had to whitelist the files being affected. – kylex Dec 31 '09 at 15:05
0

The first place to look is your webserver log files.

The second place to look is How can I prevent SQL injection in PHP? as I'd guess you are just stuffing whatever the user hands you into the SQL server without any sanitizing.

Community
  • 1
  • 1
Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • I'm not submitting anything to the SQL server. That's the weird part. There's not even a connection to the SQL server in the script. – kylex Dec 31 '09 at 05:53
0

Before execute, dump the content of $_POST[];

var_dump($_POST);

In development enviorment, it's good to enable error displaying:

display_errors(1);

Or in php.ini:

display_errors = On;
erenon
  • 18,838
  • 2
  • 61
  • 93
-1

With the limited information provided, what it sounds like is that you are sending a malformed sql query somehow, and you aren't catching the error returned by the mysql server. You need to look at what you are sending, and handle mysql errors.

Bill
  • 2,623
  • 1
  • 27
  • 41
  • Nothing is going to a SQL server... at least not through the script. The code that I showed is all that is being sent. Nothing else exists in the script. – kylex Dec 31 '09 at 05:49