
I tried to update a record with some feedback, and it gives:

Forbidden

You don't have permission to access /xxx/xxx/update.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

The MySQL query is:

mysql_query("UPDATE `table_name` SET `feedback`='".$_REQUEST['feedback']."' WHERE `cid` =xx");

The feedback is "customer is having 6 windows and 3 patio doors". Only when I remove "having" and "and" am I able to submit, because these are MySQL reserved words. I changed file permissions, but nothing works.

And the .htaccess contains

RewriteEngine On
RewriteCond %{HTTP_HOST} ^domainname\.com$ [NC]
RewriteRule ^(.*)$ http://www.domainname.com/$1 [R=301,L]
#AddType application/x-httpd-php4 .php .htm .html

# Hide images, css and js
Options -Indexes

ErrorDocument 404 http://www.domainname.com/404.html

How to solve this problem?

Raj.A
  • It does. It's the same page that I update. I removed 'having' and 'and'; now I'm able to submit. – Raj.A Oct 27 '14 at 09:39
  • If it was a MySQL error you would see it using `mysql_error` with a proper error message, so why don't you check that? Also, does your feedback have a `'` anywhere? If it does, that's why it doesn't work. Besides that, there is the SQL injection you're wide open to. – Prix Oct 27 '14 at 09:39
  • The feedback doesn't contain any `'`. When I click submit, the Forbidden error is displayed, so I'm unable to check `mysql_error` either. – Raj.A Oct 27 '14 at 10:23
  • The error is obvious: the file you're trying to access does not exist. So make sure the path is correct. – rjdown Oct 27 '14 at 11:06
  • I'm able to update without `having` and `and`, so the file path is correct. – Raj.A Oct 27 '14 at 11:28
  • @Raj.A do you have any PHP `header` near the query that redirects to some other page? Or rather, post the code that is near your UPDATE query. If you do, comment that line out to see if the error displays. – Prix Oct 27 '14 at 15:42
  • I do not have any `redirection` there. Even though I removed the `PHP` script, it displays the same error. After submitting, I could even echo a word. So I'm unable to find what the exact problem is. – Raj.A Oct 28 '14 at 05:43
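The `ErrorDocument` line in the .htaccess above uses a full URL, and the error text in the question says a second 404 was raised while Apache was trying to handle the first error. As an added example (not the question's own file), here is the same .htaccess with the error documents given as local paths, which Apache serves internally instead of redirecting to. The files `/errors/403.html` and `/errors/404.html` are assumed to exist under the DocumentRoot, and the 403 handler is an assumption, since the .htaccess shown has none. This only makes the real error page visible; it does not by itself remove the 403.

```apache
# Added example, not the .htaccess from the question: error documents as
# local paths so Apache serves them internally and keeps the real status.
# /errors/403.html and /errors/404.html are assumed to exist under DocumentRoot.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^domainname\.com$ [NC]
RewriteRule ^(.*)$ http://www.domainname.com/$1 [R=301,L]

# Hide images, css and js
Options -Indexes

# A full URL here (as in the question) makes Apache answer with a 302 redirect
# to that page, so the client never sees the 404 status itself. A local path
# is served in place of the failed request, with the 404 status preserved.
ErrorDocument 404 /errors/404.html

# "Additionally, a 404 Not Found error was encountered while trying to use an
# ErrorDocument to handle the request" is what Apache prints when the handler
# configured for the original status (here 403) points to a local path that
# does not exist. No 403 handler appears in the .htaccess shown, so it is
# inherited from the server or virtual-host configuration; overriding it here
# with a file that exists makes the actual 403 page appear instead of the
# double error.
ErrorDocument 403 /errors/403.html
```

To confirm which document is being used, request a path that is known not to exist and check that the response carries status 404 rather than 302; then reproduce the feedback submission and check that the response is a plain 403 with the `/errors/403.html` body.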

1 Answer


This is caused because the value in $_REQUEST['feedback'] contains MySQL keywords that are not escaped correctly.

The following should fix your problem, although I would advise against passing data straight from the request and opening the application to SQL injection.

$query = sprintf("UPDATE `table_name` SET `feedback`='%s' WHERE `cid` ='xx'",
        mysql_real_escape_string($_REQUEST['feedback']));
mysql_query($query);

While the above code should fix your problem at hand, please read this Stack Overflow question on why you should move away from the traditional mysql_ functions and start using PDO methods and prepared statements.

dnshio
  • Tried this but still get the same result. Also stored it in a variable and passed it to the query. – Raj.A Oct 27 '14 at 09:49
  • Please try again; I've edited the query so that xx is in single quotes. I think the reason for your issues is that the MySQL query fails and your application's error handler is non-existent, which causes the 404. – dnshio Oct 27 '14 at 09:53
  • Doesn't work! Actually, the `xx` is an integer, so I can't use single quotes. In that case it should not update anything, but it does. Also, before executing the query it stops and displays the Forbidden error when I use `having` and `and` in the feedback textarea box. – Raj.A Oct 27 '14 at 10:31
  • Right. Well, I think you would be able to debug this better if you could actually view the exact error. Please correct your `ErrorDocument` configuration in the Apache configs (.htaccess file). I suggest removing the `ErrorDocument` directive while in development. – dnshio Oct 27 '14 at 10:42
  • The root problem is a MySQL error (the OP stated that his script works when the query does not contain MySQL keywords). When the error occurs, the webserver tries to display an error page using Apache's ErrorDocument, but the webserver configuration points to an error handler file that does not exist, causing a 404. So he should both fix the Apache configuration (most probably in the .htaccess file) and the root PHP/MySQL problem. – dnshio Oct 27 '14 at 11:55
  • I have a `404` error page and also an `error_log`, but I get nothing in `error_log`. For other errors I'm able to see them in the log file. – Raj.A Oct 28 '14 at 05:47
  • Can you please give us the content of your .htaccess file, or the directive configuration in your vhosts file for the dir in question? – dnshio Oct 28 '14 at 09:21
  • `RewriteEngine On RewriteCond %{HTTP_HOST} ^domain\.com$ [NC] RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L] #AddType application/x-httpd-php4 .php .htm .html # Hide images, css and js Options -Indexes ErrorDocument 404 http://www.domain.com/404.html` This is the content of my `.htaccess` file. – Raj.A Oct 28 '14 at 11:30
  • This looks like a boilerplate .htaccess file with all the example values still present. Try renaming it to backup.htaccess for now so that you can see the actual error thrown by PHP. – dnshio Oct 28 '14 at 14:42
  • Yes, renamed and checked again. The page is not redirected (the URL remains the same, `update.php`) and it displays the Forbidden error on a blank page; nothing else is there. – Raj.A Oct 29 '14 at 05:04
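The answer recommends PDO with prepared statements. The following is an added example, not the answer's or the asker's code, that rewrites the UPDATE from the question as a prepared statement with `cid` bound as an integer (the comments say it is an integer column) and PDO configured to throw on SQL errors, so a failing query produces a logged exception instead of silently doing nothing. The DSN, the credentials and reading `cid` from the POST body are assumptions; the table and column names are the ones in the question. This removes the SQL injection the comments point out, but a 403 that still appears after the PHP script has been removed, as the last comment on the question reports, is returned by the web server before the script runs, and this change alone will not make it go away.

```php
<?php
// Added example, not code from the question or the answer: the UPDATE from
// the question rewritten with PDO and a prepared statement. The DSN and
// credentials are placeholders; reading cid from the POST body is an
// assumption (the question hardcodes it as xx).

declare(strict_types=1);

function updateFeedback(PDO $pdo, int $cid, string $feedback): int
{
    // The SQL text contains no user data. The values travel to the server
    // separately from the statement, so reserved words such as HAVING or
    // AND, quotes, or anything else in $feedback cannot alter the query.
    $stmt = $pdo->prepare(
        'UPDATE `table_name` SET `feedback` = :feedback WHERE `cid` = :cid'
    );
    $stmt->bindValue(':feedback', $feedback, PDO::PARAM_STR);
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT); // integer column, per the comments
    $stmt->execute();

    // Rows affected: 0 means no row matched or the stored value was unchanged.
    return $stmt->rowCount();
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=dbname;charset=utf8mb4', // assumed DSN
    'dbuser',                                             // assumed credentials
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // SQL errors become exceptions
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Read only from the POST body (not $_REQUEST, which also accepts GET and
// cookie values) and validate the id before it reaches the query.
$feedback = $_POST['feedback'] ?? '';
$cid      = filter_var($_POST['cid'] ?? '', FILTER_VALIDATE_INT);
if ($cid === false) {
    http_response_code(400);
    exit('invalid cid');
}

try {
    $rows = updateFeedback($pdo, $cid, $feedback);
    echo $rows === 0 ? 'no record updated' : 'feedback saved';
} catch (PDOException $e) {
    // Keep the SQL error detail in the server log; do not echo it to the client.
    error_log('feedback update failed: ' . $e->getMessage());
    http_response_code(500);
    exit('update failed');
}
```

With `PDO::ERRMODE_EXCEPTION` set, a query that fails (wrong column name, bad value, connection loss) is reported in the server's error log with the MySQL message, which addresses the "nothing in `error_log`" observation for the database side; the exact text of the feedback, including `having` and `and`, is irrelevant to whether the statement parses, since it never becomes part of the SQL.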