"You don't have permission to access /news.php on this server." But only sometimes

Question

There is an identical question to this issue from October, but it's unanswered. I'm not sure what the protocol is for that.

I'm working on a site purely for fun and to learn some PHP. This includes a form to post "news". Most of the time it goes through fine, but sometimes it arbitrarily doesn't and I'm given the 403 error

You don't have permission to access /news.php on this server.

Searching this scenario results in a lot of people talking about something called mod_sec, which I have no idea how to deal with if the web host I'm with uses it.

Below is all the code involved, but since it usually functions perfectly it may not help. The valid username and password don't include any of the characters altered by the function.

Edit: The error occurs when hitting the form submit button. Upon accidental investigation it happens before even reaching the database connection attempt and so does have absolutely nothing to do with the PHP code.

All of the included code is located on the same page (wasn't originally, but I moved it to eliminate that angle)

This is taking place online with an actual web host, so local file conflicts and antivirus etc. aren't to blame.

The site error log merely complains about a lack of 403 or 404 page, the access log just says this:

[24/Jan/2016:05:04:56 -0500] "POST /news.php HTTP/1.1" 404 - [URL] "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

PHP:

function sanitiseText($text)
{
    $output = nl2br($text);
    $output = str_replace("'", "’", $output);
    $output = str_replace("<", "&lt;", $output);
    $output = str_replace(">", "&gt;", $output);
    $output = str_replace('"', '&quot;', $output);
    return $output;
}

$a_un = sanitiseText($_POST['un']);
$a_pw = sanitiseText($_POST['pw']);

$mysql_admin = new mysqli(DB_SERVER, $a_un, $a_pw, B_NAME) or 
    die("Could not access the database");


    if($_POST['postNews'])
    {   
        $newsTitle = sanitiseText($_POST['newsTitle']);

        $newsPost = sanitiseText($_POST['newsPost']);

        $query = "SELECT * FROM news ORDER BY postID DESC";

        $result = $mysql_admin->query($query);
        $info = $result->fetch_assoc();
        $pID = $info['postID'] + 1;

        $query = "INSERT INTO news(postID, title, post, posted) VALUES ('$pID', '$newsTitle', '$newsPost', NOW())";

        $mysql_admin->query($query);

        header("Location:/");
    }

HTML:

<form enctype='multipart/form-data' method='post' action='' name='newsform'>

Username: <input type="text" name="un" size="12" value=""/><br>
Password: <input type="password" name="pw" size="12" value=""/><br><br>

Title: <input type="text" name="newsTitle" size="40" value=""/><br><br>

Post:<br><textarea name="newsPost" cols="45" rows="5"></textarea><br><br>

<input type='submit' value='Make News Post' name='postNews'/>

Answer 1

Trial and error:

• Set the proper (full) page URL into the form action field. Part-done

• Show any details from your .htaccess file or similar permissions settings. None.

• Do you use any SymLinks on your filespace? No.

• I found no character encoding in your page, news.php so suggest you add character encoding to the headers and to the form with accept-charset="utf-8" inside your <form> tag.

• Just incase this is a parse error with PHP add a PHP error logging add

  ini_set('display_errors', 1); ini_set('display_startup_errors', 1); error_reporting(E_ALL);

to the top of the news.php page.

---

Recoding your HTML. I think a possible cause is that the server is getting confused by the poor quality of the HTML page, so here is a fix up of the page, (partly that and the fact I find it hard not to fix these sort of things!). Please copy/paste this as the HTML for news.php and then see how often the 403 error occurs.

It is worth noting that you do not have a 404 error, the 404 is caused by the 403 looking for a corresponding error page to display to the browser, and as you have none, there is a 404 file not found. The 404 is not important.

Code (upgraded to HTML5):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>News Page - Scissle</title>
<link href="sheet.css" rel="stylesheet" media="screen" type="text/css" /></head>
<body>
<div id="border">
</div>
<div id="content">
<center> <!-- Do not use <center> tags, use CSS-->
    <form enctype='multipart/form-data' method='post' action='http://scissle.com/news.php' name='newsform' accept-charset="utf-8">

    Username: <input type="text" name="un" size="12" value="" /><br>
    Password: <input type="password" name="pw" size="12" value="" /><br><br>

    Title: <input type="text" name="newsTitle" size="40" value="" /><br><br>

    Post:<br><textarea name="newsPost" cols="45" rows="5"></textarea><br><br>

    <input type='submit' value='Make News Post' name='postNews' />
</form>
<br>
<hr>
<table class="book"><tr class="heading"><td>Some points:

1) Encase CSS classes in quotes.
2) Remember to close html / body/head tags
3) Try to avoid blank spaces/ empty lines at the start or end of the HTML file.
4) remember to close your Form tags too.
</td></tr></table></center>
</div>
</body> 
</html>

---

From Comments:

The error occurs when hitting the form submit button. This is taking place online with an actual web host.

Therefore I would place a strong suspicion that the error is caused by the improper / inexact usage of PHP header() function, as referenced in my comments.

Replace your header block with the following:

    ...
    $mysql_admin->query($query);
    header("Location: http://scissle.com/index.php");
    exit;
    }

This will give the server an exact address to follow rather than a simple / as you currently have.

Also added an exit; after the header as recommended.