0

I have a form on an HTML webpage that sends a user's comment and name to a MySQL database table, where it is stored, and then included back onto the page. The problem is, if the user's name has an apostrophe in it, the server (I pay for hosting, it's not my server and I can't change the configuration on it) is sending them to a error page that says:

"The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873612934211694"

UPDATE:

I just completely rewrote the page using a different php format. Now the apostrophe issue and the server error is fixed. However, the page is sending blank entries to the database on every page load. Any ideas?

  <?php 
  $servername = "my_server";
  $username = "my_username";
  $password = "my_password";
  $dbname = "my_database";
  $users_name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
  $users_request = $_POST['requests'];
  if ($_SERVER["REQUEST_METHOD"] == "POST") {
     }
  try {
     $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username,
     $password);
     $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
     $conn->beginTransaction();
     $conn->exec("INSERT INTO submissions (requests, name)
     VALUES ('$users_request', '$users_name')");
     $conn->commit();
         header("Location: clv3.php");
     }
 catch(PDOException $e)
     {
     $conn->rollback();
     echo "Error: " . $e->getMessage();
     }
 $conn = null;
 ?>
<form method="POST" action="<?php echo
htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Make A Request:<br>
<textarea name='requests' id='requests'></textarea> <br>
Your Name (a-z only):<br>
<input type='text' name='name' id='name'/><br>
<input type='submit' value='Send' class='button'>  
</form>
Phaewryn
  • 23
  • 6
  • Have you tried `$users_name = "\'".$_POST['name'];` like this? – Kausha Mehta Aug 22 '17 at 07:14
  • 1
    @KaushaMehta — (a) That would have no effect on `'` characters inside the submitted data. (b) That doesn't solve the problem that the data isn't making it to the PHP in the first place. – Quentin Aug 22 '17 at 08:33
  • I'm no javascript expert but a quick search I found [onsubmit](https://www.w3schools.com/jsref/event_onsubmit.asp) – ryantxr Aug 23 '17 at 00:15
  • @KaushaMehta that does not work, it still goes to the same error page. – Phaewryn Aug 23 '17 at 04:02
  • @ryantxr I have tried a few versions of that, but I can't get anything to work piecing together code snippets from here and there. The problem seems to be that that javascript actually runs at the same time as the submit runs, thus, it's still going to the server error page because it's not fixing the apostrophe before it submits the form. So then I tried to make it trigger on the name field losing focus, nope, I found onkeyup, but the fact is, I do not know enough javascript to write a functioning script that replaces ' with '. Feel free to keep offering links to tutorials that may help – Phaewryn Aug 23 '17 at 04:25
  • See this https://stackoverflow.com/questions/4517366/change-form-values-after-submit-button-pressed#4517530 – ryantxr Aug 23 '17 at 04:32
  • @ryantxr That looks like it has potential. Time to sleep, I'll play around using that info tomorrow. Thanks. – Phaewryn Aug 23 '17 at 05:15

2 Answers2

-1

Ever heard of SQL injection? This is one you create...

Always escape your data! You are now pushing data given by user directly into database.

$name = mysqli_real_escape_string($conn, $_POST['name']);
$comments = mysqli_real_escape_string($conn, $_POST['comments']);

Also you can encode special chars before insert, and decode when showing

eL-Prova
  • 1,084
  • 11
  • 27
  • The server (presumably via something like mod_security) is blocking the data before it even gets to PHP. You can't fix the problem using PHP so this doesn't address the problem. – Quentin Aug 22 '17 at 08:32
  • @eL-Prova Yes, of course I know I need to secure the form, currently it is not public-facing and I'm working on one problem at a time. I added: $requests = mysqli_real_escape_string($link, $_POST['requests']); I'm not sure where I would place the items you suggest into the code, can you post the whole code snippet with them placed in the correct location? – Phaewryn Aug 22 '17 at 23:11
  • @Quentin Do you think I could do some magic with javascript to replace the apostrophes with a ' on focusout or some such action in the input field? I don't know javascript, but it seems like it might be possible? – Phaewryn Aug 22 '17 at 23:15
  • @eL-Prova HOW can I encode the special characters BEFORE they are submitted via the form (it can't be before they are inserted into the database, as it's never making it to the database, it needs to be triggered BEFORE it is sent). Maybe javascript to copy the characters to a hidden secondary input with a str.replace between the two. How do you say "if the user inputs ', then send through this filter and copy to the conversion to the secondary field and input that field with the submit instead? It should be possible, but I don't know scripting enough to figure out how to write the code. – Phaewryn Aug 23 '17 at 04:00
  • @Phaewryn https://www.w3schools.com/jsref/jsref_encodeuri.asp can help you. What you correcly said, javascript should encode so it goes encoded over the line. However I expect you can also get the value correctly on the server side where you can encode it, am I correct? – eL-Prova Aug 24 '17 at 07:11
  • @eL-Prova I'm using a POST function not a get function, so I don't think encoding the uri is going to do anything. I don't know what you mean by getting the value on the server side. No I can't submit to the server at all if the input has a special character in it, it is blocked by the server security software the moment it is submitted. That is the problem I am trying to solve. – Phaewryn Aug 24 '17 at 20:48
-1

Did you perhaps try:

encodeURI(yourString)

Then on php side you do:

url_decode($_POST['myVariable'])
Alen Šimunic
  • 555
  • 1
  • 7
  • 19