I have a PHP document in which a user selects variables that are then posted to another PHP document that uses fputcsv to initiate a browser download of a CSV file that is populated by a pgsql query. This was working fine but it has suddenly stopped and is resulting in a 405 Not Allowed error... I understand that this means that the method is not allowed but I'm not sure why this would suddenly be the case. Some research suggested that my ISP may be to blame so I tried through my mobile hot spot and got the same result. I have tested in multiple browsers and none of them are working. The DB is served by AWS.

```php
<?php
// show error messages
ini_set('error_reporting', E_ALL);
ini_set("display_errors", 1);

// Read the posted form values
$datea = $_POST["userDatea"];
$media = $_POST["userMedia"];
$datez = $_POST["userDatez"];
// Build a quoted, comma-separated list of LIKE patterns: 'name1%','name2%'
$media_names = "'".implode("%','", $media)."%'";
//print_r($_POST);

//var_dump($media_names);

if (!empty($_SERVER['REQUEST_METHOD']) && (strcasecmp($_SERVER['REQUEST_METHOD'], 'post') === 0)) {
    // Create connection
    $conn = pg_connect("host= dbname= user= password="); //deleted info for security

    // Check connection
    if (!$conn) {
        echo "Did not connect.\n";
        exit;
    }

    // The posted values are interpolated directly into the SQL string
    $result = pg_query($conn,
    "SELECT
    p.store,
    Count(b.starttime) as Plays

    FROM
    public.billing b,
    public.medias m,
    public.players p

    WHERE
    b.mediaitemid = m.id and
    p.id = b.playerid and
    m.name LIKE any (array[$media_names]) and
    b.starttime >= date('$datea') and
    b.starttime < date('$datez')+1 and
    m.startdate > '2015-01-01'

    GROUP BY
    p.store

    ORDER BY
    p.store;");

    if (!$result) {
        echo "Query failed.\n";
        exit;
    }

    // Collect the column names for the CSV header row
    $num_fields = pg_num_fields($result);
    $headers = array();

    for ($i = 0; $i < $num_fields; $i++)
    {
        $headers[] = pg_field_name($result, $i);
    }

    // Stream the CSV straight to the response body
    $fp = fopen('php://output', 'w');
    if ($fp && $result)
    {
        header('Content-Type: text/csv');
        header('Content-Disposition: attachment; filename="'.$_POST['filename'].'.csv"');
        header('Pragma: no-cache');
        header('Expires: 0');
        fputcsv($fp, $headers);

        while ($row = pg_fetch_row($result))
        {
            fputcsv($fp, array_values($row));
        }
        die;
    }
    exit('It works');
}
?>
```
KevMoe
  • Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**pgsql**](http://us3.php.net/manual/en/function.pg-prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Oct 05 '17 at 16:31
  • Does it matter that the post data is not anything that is written by the user, they are selected from an options menu? Would this cause the not allowed error? If so, why all of a sudden? – KevMoe Oct 05 '17 at 16:37
  • Nope, doesn't matter. Options menu is client-side and can be changed arbitrarily by the user. It is probably not related to your 405 issue. – Alex Howansky Oct 05 '17 at 17:15
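
The bound-parameter form recommended in the comments above, applied to the query from the question. This is an added example, not code from the asker or the commenters: `build_plays_query` is a hypothetical helper, and the `Y-m-d` date format of the form fields is an assumption.

```php
<?php
// Added example (hypothetical helper): builds the question's query with one
// placeholder per media name, so posted values never become part of the SQL text.
function build_plays_query(array $media, string $datea, string $datez): array
{
    if ($media === []) {
        throw new InvalidArgumentException('no media selected');
    }
    // Assumption: the form posts dates as YYYY-MM-DD. Round-trip to reject anything else.
    foreach ([$datea, $datez] as $d) {
        $parsed = DateTime::createFromFormat('!Y-m-d', $d);
        if ($parsed === false || $parsed->format('Y-m-d') !== $d) {
            throw new InvalidArgumentException('bad date');
        }
    }
    $params = [];
    $slots = [];
    foreach ($media as $name) {
        if (!is_string($name)) {
            throw new InvalidArgumentException('bad media name');
        }
        $params[] = $name . '%';                   // same prefix match as the original
        $slots[] = '$' . count($params) . '::text';
    }
    $params[] = $datea;
    $from = '$' . count($params);
    $params[] = $datez;
    $to = '$' . count($params);
    $sql = "SELECT p.store, count(b.starttime) AS plays
            FROM public.billing b
            JOIN public.medias m ON b.mediaitemid = m.id
            JOIN public.players p ON p.id = b.playerid
            WHERE m.name LIKE ANY (ARRAY[" . implode(', ', $slots) . "])
              AND b.starttime >= {$from}::date
              AND b.starttime < {$to}::date + 1
              AND m.startdate > '2015-01-01'
            GROUP BY p.store
            ORDER BY p.store";
    return [$sql, $params];
}

// Constructed input: the second "option" was edited client-side to carry a quote.
[$sql, $params] = build_plays_query(['Spring Promo', "x%') OR 1=1 --"], '2017-09-01', '2017-09-30');
echo $sql, "\n";
print_r($params); // the quote stays inside a bound value, not in the SQL text

// In the POST handler: $result = pg_query_params($conn, $sql, $params);
```

A `%` or `_` inside a posted name still acts as a LIKE wildcard; it widens the match but cannot change the statement.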
