
I have an admin page (consists of a textarea) and save my posts into the database by using AJAX and PHP. Sometimes AJAX returns 403, sometimes not. PHP works perfectly, but AJAX does not.

AJAX

// Pass the textarea content as a key/value pair so jQuery URL-encodes it.
// Building the string by hand ("text=" + value) leaves characters such as
// & and = unescaped, which splits or corrupts the POST body.
$.ajax({
  type: "POST",
  url: "../check/postcheck.php",
  data: { text: $("#ptext").val() },
  cache: false,
  success: function(result) {
    // some html works
  },
  error: function(error) {
    // some html works
  }
});

I noticed that when I write some special characters or some words that have meaning in SQL, I get a 403. So I decided to create a method. For example, instead of "SELECT", I write quoquoSELECTquoquo. So AJAX sends the word quoquoSELECTquoquo to PHP without error. PHP changes quoquoSELECTquoquo to "SELECT" and can save it into the database perfectly. But there are a lot of words and characters, so I have to do a lot of changes between AJAX and PHP.

  • So, as I know, this problem is related to mod_security. The server's firewall doesn't accept some words and characters. But I don't want to disable mod_security because of SQL injection. Can I disable mod_security for just a couple of files?
  • If not, is there any easy method to achieve this? I created at least 30 changes, but still get errors for some new words or simple characters. So I'm fed up with changing words and characters again and again.

Some examples of errors and successes:

AJAX sends quoquoselectquoquo, PHP changes it to "select", no error.
AJAX sends quoquoselect", PHP changes it to "select", no error.
AJAX sends "select", error 403.
AJAX sends (select), sometimes error 403, sometimes no error.
AJAX sends prnthsselect), PHP changes it to (select), no error.
AJAX sends &, error 403.
AJAX sends ndsymbl, PHP changes it to &, no error.

and the list goes on...

Phil
u238
    IIRC, mod_security sends a 406 when it bans a request, not a 403. Check your mod_security logs. This smells more like [SQL injection](https://en.wikipedia.org/wiki/SQL_injection) to me. – Alex Howansky Oct 30 '17 at 22:28
  • [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Phil Oct 30 '17 at 22:33
  • [403 Forbidden](https://en.wikipedia.org/wiki/HTTP_403) - check your logs, or ask your host for help. – random_user_name Oct 30 '17 at 22:56
  • I asked my host. They said, either they can create a whitelist for the words that cause error, or can disable mod_security completely. They were unable to create a whitelist for some pages. – u238 Oct 31 '17 at 13:40
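The comments point at SQL injection, not mod_security, as the risk to address: the quoquo/prnthss/ndsymbl substitutions only make sense if the text is being spliced into a SQL string. As an added example (not the asker's code or any project's), here is a postcheck.php that stores the posted text with a PDO prepared statement; the DSN, credentials and the posts table are assumptions.

```php
<?php
// Example handler for the AJAX POST above (added here; not the asker's code).
// The text is bound as a parameter, so the database driver never treats it
// as SQL grammar and no word or character substitution is needed.
declare(strict_types=1);

function savePost(PDO $db, string $text): int
{
    // Never build the query by concatenation, e.g.
    //   $db->query("INSERT INTO posts (body) VALUES ('" . $text . "')");
    // A prepared statement keeps the SQL fixed and passes the text separately.
    $stmt = $db->prepare('INSERT INTO posts (body, created_at) VALUES (:body, NOW())');
    $stmt->bindValue(':body', $text, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['text'])) {
    http_response_code(400);
    exit('missing text');
}

// Assumed connection details; adjust to your server.
$db = new PDO('mysql:host=localhost;dbname=blog;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

$id = savePost($db, $_POST['text']);
header('Content-Type: application/json');
echo json_encode(['id' => $id]);
```

This does not by itself stop mod_security from flagging the request body, since the text still reaches the server unchanged; identifying and narrowly excluding the rule that fires (as the answer below suggests) is a separate, server-side change.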

1 Answer


Try turning off Mod Security and see if that works. I recently had trouble getting 403 errors from an AJAX call to a PHP script - it would give a 403 if the content of the post contained the word 'include'. Turning off mod-security got it working until we found the rule that was at fault.