
bstory is a contenteditable div, and typing inside it sends the content to a remote database.
Everything works except that if the content is, for example, session_start, I get a 403 error in the console.
On the PHP side I'm using PDO.
Inside this table I want to store code snippets from various programming languages, but obviously there is a flag, even if PDO is used.

How can I do this, please?

$('#bstory').on('input', function(){
    let id = get_id();
    let story = $(this).text().trim();
    $.post('pro.php', {fn: 'bstory_input', args:[id, story]}, function(data){  // line 183
        console.log(data);  // error
    });
});

PHP:

function bstory_input($id, $story){
    global $db;  // PDO connection opened elsewhere
    // Named placeholders: the story text is bound as data, never spliced into the SQL
    $sq = "update nts set story = :astory where id = :aid";
    $st = $db->prepare($sq);
    $st->execute([
        ":astory" => $story,
        ":aid" => $id
    ]);
}

so typing letters - session_start - no problem
but - session_start - gives the error

Console:

POST https://example.com/pro.php 403

Expanding the error content in the console:

send    @   jquery.min.js:2
ajax    @   jquery.min.js:2
w.<computed>    @   jquery.min.js:2
(anonymous) @   index.js?1642744838:183
dispatch    @   jquery.min.js:2
y.handle    @   jquery.min.js:2
provance
  • Shot in the dark, looks like your code may be susceptible to an injection attack, perhaps certain words are confusing the SQL and causing the DB to throw an error, try looking at [this](https://stackoverflow.com/questions/7744912/making-a-javascript-string-sql-friendly/7760578) post and see if that helps – Patrick Barr Jan 20 '22 at 23:04
  • @PatrickBarr - half of the web is about glorifying PDO security. And now - what? Anyway - thanks a lot – provance Jan 20 '22 at 23:13
  • Can you provide an example of input being passed? Also is a WAF in place, and/or any XSS injection headers in use (e.g. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)? – user3783243 Jan 20 '22 at 23:18
  • @PatrickBarr What injection type are you referring to? A prepared statement would quote the input and escape anything being bound. SQL syntax should not make a difference..that would defeat prepared statements. – user3783243 Jan 20 '22 at 23:19
  • @user3783243 - `session_star` - no problem, but `session_start` - error - regardless of what content is before or after this string – provance Jan 20 '22 at 23:32
  • `session_star` is not a thing. `session_start` is, but it's unrelated to what you posted. What is the error? The issue is a 403 being served or a PHP error? – user3783243 Jan 21 '22 at 03:17
  • @user3783243 - see my update, pls – provance Jan 21 '22 at 06:11
  • That is just a network request and the forbidden status code. What does the network tab show for form data, and request and response headers? – user3783243 Jan 21 '22 at 13:11
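The point user3783243 makes in the comments (a prepared statement binds the value as data, so SQL or PHP syntax inside it cannot change the query) can be checked in isolation. The script below is an added example, not the asker's code: it reuses the table and column names from the question (`nts`, `id`, `story`) against an in-memory SQLite database, and the snippets it stores are constructed. If values like `session_start();` round-trip here byte-for-byte, the 403 is being produced before `bstory_input()` ever runs, which is why the comment thread points at the request and response headers in the network tab rather than at PDO.

```php
<?php
// Added example (not from the question): stores code- and SQL-looking text
// through a PDO prepared statement and reads it back unchanged.
// Assumptions: an in-memory SQLite database stands in for the remote one;
// table "nts" with columns "id" and "story" mirrors the question.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE nts (id INTEGER PRIMARY KEY, story TEXT)");
$db->exec("INSERT INTO nts (id, story) VALUES (1, '')");

// Same update as bstory_input() in the question, with the connection passed in
// instead of a global; the placeholders are bound as parameters, not interpolated.
function bstory_input(PDO $db, int $id, string $story): void {
    $st = $db->prepare("UPDATE nts SET story = :astory WHERE id = :aid");
    $st->execute([':astory' => $story, ':aid' => $id]);
}

// Reads the stored text back so the round-trip can be compared.
function read_story(PDO $db, int $id): ?string {
    $st = $db->prepare("SELECT story FROM nts WHERE id = :aid");
    $st->execute([':aid' => $id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['story'];
}

// Constructed sample snippets: to PDO these are opaque strings, nothing more.
$snippets = [
    "<?php\nsession_start();\n\$_SESSION['user'] = 'alice';",
    "'; DROP TABLE nts; --",
    "SELECT * FROM nts WHERE id = 1 OR 1=1",
];

foreach ($snippets as $snippet) {
    bstory_input($db, 1, $snippet);
    $stored = read_story($db, 1);
    // Strict comparison: the value must come back byte-for-byte identical.
    printf("%-45s %s\n", json_encode($snippet), $stored === $snippet ? 'stored verbatim' : 'MISMATCH');
}

// The table still exists and still holds exactly one row, i.e. the quoted
// "DROP TABLE" text was stored, not executed.
$count = (int) $db->query("SELECT COUNT(*) FROM nts")->fetchColumn();
echo "rows in nts: $count\n";
```

Run it with `php example.php` on any PHP build with the pdo_sqlite extension. Every snippet prints `stored verbatim` and the row count stays at 1; a request that never reaches this code, as a bare 403 with no PHP output suggests, has to be traced at the HTTP layer (the response headers and body of the 403) rather than in the database code.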

0 Answers