  1. #1

    Problem with passing query strings via GET that contain URLs

    Hi all - I have a PHP app that calls another page and passes a user entered URL (from a form) as a GET.

    An example of the query string is :

    hxxp://mydomain.com/admin/main.php?dUrl=http%3A%2F%2Fexample.com

    On one of my servers (using Apache/Cpanel) it works just fine!

    If I install the same software on another of my servers (Apache/Cpanel again) from a different hosting company it doesn't work!

    It comes up with the following error :

    Code:
    Forbidden
    
    You don't have permission to access /admin/main.php on this server.
    
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    Apache mod_qos/9.69 mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at mydomainname.com Port 80
    If I take the % coded chars out of the url so it looks like this :

    hxxp://mydomain.com/admin/main.php?dUrl=httpexample.com

    Then it will work just fine. It is obviously a config thing on the server as it works perfectly on my server from my other host. Thing is, this script is going to be distributed to people with a wide collection of servers so I really need to solve it programmatically rather than by altering server settings.

    Does anyone have any ideas please?
    Last edited by spman; 11-23-2011 at 05:59 PM.

  • #2
    God Emperor Fou-Lu's Avatar
    This doesn't appear to be a problem with PHP. It appears to be a problem with your host, as the error specifies a privilege issue on a specific script. Could potentially be a rewrite issue, but doesn't appear to be.
    I assumed as well that your URL was encoded with urlencode or a similar method. Since it's a link, it gets truncated by text here. The link itself appears wrong here though, so you may want to verify that it has indeed been encoded first.

  • #3
    Quote Originally Posted by Fou-Lu View Post
    This doesn't appear to be a problem with PHP. It appears to be a problem with your host, as the error specifies a privilege issue on a specific script. Could potentially be a rewrite issue, but doesn't appear to be.
    I assumed as well that your URL was encoded with urlencode or a similar method. Since it's a link, it gets truncated by text here. The link itself appears wrong here though, so you may want to verify that it has indeed been encoded first.
    Hi Fou-Lu - Thank you for the reply.

    I have copied and pasted the URL string from the browser bar (I only put the HXXP in to stop the BB software from encoding it as a link - forgot about the tick box LOL)

    Basically, the URL is passed from an HTML form as follows :

    Code:
    <form name="urlform" method="GET" action="main.php">
    <input type="text" value="" name="dUrl" />
    <input type="submit" name="func" value="Next" />
    (form code modified for brevity)

    If I type (for example) "http://example.com" into the text box on the form then (on submit) it calls 'main.php' with the following querystring :

    http://mydomain.com/admin/main.php?dUrl=http%3A%2F%2Fexample.com

  • #4
    NOTE: Worth noting I have replaced the actual domain name with mydomain.com everywhere in my posts (including in the server generated error message) for the sake of simplicity.

  • #5
    God Emperor Fou-Lu's Avatar
    yep, no that's fine. The default action of a form is to send an enctype of application/x-www-form-urlencoded. So this is fine.
    Sounds to me like something else is happening, which will be server related and not PHP related.

  • #6
    Quote Originally Posted by Fou-Lu View Post
    yep, no that's fine. The default action of a form is to send an enctype of application/x-www-form-urlencoded. So this is fine.
    Sounds to me like something else is happening, which will be server related and not PHP related.
    I suspect you are correct LOL! However I just don't understand what!

    I have created two simple files on the server - test.php and main.php.

    The contents are as follows :

    test.php:
    Code:
    <html>
    <head></head>
    <body>
    <form name="urlform" method="GET" action="main.php">
    Enter text :
    <input type="text" value="" name="dUrl" />
    <input type="submit" name="func" value="Next" />
    </form>
    </body>
    </html>
    main.php:
    Code:
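    <?php
    // Escape on output so the user-supplied value cannot inject markup into the page.
    $dUrl = isset($_GET["dUrl"]) ? $_GET["dUrl"] : "";
    echo ("The data is : " . htmlspecialchars($dUrl, ENT_QUOTES, "UTF-8"));
    ?>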
    If I run test.php and enter a string such as "testing" then it works perfectly. If I enter, for example, "http: //ford.com" then the 403 happens! This just shouldn't happen and I am really tearing my hair out now LOL!

    HOWEVER: If I change the method from GET to POST it works perfectly! This is just weird now!

    EDIT: However, due to other aspects of the code I can't just change all the GETs to POSTs, as I have one section of the program that is accessed by an HREF link and passes data (URL data) via a querystring, so it has to use the GET method!
    Last edited by spman; 11-23-2011 at 11:43 PM.

  • #7
    Just noticed that exactly the same problem was had by another poster. He is also using the same hosting provider (hostgator) as me!

    Here is the link : http://www.codingforums.com/showthread.php?t=233958

    He asked the host to change a mod_security rule and it solved the problem - Thing is, I would really like to get over this in code somehow as I can't be sure of the level of technical ability of the people who will be getting this script.

  • #8
    God Emperor Fou-Lu's Avatar
    Lol forgot about that one.
    BTW, if you can, try posting it instead of sending it through GET. To me, it sounds like for whatever reason hostgator is shaping your input, which they should not be doing. I'd personally rule them out as a potential host just for this reason, and I wouldn't explicitly make a generic script just to work with them.

  • #9
    Quote Originally Posted by Fou-Lu View Post
    Lol forgot about that one.
    BTW, if you can, try posting it instead of sending it through GET. To me, it sounds like for whatever reason hostgator is shaping your input, which they should not be doing. I'd personally rule them out as a potential host just for this reason, and I wouldn't explicitly make a generic script just to work with them.
    Hi Fou-Lu,

    Yup, POST rather than GET works perfectly! I have also noticed that if I have the same url and query string as a link it works perfectly, simply because the querystring contains the actual 'http://' chars rather than the escaped version of the colon and slashes that the form passes in the query string.

    So, it would seem, that hostgator just doesn't allow the escaped chars - It really is weird and I would have expected better from such a huge hosting company as hostgator!

  • #10
    Why not just base64_encode() the urls before putting into the url as a parameter? - Then on the server side when clicked you can just base64_decode() and get the original value from it.

    Job done.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #11
    God Emperor Fou-Lu's Avatar
    Quote Originally Posted by tangoforce View Post
    Why not just base64_encode() the urls before putting into the url as a parameter? - Then on the server side when clicked you can just base64_decode() and get the original value from it.

    Job done.
    This sounds like a good approach to try as well, but it may depend on where the issue first crops up. With the description of the problem, I'd expect a standard get method form wouldn't operate correctly since you cannot encode in base64 during the submission phase. Beyond that, yes I'd expect (at least hope :P) that the base64 wouldn't be shaped.
    Ultimately I'd say the problem is still the host's shaping.

    Edit:
    Actually wait a sec. What does the multipart/form-data do with the data? Does it encode string input still under standard url-encode, or does it move it to base64 encode?
    Last edited by Fou-Lu; 11-24-2011 at 04:45 PM.

  • #12
    Quote Originally Posted by tangoforce View Post
    Why not just base64_encode() the urls before putting into the url as a parameter? - Then on the server side when clicked you can just base64_decode() and get the original value from it.

    Job done.
    Quote Originally Posted by Fou-Lu View Post
    This sounds like a good approach to try as well, but it may depend on where the issue first crops up. With the description of the problem, I'd expect a standard get method form wouldn't operate correctly since you cannot encode in base64 during the submission phase. Beyond that, yes I'd expect (at least hope :P) that the base64 wouldn't be shaped.
    Ultimately I'd say the problem is still the host's shaping.

    Edit:
    Actually wait a sec. What does the multipart/form-data do with the data? Does it encode string input still under standard url-encode, or does it move it to base64 encode?
    Good ideas guys about the base64 encoding (and I am sure it would work) but it can't be done because, as Fou-Lu says, you can't really do anything in the form submission phase as far as PHP is concerned - I suppose I could do it in Javascript and store the encoded string to a hidden field when the input field loses focus but that would still leave the original input field passed in the querystring which would break it again! Arrgghhh LOL!
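
The base64 idea from posts #10 to #12, sketched as an added example (not code from any poster in this thread): the client builds the query string from the encoded value only, so the raw field is never sent, and the receiving side validates what it decodes, because a filter that only looks at the raw query string does not see the decoded URL. The names `encodeParam`, `buildTarget`, `decodeParam` and the `dUrlB64` parameter are hypothetical; in the thread's PHP app the receiving half would be written with `base64_decode()` plus equivalent checks.

```javascript
// Added example: encodeParam, buildTarget, decodeParam and "dUrlB64" are
// hypothetical names, not part of the original thread.

// Encode as base64url so the query string carries no '%', ':', '/', '+' or '='.
function encodeParam(value) {
  const bytes = new TextEncoder().encode(value);
  const bin = String.fromCharCode(...bytes);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the request URL from the encoded value only, so the raw text field
// never appears in the query string. In a browser this would be called from
// the form's submit handler after preventDefault().
function buildTarget(action, rawUrl) {
  return action + "?dUrlB64=" + encodeParam(rawUrl);
}

// Receiving side: decode, then enforce the checks the application relies on.
// Returns the normalized URL, or null if the token is not acceptable.
function decodeParam(token) {
  if (typeof token !== "string" || !/^[A-Za-z0-9_-]+$/.test(token)) return null;
  const b64 = token.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  try {
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    const url = new URL(text); // throws on malformed input
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    if (url.username || url.password) return null; // no embedded credentials
    return url.href;
  } catch (e) {
    return null;
  }
}
```

The decoded value is still user input: it needs the same output escaping as any other request parameter before it is echoed into a page.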

  • #13
    I've resigned myself to rewriting the code using POST instead of GET - The few HREF links that pass URLs in querystrings actually pass them un-escaped so they work just fine!

    I just hate having to rewrite code because certain hosts are too draconian with their security measures!

