Can AJAX pass the string "select from"?


Post by Dr.Goodvibes »

It's got to be the dumbest question I've asked, but it's driving me nuts.

After much debugging I found the reason my form data was not being submitted was because a textarea field has the words (string) "select from" as in, "select from the colour list", located in it.

I created a small test script in the hope that someone can look at it and see where I've gone wrong and help me out.

The script is not big and it's not smart but it defines the problem.
If I remove the Content-Type: application/x-www-form-urlencoded header the script works and it passes the string "select from", but I'm not sure that's the answer.

It seems that any other combination of the English language is fine and can be passed without problems.

File: sendAjaxClient.php


 
<?php
 
 // Get the current directory.
 $uri=pathinfo($_SERVER["REQUEST_URI"],PATHINFO_DIRNAME);
 
?>
<html>
<head>
<title>AJAX test</title>
 
<script type="text/javascript" >
 
function updateConnection(){
 
  // If you try to pass 'select from' as a POST variable it fails. 
  // Anything else seems to pass.
  // Tested in FF 3.5.3, IE 8 and Opera 10.0
 
  var p = 'var1='+encodeURIComponent('select from');
 
  var xhr=new XMLHttpRequest();
  if(xhr.readyState==4||xhr.readyState==0){
    try{
      xhr.onreadystatechange =function(){
        return function(){
          if(xhr.readyState==4&&xhr.status==200){
            try{updateCompleted(xhr.responseXML);}
            catch(e){alert('XHR Error: '+e.message);return false;}
          }
        }
      }();
      xhr.open("POST","<?php echo $uri?>/sendAjaxServer.php",true);
      xhr.setRequestHeader("X-Requested-With","XMLHttpRequest");
      xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
      xhr.send(p);
    }catch(e){alert('XHR Error: '+e.message);return false;}   
    
  }
 
  alert("AJAX readyState: "+xhr.readyState);
 
  return false;
}
 
function updateCompleted(resp){
 
  var xres = resp.documentElement;
  var msg=xres.getAttribute("msg");
 
  alert("Operation successful.\r\n\r\n"+msg+"\r\n\r\n");
} 
 
</script>
</head>
<body>
<form name="f1" method="post" action="/ajaxTest" onsubmit="return updateConnection();" >
<fieldset>
<input  type="submit" name="submit" value="Submit" >
</fieldset>
</form>
</body>
</html>
 
File: sendAjaxServer.php


 
<?php
 
   $msg="AJAX returned: ";
   $posted=array();
 
    // Copy the POST variables (each() was removed in PHP 8; foreach works on all versions).
    foreach($_POST as $label => $val) {
      $posted[$label]=$val; 
    }
 
    if(isset($posted["var1"])){ 
      $varData=$posted["var1"];
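      // get_magic_quotes_gpc() no longer exists in PHP 8, so check for it first.
      if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        $varData = stripslashes($varData);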
      $msg.=$varData;
    }
    else $msg.="no data as POST var1 not found";
 
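    // Escape the echoed value so quotes or angle brackets in var1 cannot break the XML.
    $xmlResponse='<xreturn msg="'.htmlspecialchars($msg, ENT_QUOTES, 'UTF-8').'"/>'; 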
 
    header('Expires: Tue, 28 Jun 2005 00:30:00 GMT');
    header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
    header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
    header('Content-Type: text/xml');
 
    $doc = new DOMDocument('1.0');
    $doc->loadXML($xmlResponse);
    echo $doc->saveXML();
 
?>
 
When testing, an alert is displayed showing the current ready state. If a second alert doesn't display with a return value from the server ... something is wrong.

When I ruled out jQuery and a ton of other stuff I thought I'd implemented some sort of SQL injection parser as you could have "select ted from the rest of the text" and it still failed. If you just have "from" or "select" it passes OK.

Thank you for any help.

Post by Dr.Goodvibes »

Doh!!!

I just moved the script onto my PC and tried it there.

It works OK.

I soooo hate that.

Oh well, back to the debugging.

I hope it's not some ISP server side thing trying to be smart.

Sorry for the trouble...

Post by Weirdan »

Dr.Goodvibes wrote: I hope it's not some ISP server side thing trying to be smart.
I'm pretty sure it is a hosting issue - looks like an attempt to prevent SQL injections.

Post by VladSun »

Most probably it's Apache with Suhosin patch.
There are 10 types of people in this world, those who understand binary and those who don't

Post by Weirdan »

VladSun wrote: Most probably it's Apache with Suhosin patch.
Did you mean mod_security? I do not know of any settings in Suhosin that would cause the 'select from' string to fail the request.

Post by VladSun »

Oops, of course :)
There are 10 types of people in this world, those who understand binary and those who don't
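
To illustrate the diagnosis reached in this thread, the following added example (not code from any poster, and not an actual mod_security rule) models a server-side filter with a constructed keyword-pair pattern and replays the payloads described in the first post. The pattern, the 403 status and all function names are assumptions; the last case assumes the filter only scans bodies declared as form data, which would match the observation that removing the Content-Type header lets the request through.

```javascript
// Constructed pattern (assumption): "select", anything, then "from", as whole words.
const SQLI_PATTERN = /\bselect\b.*\bfrom\b/i;
const FORM = 'application/x-www-form-urlencoded';

// Hypothetical filter in front of the PHP script. It decodes and scans form
// arguments only when the body is declared as urlencoded form data.
function inspectRequest(contentType, body) {
  const isForm = (contentType || '').toLowerCase().startsWith(FORM);
  if (!isForm) return { status: 200, reason: 'body not parsed as form arguments' };
  for (const [name, value] of new URLSearchParams(body)) {
    if (SQLI_PATTERN.test(value)) {
      return { status: 403, reason: `argument "${name}" matched ${SQLI_PATTERN}` };
    }
  }
  return { status: 200, reason: 'no argument matched' };
}

// The thread's onreadystatechange handler acts only on status 200, so a
// rejection by the filter produces no second alert and no error message.
function clientOutcome(status) {
  return status === 200
    ? 'second alert shown'
    : `silent failure (HTTP ${status} ignored by the handler)`;
}

// Payloads taken from the first post; the statuses are produced by the model above.
const CASES = [
  { text: 'select from', contentType: FORM },
  { text: 'select ted from the rest of the text', contentType: FORM },
  { text: 'select', contentType: FORM },
  { text: 'from', contentType: FORM },
  { text: 'select from', contentType: '' }, // Content-Type header removed
];

function runCases() {
  return CASES.map(({ text, contentType }) => {
    const body = 'var1=' + encodeURIComponent(text); // same encoding as the test page
    const verdict = inspectRequest(contentType, body);
    return { text, contentType: contentType || '(none)', status: verdict.status,
             reason: verdict.reason, client: clientOutcome(verdict.status) };
  });
}

console.table(runCases());
```

When a filter like this is suspected, logging `xhr.status` for every completed request (not only 200) and checking the host's error log for the rejected request confirms it quickly.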