Page 1 of 1

Can AJAX pass the string "select from"?

Posted: Mon Oct 05, 2009 10:40 pm
by Dr.Goodvibes
It's got to be the dumbest question I've asked, but it's driving me nuts.

After much debugging I found the reason my form data was not being submitted was because a textarea field has the words (string) "select from" as in, "select from the colour list", located in it.

I created a small test script in the hope that someone can look at it and see where I've gone wrong and help me out.

The script is not big and it's not smart but it defines the problem.
If I remove the Content-Type: application/x-www-form-urlencoded header the script works and it passes the string "select from", but I'm not sure that's the answer.

It seems that any other combination of the english language is fine and can be passed without problems.

File: sendAjaxClient.php

Code: Select all

 
<?php
 
 // Get the current directory.
 $uri=pathinfo($_SERVER["REQUEST_URI"],PATHINFO_DIRNAME);
 
?>
<html>
<head>
<title>AJAX test</title>
 
<script type="text/javascript" >
 
function updateConnection(){
 
  // If you try to pass 'select from' as a POST variable is fails. 
  // Anything else seems to pass.
  // Tested in FF 3.5.3, IE 8 and Opera 10.0
 
  [color=#FF4040]var p = 'var1='+encodeURIComponent('select from');[/color]
 
  xhr=new XMLHttpRequest();
  if(xhr.readyState==4||xhr.readyState==0){
    try{
      xhr.onreadystatechange =function(){
        return function(){
          if(xhr.readyState==4&&xhr.status==200){
            try{updateCompleted(xhr.responseXML);}
            catch(e){alert('XHR Error: '+e.message);return false;}
          }
        }
      }();
      xhr.open("POST","<?php echo $uri?>/sendAjaxServer.php",true);
      xhr.setRequestHeader("X-Requested-With","XMLHttpRequest");
      xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
      xhr.send(p);
    }catch(e){alert('XHR Error: '+e.message);return false;}   
    
  }
 
  alert("AJAX readyState: "+xhr.readyState);
 
  return false;
}
 
function updateCompleted(resp){
 
  var xres = resp.documentElement;
  var msg=xres.getAttribute("msg");
 
  alert("Operation successful.\r\n\r\n"+msg+"\r\n\r\n");
} 
 
</script>
</head>
<body>
<form name="f1" method="post" action="/ajaxTest" onsubmit="return updateConnection();" >
<fieldset>
<input  type="submit" name="submit" value="Submit" >
</fieldset>
</form>
</body>
</html>
 
File: sendAjaxServer.php

Code: Select all

 
<?php
 
   $msg="AJAX returned: ";
   $posted=array();
 
    while(list($label,$val) = each($_POST)) {
      $posted[$label]=$val; 
    }
 
    if(isset($posted["var1"])){ 
      $varData=$posted["var1"];
      if(get_magic_quotes_gpc())
        $varData = stripslashes($varData);
      $msg.=$varData;
    }
    else $msg.="no data as POST var1 not found";
 
    $xmlResponse='<xreturn msg="'.$msg.'"/>'; 
 
    header('Expires: Tue, 28 Jun 2005 00:30:00 GMT');
    header('Last-Modified: '.gmdate('D, d m y H:i:s') . ' GMT');
    header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
    header('Content-Type: text/xml');
 
    $doc = new DOMDocument('1.0');
    $doc->loadXML($xmlResponse);
    echo $doc->saveXML();
 
?>
 
When testing, an alert is displayed showing the current ready state. If a second alert doesn't display with a return value from the server ... something is wrong.

When I ruled out Jquery and a ton of other stuff I thought I'd implemented some sort of SQL injection parser as you could have "select ted from the rest of the text" and it still failed. If you just have "from" or "select" it passes OK.

Thank you for any help.

Re: Can AJAX pass the string "select from"?

Posted: Mon Oct 05, 2009 10:59 pm
by Dr.Goodvibes
Doh!!!

I just moved the script onto my PC and tried it there.

It works OK.

I soooo hate that.

Oh well back to the debugging

I hope it's not some ISP server side thing trying to be smart.

Sorry for the trouble...

Re: Can AJAX pass the string "select from"?

Posted: Thu Oct 29, 2009 9:31 pm
by Weirdan
Dr.Goodvibes wrote:I hope it's not some ISP server side thing trying to be smart.
I'm pretty sure it is hosting issue - looks like an attempt to prevent sql injections.

Re: Can AJAX pass the string "select from"?

Posted: Fri Oct 30, 2009 3:22 am
by VladSun
Most probably it's Apache with Suhosin patch.

Re: Can AJAX pass the string "select from"?

Posted: Fri Oct 30, 2009 7:20 pm
by Weirdan
VladSun wrote:Most probably it's Apache with Suhosin patch.
Did you mean mod_security? I do not know of any settings in Suhosin that would cause 'select from' string to fail the request.

Re: Can AJAX pass the string "select from"?

Posted: Sat Oct 31, 2009 4:57 am
by VladSun
Oops :oops: of course :)