I've run into a little problem.
I have a form which submits data to a database. All has worked perfectly until today, when I discovered a little bug which I cannot get my head around.
If I input the word "and" followed by a numeric character (e.g. "and 10") I get a 403 Forbidden error saying
You don't have permission to access /index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
I have cleaning on the form inputs, this is the function for cleaning
function make_safe($variable) {
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}
I've tried it with and without the cleaning. Anyone any ideas on what may cause this error? I can't actually get anything from the error log because nothing is being put in there.
Edit: Full code below (Please note this is a very old project which has worked for years and this bug has only just been found!)
<?php
checksecurity(ABSENCE_ADD);
if (isset($_POST['submit'])) {
    // Escape each submitted field before it is used in SQL
    $todate = make_safe($_POST['dateto']);
    $fromdate = make_safe($_POST['datefrom']);
    $reason = make_safe($_POST['reason']);
    $comments = make_safe($_POST['comments']);
    // Swap "/" for "-" so strtotime() reads the value as dd-mm-yyyy
    $date1 = str_replace("/", "-", $fromdate);
    $newDate1 = date("Y-m-d", strtotime($date1));
    $date2 = str_replace("/", "-", $todate);
    $newDate2 = date("Y-m-d", strtotime($date2));
    // The session username is interpolated into both queries, so escape it as well
    $username = make_safe($_SESSION['username']);
    $query_user = mysql_query("SELECT * FROM users WHERE username='{$username}'");
    while ($row = mysql_fetch_array($query_user)) {
        $userid = $row['id'];
        if (empty($todate) || empty($fromdate) || empty($reason)) {
            echo ' You left out a field';
        } else {
            $query = "INSERT INTO `absences` (`id`, `fromdate`, `todate`, `reason`, `comments`, `username`, `userid` ) VALUES (NULL, '" . $newDate1 . "', '" . $newDate2 . "', '" . $reason . "', '" . $comments . "', '" . $username . "', '" . $userid . "')";
            $hello = mysql_query($query) or die(mysql_error());
            print $query; // debug output of the final statement
        }
    }
} else {
?>
<form id="form" name="form" method="post" action="#">
  <table width="820" border="0" cellspacing="0" cellpadding="0" class="content">
    <thead>
      <tr>
        <th width="820" colspan="4"><strong>Request Absence</strong></th>
      </tr>
    </thead>
    <tr>
      <td>From (dd/mm/yyyy)</td>
      <td><input name="datefrom" class="tcal"/></td>
      <td>To (dd/mm/yyyy)</td>
      <td><input name="dateto" class="tcal" /></td>
    </tr>
    <tr>
      <td>Reason</td>
      <td><select name="reason">
        <option value="Illness/Injury">Illness/Injury</option>
        <option value="Holiday">Holiday</option>
        <option value="Family Engagement">Family Engagement</option>
        <option value="School or College Commitment">School or College Commitment</option>
        <option value="Employment Commitment">Employment Commitment</option>
        <option value="Other">Other</option>
      </select> </td>
      <td>Comments</td>
      <td><input name="comments" type="text" /></td>
    </tr>
  </table><br />
  <input type="submit" name="submit" value="Add" /> <input type="reset" name="reset" value="Reset" />
</form>
<?php
}
?>
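The insert from the code above rewritten with bound parameters, as an added example that is not part of the original post: a comment such as "and 10" (or one containing a quote) is passed to the database as plain data and never becomes part of the SQL text. It assumes PDO with the pdo_sqlite driver and an in-memory database so it runs offline; `parse_uk_date()` and `add_absence()` are hypothetical names, and the schema is constructed from the columns in the post's query.

```php
<?php
// Added example, not from the original post. Assumes PDO with pdo_sqlite.
// parse_uk_date() and add_absence() are hypothetical names.

// Strict dd/mm/yyyy parse: returns Y-m-d, or null for malformed or impossible dates.
function parse_uk_date(string $value): ?string {
    $value = trim($value);
    $d = DateTime::createFromFormat('!d/m/Y', $value);
    return ($d !== false && $d->format('d/m/Y') === $value) ? $d->format('Y-m-d') : null;
}

function add_absence(PDO $db, string $username, array $post): array {
    $from = parse_uk_date($post['datefrom'] ?? '');
    $to = parse_uk_date($post['dateto'] ?? '');
    $reason = trim($post['reason'] ?? '');
    $comments = trim($post['comments'] ?? '');
    if ($from === null || $to === null || $reason === '') {
        return ['ok' => false, 'error' => 'You left out a field'];
    }
    // Values travel separately from the SQL text, so no escaping helper is needed.
    $user = $db->prepare('SELECT id FROM users WHERE username = ?');
    $user->execute([$username]);
    $userid = $user->fetchColumn();
    if ($userid === false) {
        return ['ok' => false, 'error' => 'Unknown user'];
    }
    $insert = $db->prepare(
        'INSERT INTO absences (fromdate, todate, reason, comments, username, userid)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $insert->execute([$from, $to, $reason, $comments, $username, $userid]);
    return ['ok' => true, 'id' => (int) $db->lastInsertId()];
}

// Constructed schema and sample data for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec('CREATE TABLE absences (id INTEGER PRIMARY KEY, fromdate TEXT, todate TEXT,
           reason TEXT, comments TEXT, username TEXT, userid INTEGER)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

$post = ['datefrom' => '01/02/2024', 'dateto' => '03/02/2024',
         'reason' => 'Other', 'comments' => "and 10 o'clock"];
var_dump(add_absence($db, 'alice', $post));
// The stored comment is byte-for-byte what was submitted.
echo $db->query('SELECT comments FROM absences')->fetchColumn(), "\n";
```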