I'm trying to make an AJAX request with jQuery, but I'm getting a 403 Forbidden error each time I send PHP functions. An example of what I need is this Stack Overflow comment input, which also accepts source code.
What I've done:
PHP
class Error {
    public function __construct() {
        // etc
    }
    public function comment($error_id, $content) {
        if(!$this->user->loged)
            return false;
        $error_id = $this->mysqli->real_escape_string($error_id);
        if(!is_numeric($error_id))
            return false;
        $this->mysqli->query("INSERT INTO comments
            VALUES (NULL, '" . $error_id . "', '" . $this->user->user_id . "', '" . $content . "', NULL)");
        return $this->mysqli->insert_id;
    }
}
where $content is escaped using the escapeString function inside the Common class:
    public function escapeString($text) {
        return htmlspecialchars($this->mysqli->real_escape_string($text));
    }
my JS is:
$('div.left-content').on('click', 'form.comment input[type=button]', function() {
    var $but = $(this); // declared locally; without var this leaked an implicit global
    if(!erori.user.loged) {
        showTooltip($but, 'Trebuie să fii autentificat pentru a putea comenta!');
        return false;
    }
    if($but.prev('textarea').val() == $but.prev('textarea').data("text") || $but.prev('textarea').val().trim() == '') {
        showTooltip($but, 'Completează câmpul de text pentru a putea trimite comentariul!');
        return false;
    }
    if($but.prev('textarea').hasClass('disabled'))
        return false;
    $but.attr('disabled', 'disabled');
    $but.prev('textarea').addClass('disabled');
    $.post(
        $but.parent().attr('action'),
        $but.parent().serialize(),
        function(data) {
            if(data.content) {
                $('<div class="comment"></div>').html(data.content).insertBefore($but.parent().parent());
                if($but.prev('textarea').hasClass('disabled'))
                    $but.prev('textarea').val('').trigger('blur').animate({height: '20px'}, 300);
                $but.prev('textarea').removeClass('disabled');
            }
            $but.removeAttr('disabled');
        },
        'json')
    .fail(function(xhr, textStatus, errorThrown) {
        // jQuery reports the HTTP status text here, so a 403 shows up as 'Forbidden'
        if(errorThrown == 'Forbidden') {
            showTooltip($but, 'Comentariul nu a putut fi trimis!<br />Dacă vrei să trimiți sursă de cod folosește <strong>` cod sursă `</strong>!');
            $but.prev('textarea').removeClass('disabled');
            $but.removeAttr('disabled');
            return false;
        }
    });
});
and the action code is:
$error = new Error($mysqli, $user);
$content = $common->escapeString($_POST['error_comment']);
$comment_id = $error->comment($_POST['error_id'], $content);
How do I escape the source code before sending it to the server, so that I don't get this 403 Forbidden error back?
What I'm trying to say is that if I try to comment, for example: This is my comment with <?php $sql = mysql_query(); ?>
the server throws a 403 error code!
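Two points a reviewer would raise on the code in the question. First, the action code shown never sends a 403 itself, so the rejection is most likely coming from the web server or a request-filtering layer in front of the PHP script; that is a server-side configuration question for this endpoint, and no amount of escaping in the browser changes what the filter sees as a request body. Second, the way `$content` is handled server-side is where the real hardening belongs: `escapeString` applies `htmlspecialchars` at input time, which ties the stored data to one output context, and the INSERT is still assembled by string concatenation. The following is an added example, not the asker's code, showing the same `comment()` method with a mysqli prepared statement that stores the comment verbatim (so `<?php ... ?>` is just data) and escapes it for HTML only when it is rendered. It assumes the same `mysqli` connection and `$user` object (`loged`, `user_id`) from the question and keeps the positional column order of the original INSERT; the `renderComment` helper is hypothetical.

```php
<?php
// Added example, not the asker's code. Same comment() method, rewritten with a
// prepared statement. The table's column names are not given on the page, so the
// original positional INSERT order is kept: (NULL, error_id, user_id, content, NULL).
class Error {
    private $mysqli;
    private $user;

    public function __construct(mysqli $mysqli, $user) {
        $this->mysqli = $mysqli;
        $this->user   = $user;
    }

    public function comment($error_id, $content) {
        if (!$this->user->loged) {
            return false;
        }
        // Validate the id as an integer rather than escaping it: real_escape_string
        // is for string context, and a bound integer never reaches the SQL text at all.
        if (!ctype_digit((string) $error_id)) {
            return false;
        }
        $stmt = $this->mysqli->prepare(
            "INSERT INTO comments VALUES (NULL, ?, ?, ?, NULL)"
        );
        if ($stmt === false) {
            return false;
        }
        // Bind error_id (int), user_id (int), content (string). The content is stored
        // exactly as typed; source code in a comment cannot alter the query because it
        // is sent as a parameter, not spliced into the SQL string.
        $error_id = (int) $error_id;
        $user_id  = (int) $this->user->user_id;
        $stmt->bind_param('iis', $error_id, $user_id, $content);
        $ok        = $stmt->execute();
        $insert_id = $stmt->insert_id;
        $stmt->close();
        return $ok ? $insert_id : false;
    }
}

// Hypothetical helper: escape once, at output time, for the HTML body context.
// ENT_QUOTES also covers single quotes; ENT_SUBSTITUTE avoids an empty result on
// invalid UTF-8 sequences instead of silently dropping the whole comment.
function renderComment($content) {
    return '<div class="comment"><pre>'
        . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</pre></div>';
}
```

With this version the action code passes `$_POST['error_comment']` to `comment()` unmodified and builds the JSON `content` field from `renderComment()`, so the existing client-side `.html(data.content)` keeps working and the escaping happens exactly once, in the context where it matters.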