
_POST is empty if a lot is entered into textarea in form

PHP 4.4 and PHP 5.2.3 on ubuntu.

I am running Moodle 1.5.3 and have recently had a problem when updating
a course. The $_POST variable is empty but only if a lot of text was
entered into the textarea on the form. If only a short text is entered
it works fine.

I have increased the post_max_size from 8M to 200M but this has not helped.

I have googled for an answer but have been unable to find one.

HTTP Headers on Firefox shows the content size of 3816 with the correct
data, so it's just not getting to $_POST.

Thanks for your assistance.
Oct 16 '08 #1
4 Replies


Puzzled wrote:
> PHP 4.4 and PHP 5.2.3 on ubuntu.
>
> I am running Moodle 1.5.3 and have recently had a problem when updating
> a course. The $_POST variable is empty but only if a lot of text was
> entered into the textarea on the form. If only a short text is entered
> it works fine.
>
> I have increased the post_max_size from 8M to 200M but this has not helped.
>
> I have googled for an answer but have been unable to find one.
>
> HTTP Headers on Firefox shows the content size of 3816 with the correct
> data, so it's just not getting to $_POST.
>
> Thanks for your assistance.

Hi,

3816 bytes of data in a postfield should be no problem at all. I have
posted megabytes without any problem.

I don't know the first thing about Moodle, but I suggest you try this
out again with your own simple script, and see what happens.

If you still hit a 3816 bytes for a formfield, you have found a bug in
PHP (or ubuntu).
If you can post normally: something in Moodle is causing this problem
(but I have no clue WHAT of course, since I don't know moodle.)

Please report back with your findings.

Regards,
Erwin Moller

--
Oct 17 '08 #2

On Thu, 16 Oct 2008 16:25:25 +0100, Puzzled <Pu*****@discussions.com>
wrote:
> PHP 4.4 and PHP 5.2.3 on ubuntu.
>
> I am running Moodle 1.5.3 and have recently had a problem when updating
> a course. The $_POST variable is empty but only if a lot of text was
> entered into the textarea on the form. If only a short text is entered
> it works fine.
>
> I have increased the post_max_size from 8M to 200M but this has not helped.
>
> I have googled for an answer but have been unable to find one.
>
> HTTP Headers on Firefox shows the content size of 3816 with the correct
> data, so it's just not getting to $_POST.
>
> Thanks for your assistance.

What is the HTTP status code you get? What do your server logs say?
This might be a problem with your server, not PHP.
Curtis
email: s/sig.invalid/gmail.com/;
Oct 25 '08 #3

Curtis wrote:
> Puzzled wrote:
>> Curtis wrote:
>>> On Thu, 16 Oct 2008 16:25:25 +0100, Puzzled <Pu*****@discussions.com>
>>> wrote:
>>>> PHP 4.4 and PHP 5.2.3 on ubuntu.
>>>>
>>>> I am running Moodle 1.5.3 and have recently had a problem when
>>>> updating a course. The $_POST variable is empty but only if a lot of
>>>> text was entered into the textarea on the form. If only a short text
>>>> is entered it works fine.
>>>>
>>>> I have increased the post_max_size from 8M to 200M but this has not
>>>> helped.
>>>>
>>>> I have googled for an answer but have been unable to find one.
>>>>
>>>> HTTP Headers on Firefox shows the content size of 3816 with the
>>>> correct data, so it's just not getting to $_POST.
>>>>
>>>> Thanks for your assistance.
>>>
>>> What is the HTTP status code you get? What do your server logs say?
>>> This might be a problem with your server, not PHP.
>>> Curtis
>>> email: s/sig.invalid/gmail.com/;
>>
>> The text I am testing with is a single string of characters (with html
>> tags). If I hit return every 1000 characters or so the POST works
>> correctly, but it is impossible to request that the users do this.
>
> As Erwin suggested, testing with a simple script would be a wise course
> of action, which should tell you if it's a problem with moodle or
> something else. Don't forget to report back your findings.

Thanks for the advice.

I finally traced the problem to a required file which contained an if
statement that appears to be validating text.

foreach ($_REQUEST as $key => $val)
{
    if (preg_match('/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i', $val))
    {
        exit;
    }
}

I have now amended the code to be

if (preg_match('/eval\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|include|require_once|move_uploaded_file\s*\(/i', $val))
{
    exit;
}

This should mean that it no longer matches the several lines of text
between the word "system" and the "(" in the text I was testing with.

Oct 29 '08 #4

On Wed, 29 Oct 2008 13:22:36 +0100, Puzzled <Pu*****@discussions.com>
wrote:
> Curtis wrote:
>> Puzzled wrote:
>>> Curtis wrote:
>>>> On Thu, 16 Oct 2008 16:25:25 +0100, Puzzled <Pu*****@discussions.com>
>>>> wrote:
>>>>> PHP 4.4 and PHP 5.2.3 on ubuntu.
>>>>>
>>>>> I am running Moodle 1.5.3 and have recently had a problem when
>>>>> updating a course. The $_POST variable is empty but only if a lot of
>>>>> text was entered into the textarea on the form. If only a short text
>>>>> is entered it works fine.
>>>>>
>>>>> I have increased the post_max_size from 8M to 200M but this has not
>>>>> helped.
>>>>>
>>>>> I have googled for an answer but have been unable to find one.
>>>>>
>>>>> HTTP Headers on Firefox shows the content size of 3816 with the
>>>>> correct data, so it's just not getting to $_POST.
>>>>>
>>>>> Thanks for your assistance.
>>>>
>>>> What is the HTTP status code you get? What do your server logs say?
>>>> This might be a problem with your server, not PHP.
>>>> Curtis
>>>> email: s/sig.invalid/gmail.com/;
>>>
>>> The text I am testing with is a single string of characters (with html
>>> tags). If I hit return every 1000 characters or so the POST works
>>> correctly, but it is impossible to request that the users do this.
>>
>> As Erwin suggested, testing with a simple script would be a wise
>> course of action, which should tell you if it's a problem with moodle
>> or something else. Don't forget to report back your findings.
>
> Thanks for the advice.
>
> I finally traced the problem to a required file which contained an if
> statement that appears to be validating text.
>
> foreach ($_REQUEST as $key => $val)
> {
>     if (preg_match('/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i', $val))
>     {
>         exit;
>     }
> }
>
> I have now amended the code to be
>
> if (preg_match('/eval\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|include|require_once|move_uploaded_file\s*\(/i', $val))
> {
>     exit;
> }

Might I add that any system relying on this for security is inherently and
tremendously flawed? It shouldn't be needed, and in its current form is
easily circumventable by for instance using the backtick operator (`mv
{$_FILES['name']['tmp_name']} /var/www/.htpaswd`), or doing something like:

$func = 'move_uploaded_file';
call_user_func($func,$arg1,$arg2);

(perfectly possible, as there's no /s in the preg_match)

Furthermore, it's just completely ridiculous I cannot commit text like
"feels medieval (this was in practise in the 900's) to me". (Do a search
on medireview.)

If users can supply code you will run, you either trust them, or you
don't, and you don't let them add code, just text you simply do not try to
'run'. Any halfassed try to prevent only specific actions you don't want
are better handled by disallowing functions and other php.ini and user
settings. Any inspection of the string to disallow some actions is doomed
to fail unless one employs some very heavy duty inspection from something
like parsekit_compile_string() or token_get_all() (and no, I'm not
advocating using them in production for that kind of purpose).

Moral of the story: just remove that entire bit of code, and even possibly
drop this Moodle if this is their idea of security. I see they are at
version 1.9.3 BTW, maybe they fixed this. Any reason you are not
upgrading? Especially on widely used frameworks, updating to prevent known
hacks is _very_ important.
--
Rik
Oct 30 '08 #5
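
The false positives discussed in this thread can be reproduced by running both quoted patterns over ordinary course text. This is an added example, not code from the thread or from Moodle; the sample strings are constructed and blocked() is a hypothetical helper standing in for the foreach/exit check.

```php
<?php
// Added example: compares the two blocklist patterns quoted in the thread.
// All sample inputs below are constructed for illustration.

$original = '/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i';
$amended  = '/eval\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|include|require_once|move_uploaded_file\s*\(/i';

// Long run of harmless HTML with no newline and no parenthesis in it.
$filler = str_repeat('<p>Lorem ipsum dolor sit amet.</p>', 30);

$samples = array(
    // "system" and "(" are far apart but on one line: ".*" spans the gap.
    'long single line'   => 'Our grading system is described here.' . $filler . ' (see week 3)',
    // Same text with a line break: "." stops at "\n" because the /s flag is absent.
    'same, with newline' => "Our grading system is described here.\n" . $filler . ' (see week 3)',
    // The sentence from the last reply: "medieval (" contains "eval" then "(".
    'medieval'           => "feels medieval (this was in practise in the 900's) to me",
    // A bare keyword alternative with no "(" requirement at all.
    'plain English'      => 'Fees include lunch.',
    'short note'         => 'Welcome to the course.',
);

// Hypothetical helper: true when the filter would have called exit.
function blocked($pattern, $value)
{
    return preg_match($pattern, $value) === 1;
}

printf("%-20s %-9s %s\n", 'sample', 'original', 'amended');
foreach ($samples as $label => $text) {
    printf(
        "%-20s %-9s %s\n",
        $label,
        blocked($original, $text) ? 'BLOCKED' : 'ok',
        blocked($amended, $text) ? 'BLOCKED' : 'ok'
    );
}
```

The long single-line sample is rejected only by the original pattern, which matches the symptom in the first post; the "medieval (" and "include" samples are rejected by both patterns, so the amended filter still drops legitimate submissions.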
