
_POST is empty if a lot is entered into textarea in form

PHP 4.4 and PHP 5.2.3 on ubuntu.

I am running Moodle 1.5.3 and have recently had a problem when updating
a course. The $_POST variable is empty but only if a lot of text was
entered into the textarea on the form. If only a short text is entered
it works fine.

I have increased the post_max_size from 8M to 200M but this has not helped.

I have googled for an answer but have been unable to find one.

HTTP Headers on firefox shows the content size of 3816 with the correct
data, so it's just not getting to $_POST.

Thanks for your assistance.
Oct 16 '08 #1
Puzzled wrote:
> PHP 4.4 and PHP 5.2.3 on ubuntu.
>
> I am running Moodle 1.5.3 and have recently had a problem when updating
> a course. The $_POST variable is empty but only if a lot of text was
> entered into the textarea on the form. If only a short text is entered
> it works fine.
>
> I have increased the post_max_size from 8M to 200M but this has not helped.
>
> I have googled for an answer but have been unable to find one.
>
> HTTP Headers on firefox shows the content size of 3816 with the correct
> data, so it's just not getting to $_POST.
>
> Thanks for your assistance.

Hi,

3816 bytes of data in a postfield should be no problem at all. I have
posted megabytes without any problem.

I don't know the first thing about Moodle, but I suggest you try this
out again with your own simple script, and see what happens.

If you still hit a 3816 bytes for a formfield, you have found a bug in
PHP (or ubuntu).
If you can post normally: something in Moodle is causing this problem
(but I have no clue WHAT of course, since I don't know moodle.)

Please report back with your findings.

Regards,
Erwin Moller

--
Oct 17 '08 #2
On Thu, 16 Oct 2008 16:25:25 +0100, Puzzled <Pu*****@discussions.com>
wrote:
> PHP 4.4 and PHP 5.2.3 on ubuntu.
>
> I am running Moodle 1.5.3 and have recently had a problem when updating
> a course. The $_POST variable is empty but only if a lot of text was
> entered into the textarea on the form. If only a short text is entered
> it works fine.
>
> I have increased the post_max_size from 8M to 200M but this has not helped.
>
> I have googled for an answer but have been unable to find one.
>
> HTTP Headers on firefox shows the content size of 3816 with the correct
> data, so it's just not getting to $_POST.
>
> Thanks for your assistance.

What is the HTTP status code you get? What do your server logs say?
This might be a problem with your server, not PHP.
Curtis
email: s/sig.invalid/gmail.com/;
Oct 25 '08 #3
Curtis wrote:
> Puzzled wrote:
>> Curtis wrote:
>>> On Thu, 16 Oct 2008 16:25:25 +0100, Puzzled <Pu*****@discussions.com>
>>> wrote:
>>>> PHP 4.4 and PHP 5.2.3 on ubuntu.
>>>>
>>>> I am running Moodle 1.5.3 and have recently had a problem when
>>>> updating a course. The $_POST variable is empty but only if a lot of
>>>> text was entered into the textarea on the form. If only a short text
>>>> is entered it works fine.
>>>>
>>>> I have increased the post_max_size from 8M to 200M but this has not
>>>> helped.
>>>>
>>>> I have googled for an answer but have been unable to find one.
>>>>
>>>> HTTP Headers on firefox shows the content size of 3816 with the
>>>> correct data, so it's just not getting to $_POST.
>>>>
>>>> Thanks for your assistance.
>>>
>>> What is the HTTP status code you get? What do your server logs say?
>>> This might be a problem with your server, not PHP.
>>> Curtis
>>> email: s/sig.invalid/gmail.com/;
>>
>> The text I am testing with is a single string of characters (with html
>> tags). If I hit return every 1000 characters or so the POST works
>> correctly, but it is impossible to request that the users do this.
>
> As Erwin suggested, testing with a simple script would be a wise course
> of action, which should tell you if it's a problem with moodle or
> something else. Don't forget to report back your findings.

Thanks for the advice.

I finally traced the problem to a required file which contained an if
statement that appears to be validating text.

// Abort the request if any request value matches the blacklist
foreach ($_REQUEST as $key => $val)
{
    if (preg_match('/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i', $val))
    {
        exit;
    }
}

I have now amended the code to be

if (preg_match('/eval\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|include|require_once|move_uploaded_file\s*\(/i', $val))
{
    exit;
}

This should mean that it no longer matches the several lines of text
between the word "system" and the "(" in the text I was testing with.

Oct 29 '08 #4
On Wed, 29 Oct 2008 13:22:36 +0100, Puzzled <Pu*****@discussions.com>
wrote:
> Curtis wrote:
>> Puzzled wrote:
>>> Curtis wrote:
>>>> On Thu, 16 Oct 2008 16:25:25 +0100, Puzzled <Pu*****@discussions.com>
>>>> wrote:
>>>>> PHP 4.4 and PHP 5.2.3 on ubuntu.
>>>>>
>>>>> I am running Moodle 1.5.3 and have recently had a problem when
>>>>> updating a course. The $_POST variable is empty but only if a lot of
>>>>> text was entered into the textarea on the form. If only a short text
>>>>> is entered it works fine.
>>>>>
>>>>> I have increased the post_max_size from 8M to 200M but this has not
>>>>> helped.
>>>>>
>>>>> I have googled for an answer but have been unable to find one.
>>>>>
>>>>> HTTP Headers on firefox shows the content size of 3816 with the
>>>>> correct data, so it's just not getting to $_POST.
>>>>>
>>>>> Thanks for your assistance.
>>>>
>>>> What is the HTTP status code you get? What do your server logs say?
>>>> This might be a problem with your server, not PHP.
>>>> Curtis
>>>> email: s/sig.invalid/gmail.com/;
>>>
>>> The text I am testing with is a single string of characters (with html
>>> tags). If I hit return every 1000 characters or so the POST works
>>> correctly, but it is impossible to request that the users do this.
>>
>> As Erwin suggested, testing with a simple script would be a wise
>> course of action, which should tell you if it's a problem with moodle
>> or something else. Don't forget to report back your findings.
>
> Thanks for the advice.
>
> I finally traced the problem to a required file which contained an if
> statement that appears to be validating text.
>
> foreach ($_REQUEST as $key => $val)
> {
>     if (preg_match('/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i', $val))
>     {
>         exit;
>     }
> }
>
> I have now amended the code to be
>
> if (preg_match('/eval\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|include|require_once|move_uploaded_file\s*\(/i', $val))
> {
>     exit;
> }

Might I add that any system relying on this for security is inherently and
tremendously flawed? It shouldn't be needed, and in its current form is
easily circumventable by for instance using the backtick operator (`mv
{$_FILES['name']['tmp_name']} /var/www/.htpaswd`), or doing something like:

$func = 'move_uploaded_file';
call_user_func($func,$arg1,$arg2);

(perfectly possible, as there's no /s in the preg_match)

Furthermore, it's just completely ridiculous I cannot commit text like
"feels medieval (this was in practise in the 900's) to me". (Do a search
on medireview.)

If users can supply code you will run, you either trust them, or you
don't, and you don't let them add code, just text you simply do not try to
'run'. Any halfassed try to prevent only specific actions you don't want
is better handled by disallowing functions and other php.ini and user
settings. Any inspection of the string to disallow some actions is doomed
to fail unless one employs some very heavy duty inspection from something
like parsekit_compile_string() or token_get_all() (and no, I'm not
advocating using them in production for that kind of purpose).

Moral of the story: just remove that entire bit of code, and even possibly
drop this Moodle if this is their idea of security. I see they are at
version 1.9.3 BTW, maybe they fixed this. Any reason you are not
upgrading? Especially on widely used frameworks, updating to prevent known
hacks is _very_ important.
--
Rik
Oct 30 '08 #5
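
The behaviour traced in post #4 and criticised in post #5, as an added example that is not part of the thread or of Moodle's code: it runs the two patterns quoted above over benign course text to show which inputs each one rejects, and why a line break between "system" and "(" changes the result. The sample strings and the blocked() helper are constructed for this illustration.

```php
<?php
// Added illustration: the two patterns quoted in the thread, run over
// constructed sample text to show which benign inputs each one rejects.
$patterns = [
    'original (.*)' => '/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i',
    'amended (\s*)' => '/eval\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|include|require_once|move_uploaded_file\s*\(/i',
];

// Constructed samples: ordinary course-description text, no code in any of them.
$filler = str_repeat('lorem ipsum ', 100);
$samples = [
    'one long line'      => "The grading system is explained here. {$filler}(see the appendix)",
    'same, with newline' => "The grading system is explained here.\n{$filler}(see the appendix)",
    'medieval'           => "feels medieval (this was in practise in the 900's) to me",
    'plain word'         => 'Please include your student number.',
    'short note'         => 'Welcome to the course.',
];

function blocked(string $pattern, string $text): bool
{
    // Without the /s modifier "." does not match "\n", so ".*" can only
    // bridge a keyword and "(" when both sit on the same line.
    return preg_match($pattern, $text) === 1;
}

// Print one row per (sample, pattern) pair.
foreach ($samples as $label => $text) {
    foreach ($patterns as $name => $pattern) {
        printf("%-20s %-15s %s\n", $label, $name, blocked($pattern, $text) ? 'BLOCKED' : 'ok');
    }
}
```

Because the original filter calls exit without any message, a blocked row here corresponds to the silent empty response the original poster observed.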
