I get an internal server error with the following code... any suggestions:
<form name="user" action="this.php" method="post"> <input type="text" name="description" id="description" value="" /> <input type="submit" name="" id="" value="Edit Page" /> </form>
There is no other code on the page, and it self submits fine UNLESS I place a MySQL query inside the text field, such as SELECT s FROM d WHERE 1=1
Then I get the following error:<blockquote>
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, firstname.lastname@example.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</blockquote>
I do have some .htaccess rules going on, but I don't know how that would effect a query that doesn't do anything or go anywhere...Answer1:
Seems to be rule of the evil <strong>mod_security</strong>. Are you on shared hosting? Generally you can disable all the module or specific rules via <em>.htaccess</em> file.Answer2:
The first place to look is your webserver log files.
The second place to look is <a href="https://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php" rel="nofollow">How can I prevent SQL injection in PHP?</a> as I'd guess you are just stuffing whatever the user hands you into the SQL server without any sanitizing.Answer3:
Before execute, dump the content of $_POST;
In development enviorment, it's good to enable error displaying:
Or in php.ini:
display_errors = On;Answer4:
With the limited information provided, what it sounds like is that you are sending a malformed sql query somehow, and you aren't catching the error returned by the mysql server. You need to look at what you are sending, and handle mysql errors.