403 Forbidden when passing URL in GET variable


I am having a problem like this:<br /><a href="https://stackoverflow.com/questions/1089744/403-forbidden-on-php-page-called-with-url-encoded-in-a-get-parameter" rel="nofollow">403 Forbidden on PHP page called with url encoded in a $_GET parameter</a>

I am getting a "403 Forbidden" error when I pass a URL as a GET variable like this:

<pre class="lang-none prettyprint-override">http://script/test.php?url=https://stackoverflow.com/questions/ask</pre>

But this is ok.

<pre class="lang-none prettyprint-override">http://script/test.php?url=stackoverflow.com/questions/ask</pre>

And even if I urlencode the URL, it still gives me a 403.


Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ Server at ----- Port 80


And I don't think this server has mod_security enabled, because when I add SecFilterEngine Off in .htaccess I get "500 Internal Server Error".

Code snippet:

<pre class="lang-none prettyprint-override">$URL = mysql_real_escape_string($_GET['url']);
mysql_query("INSERT INTO `url` ...");</pre>

So the question is, can I fix this without editing httpd.conf, because I don't have root privilege. Thanks


Do you have access to the Apache error log itself? If this is a cPanel system and you have shell access, try viewing the log /usr/local/apache/logs/error_log - mod_security errors will appear there. Otherwise, you can look inside your control panel to see if it picks up any error messages.

Even if mod_security is installed, you can still get a 500 error after putting SecFilterEngine in .htaccess if the keyword isn't allowed.

I recommend contacting your web host to determine whether mod_security is the cause. If it is, you can ask them to create an exception. (I work for a web hosting company, and we're almost always happy to make mod_security exceptions for reasonable applications)

If it's caused by mod_security and your web host won't create an exception, you either need to change hosting companies or find a different way to pass the URL (base64 encoding might work for you).
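
The base64 option mentioned in the answer above, sketched as an added example (not part of the original answer or the asker's script): the URL travels as a base64url token, and because mod_security no longer inspects it, the receiving script decodes strictly and validates the result itself. The function names and the length limit are assumptions.

```php
<?php
// Added example; function names and limits are hypothetical, not from the thread.

// Sender side: base64url-encode the target so no "://" appears in the query string.
function encode_url_param(string $url): string
{
    return rtrim(strtr(base64_encode($url), '+/', '-_'), '=');
}

// Receiver side: decode strictly, then validate. Returns the URL or null.
function decode_url_param(string $param, int $maxLen = 2048): ?string
{
    // Reject anything outside the base64url alphabet or implausibly long.
    if ($param === '' || strlen($param) > $maxLen
        || !preg_match('/\A[A-Za-z0-9_-]+\z/', $param)) {
        return null;
    }
    // Restore the standard alphabet and padding; strict mode rejects malformed input.
    $b64 = strtr($param, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $url = base64_decode($b64, true);
    if ($url === false) {
        return null;
    }
    // The plain URL is no longer visible to request filters, so check it here:
    // no control characters or spaces, http/https only, and a host must be present.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Constructed sample values: one accepted URL, one wrong scheme, one malformed token.
$token = encode_url_param('https://stackoverflow.com/questions/ask');
var_dump($token);
var_dump(decode_url_param($token));
var_dump(decode_url_param(encode_url_param('ftp://example.com/file')));
var_dump(decode_url_param('not base64!'));
```

The decoded value is still untrusted input for the INSERT in the question; bind it as a query parameter rather than building the SQL string from it.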


For me, the solution to this issue was getting my host (HostGator) to create an exception for mod_security on my site. mod_security is used for blacklisting certain types of operations, and it seems $_GET requests containing URLs (<a href="http://www.etc" rel="nofollow">http://www.etc</a>) were one, for whatever reason. As stated by lunixbochs, most hosts will be happy to sort it out for you.

