我从服务器得到一个错误,当我尝试做一个AJAX请求,我想不通。它是一个HTTP 406出错。据我了解,这意味着服务器无法发送的接受头部指示格式的响应。但是,从我所看到的,我是接受荷兰国际集团 * / * (通配符)。
I am getting an error from the server when I try to make an AJAX request that I cannot figure out. It is an HTTP 406 error. From what I understand this means that the server cannot send a response in the format that the Accept header indicates. But from what I can see, I am Accepting */* (wildcard).
您可以看到在这个图片我的HTTP请求的细节。 https://p.xsw88.cn/allimgs/daicuo/20230910/1326.png
You can see the details of my HTTP request in this image. https://p.xsw88.cn/allimgs/daicuo/20230910/1326.png
这是我的PHP code的页面:
This is my PHP code for the page:
<body>
<div id="container">
(snip - menu and header)
<div id="notify-saved">
<div class="width">
<span>Saved!</span>
</div>
</div>
<div id="confirm-delete">
<div id="confirm-delete-content" class="width">
</div>
</div>
<div id="nav-separator">
</div>
<div id="body" class="width">
<section id="content">
<br />
<form method="POST" id='template-form' action="post-actions.php" >
<input type='hidden' name='id' value="15" />
<input type='text' name='name' value="default-scripting" placeholder='Name' />
<br />
<br />
<input type='checkbox' name='major' id="majorminor" />
<textarea name='value' style="width:100%;"><script src="http://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script></textarea>
<br />
<br />
<button name='action' value="Update Template" id='update-button' >Update</button>
</form>
</section>
</div>
</div>
</body>
JavaScript的:
Javascript:
// Attach a submit handler to the form
$( "#update-button" ).click( function( event ) {
// Stop form from submitting normally
event.preventDefault();
// Get some values from elements on the page:
var $form = $('#template-form');
var template_id = $form.find( "input[name='id']" ).val();
var template_name = $form.find( "input[name='name']" ).val();
var template_value = $form.find( "textarea[name='value']" ).val();
var template_is_major = 'minor';
if( $( "input[name='major']" ).prop('checked') ){
template_is_major = "major";
}
var url = $form.attr( "action" );
// Send the data using post
var posting = $.post( url, { id: template_id, name: template_name, value: template_value, major: template_is_major, action: "Update Template" } );
// Show that the request has completed successfully
posting.done(function( data ) {
$('#notify-saved').slideDown(200).delay(500).slideUp(500);
});
});
另外相关的是,这个错误的只是发生在某些时候的,例如,如果提交的模板值
Also of relevance is the fact that this error only happens some of the time, for instance if the template-value submitted is
&放大器; LT;脚本src="http://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
这时会出现一个错误,但如果领导&LT; 被省略,则没有任何错误:
then there will be an error, but if the leading < is omitted, then there is no error:
脚本src="http://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
接收PHP看起来是这样的(后actions.php):
The receiving php looks like this (post-actions.php):
<?php
// ugly-@$$ anti-magicquotes hackk
if (get_magic_quotes_gpc()) {
$process = array(&$_GET, &$_REQUEST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process)) {
foreach ($val as $k => $v) {
unset($process[$key][$k]);
if (is_array($v)) {
$process[$key][stripslashes($k)] = $v;
$process[] = &$process[$key][stripslashes($k)];
} else {
$process[$key][stripslashes($k)] = stripslashes($v);
}
}
}
unset($process);
}
require_once('database.php');
$dbo = new Database();
if( isset( $_REQUEST['action'] ) ){
switch( $_REQUEST['action'] ){
(snip - many irrelevant cases)
case "Update Template":
$dbo->UpdateTemplate( $_REQUEST[DB_TEMPLATES_ID], $_REQUEST[DB_TEMPLATES_NAME],
$_REQUEST[DB_TEMPLATES_VALUE], $_REQUEST[DB_TEMPLATES_MAJOR] );
break;
}
}
和数据库类:
<?php
require_once ("config.php");
require_once ("database-contract.php");
class Database {
protected $db;
protected $pdo;
function __construct(){
$this->db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if($this->db->connect_errno > 0){
die('Unable to connect to database [' . $this->db->connect_error . ']');
}
$this->pdo = new PDO('mysql:host='.DB_HOST.';dbname='.DB_NAME.';charset=utf8', DB_USER, DB_PASS );
$this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}
function __destruct(){
$this->db->close();
$this->pdo = null;
}
$query = 'INSERT INTO `'.DB_TEMPLATES.'` ( `'.DB_TEMPLATES_NAME.'` ) VALUES ( :name )';
$stmt = $this->pdo->prepare($query);
$stmt->bindValue(":name", $name, PDO::PARAM_INT);
$stmt->execute();
}
function updateTemplate($id, $name, $value, $major ){
if( $major == "major" ){ $major = 1; }
else{ $major = 0; }
$query = 'UPDATE `'.DB_TEMPLATES.'`
SET
`'.DB_TEMPLATES_NAME.'`=:name,
`'.DB_TEMPLATES_VALUE.'`=:value,
`'.DB_TEMPLATES_MAJOR.'`=:major
WHERE
`'.DB_TEMPLATES_ID.'`=:id';
$stmt = $this->pdo->prepare($query);
$stmt->bindValue(":name", $name, PDO::PARAM_STR );
$stmt->bindValue(":value", $value, PDO::PARAM_STR );
$stmt->bindValue(":major", $major, PDO::PARAM_INT );
$stmt->bindValue(":id", $id, PDO::PARAM_INT );
$stmt->execute();
}
$query = ' DELETE FROM '.DB_TEMPLATES.'
WHERE
'.DB_TEMPLATES_ID.'=:id';
$stmt = $this->pdo->prepare($query);
$stmt->bindValue(":id", $id, PDO::PARAM_INT);
$stmt->execute();
}
(snip - irrelevant functions)
}
在前进的道路上的某些点,我认为这可能是一个字符编码的问题,但我不认为任何更多。也许这是一些奇怪的字符转义的问题?这里的其他职位似乎阿帕奇mod_security的,所以,以表明它是一个配置问题/(功能?)。我试图禁用了一些不同的东西,但没有工作,现在我只是在亏损,作为该怎么想。
At certain points along the way, I had thought this may have been a character encoding issue, but I don't think that any more. Perhaps it is some odd character escaping issue? Other posts here on SO seem to indicate it is a configuration issue / (feature?) of apache's mod_security. I tried disabling a few different things but that did not work, and now I am just at a loss as for what to think.
感谢您的帮助。
推荐答案
你有一个406,也是事实,这是基于在presence的&LT的事实; 字之前的剧本的,直接导致在行动安全过滤器。因此,的mod_security 和阿帕奇配置文件会比JS / PHP code更有助于找到根阻止规则。
The fact that you have a 406, and also the fact that this is based on the presence of the < before the word script, leads directly to a security filter in action. So mod_security and apache configuration files would be more useful than the js/php code to find the root blocking rule.
这看起来像一个反XSS过滤器。也许一个非常简单的,如:
This looks like an anti-xss filter. Maybe a very simple one like:
SecFilter "<( |n)*script"
如果你可以改变这个mod_security的配置,那么做......还是没有。这是关于安全的。也许你应该保留论文过滤器,以保护您的应用程序真的不需要的脚本注射。也许真正的解决办法是,您的正式申请表格应该不被的可疑的为mod_security的管理与服务器进行通信。在这里,您的帖子实在是太像一个跨站点脚本攻击的工具,它只是读取数据流,并检测一个javascript调用中。
If you can alter this mod_security configuration, then do that... or don't. It's about security. Maybe you should keep theses filter in place to protect your application for really unwanted script injections. Maybe the real solution is that your official application forms should manage communications with the server without being suspicious for mod_security. And here your POST is too much like a Cross Site Scripting attack for a tool which is only reading the stream and detect a javascript call inside.
例如,你可以添加一个base64编码上张贴的值(从JS)和C在PHP端的结果去$ C $,一些base64编码的js库可在github上。
You could for example add a base64 encoding on the POSTed value (from the js) and decode the result on the PHP side, some base64 encoding js libraries are available on github.
您其实可以适用于你的数据呈现该数据的HTML自由(和Javascript免费)任何转换,至少对于HTTP过滤工具。而Base64的通常是解决方案,但检查如何使用图书馆管理的UTF-8字符编码,该的真正的的base64是ASCII而已。
You could in fact apply any transformation on your data that render this data HTML-free (and Javascript-free), at least for the HTTP filtering tools. And Base64 is usually the solution, but check how the used library manage encoding of utf-8 characters, the real base64 was ascii only.
相关推荐
最新文章