I have a non-complicated issue... that seems to be more complicated than it should be.
I have a simple form that is used to add content to a website. Some of the fields need to have html inputted into them. However, when you input certain html elements into the different parts of the form, it decides that it hates you and throws a forbidden 403 error. Here is the form below:
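<?php
// Escape the id before it is interpolated into the SQL string.
$id = mysql_real_escape_string($_GET['id']);
$data = f("SELECT * FROM table WHERE id = '{$id}'");
?>
<form action="<?=htmlspecialchars($_SERVER['PHP_SELF'])?>?id=<?=urlencode($_GET['id'])?>&action=edit" method="post">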
<table cellspacing="0" cellpadding="2" border="0">
<tr>
<td><b>Title:</b></td>
<td><input type="text" name="title" style="width: 300px;" value="<?=$data['title']?>" /></td>
</tr>
<tr>
<td><b>URL:</b></td>
<td><input type="text" name="url" style="width: 300px;" value="<?=$data['url']?>" /></td>
</tr>
<tr>
<td><b>Sub-Category:</b></td>
<td>
<select name="subCategoryId">
<option value=""></option>
<option value="1">A</option>
<option value="2">B</option>
</select>
</td>
</tr>
<tr>
<td><b>Short Description:</b></td>
<td><textarea name="shortDescription" rows="6" cols="60"><?=$data['shortDescription']?></textarea></td>
</tr>
<tr>
<td><b>Template:</b></td>
<td><textarea name="template" rows="6" cols="60"><?=$data['template']?></textarea></td>
</tr>
<tr>
<td><b>Ads:</b></td>
<td><textarea name="ads" rows="6" cols="60"><?=$data['ads']?></textarea></td>
</tr>
<tr>
<td><b>Keywords:</b></td>
<td><textarea name="keywords" rows="6" cols="60"><?=$data['keywords']?></textarea></td>
</tr>
<tr>
<td><b>Questions:</b></td>
<td><textarea name="questions" rows="6" cols="60"><?=$data['questions']?></textarea></td>
</tr>
<tr>
<td><b>Salary:</b></td>
<td><textarea name="salary" rows="6" cols="60"><?=$data['salary']?></textarea></td>
</tr>
<tr>
<td><b>Jobs:</b></td>
<td><textarea name="jobs" rows="6" cols="60"><?=$data['jobs']?></textarea></td>
</tr>
<tr>
<td><b>Meta Description:</b></td>
<td><input type="text" name="metaDescription" style="width: 300px;" value="<?=$data['metaDescription']?>" /></td>
</tr>
<tr>
<td><b>Meta Keywords:</b></td>
<td><input type="text" name="metaKeywords" style="width: 300px;" value="<?=$data['metaKeywords']?>" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="submit" value="Edit Job" /></td>
</tr>
</table>
</form>
I have other forms that follow this same pattern without any trouble. To further make this even more confusing, it will only throw this error when any 2 html elements are supplied in the text area (it handles one html element just fine). The text areas are ads, keywords, salaries, and jobs. The other text areas will take it just fine, but these 4 won't. If I can make this one more bit confusing, if I simply enter in text in those fields and save it, it runs without a problem.
To handle the post data, I only use mysql_real_escape_string() to handle the data, I don't do a strip_tags() as I need the html in there.
Is this a weird apache error that can be fixed with .htaccess? Is there a module in PHP that is conflicting with this?
-------EDIT HERE IS THE ANSWER--------
Ben brought up a fantastic answer that is probably the problem and I cannot fix it because of a lack of privileges. So I created an onsubmit event from an idea that Gerben gave me and wrote the following JavaScript.
function awesome() {
    // Fields of the first form on the page
    var elements = document.forms[0].elements;
    for (var i = 0; i < elements.length; i++) {
        switch (elements[i].name) {
            case "ads":
            case "shortDescription":
            case "template":
            case "questions":
            case "salary":
            case "jobs":
                // Swap every "<" for the placeholder token before the form is posted
                var str = elements[i].value;
                elements[i].value = str.replace(/</g, "#@!");
                break;
        }
    }
    return true;
}
Then on the receiving end, I did a str_replace to replace #@! back to a < and that at least made the thing work.
I'm on a horse....hyaa!
Thanks for all your help. :)
<?=htmlentities($data['xxxx'])?>
– Misbegotten
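
The escaping suggested in the comment above, as an added example that is not part of the original post or comment: it renders one row of the form with the stored HTML escaped, so markup saved in a field cannot close the textarea early, and checks that the value still round-trips unchanged. The helper names `h()` and `textarea_row()` and the sample value are hypothetical.

```php
<?php
// Added example; h(), textarea_row() and the sample data are hypothetical.

// Escape a value for HTML text or a quoted attribute.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one labelled textarea row in the same layout as the form above,
// with the label, field name and stored value all escaped.
function textarea_row($label, $name, $stored)
{
    return sprintf(
        "<tr>\n<td><b>%s:</b></td>\n"
        . "<td><textarea name=\"%s\" rows=\"6\" cols=\"60\">%s</textarea></td>\n</tr>\n",
        h($label),
        h($name),
        h($stored)
    );
}

// Constructed sample: stored HTML that contains its own closing textarea tag.
$stored = "<div class=\"ad\">Ad one</div>\n</textarea><b>outside the field</b>";

// Raw echo, as in the original form: the stored closing tag ends the field
// early and the rest of the value becomes live markup on the edit page.
$raw = '<textarea name="ads">' . $stored . '</textarea>';

// Escaped output: the only literal closing tag is the one the template wrote.
$safe = textarea_row('Ads', 'ads', $stored);

printf("closing tags, raw echo: %d\n", substr_count($raw, '</textarea>'));
printf("closing tags, escaped:  %d\n", substr_count($safe, '</textarea>'));

// The browser decodes the entities when it fills the field, so the user
// edits, and the form posts back, exactly the HTML that was stored.
preg_match('~<textarea[^>]*>(.*)</textarea>~s', $safe, $m);
$roundTrip = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
echo "round trip unchanged: ", ($roundTrip === $stored ? 'yes' : 'no'), "\n";
```

Escaping on output does not change what is stored or what the form submits, so it is independent of how the 403 on submission is handled.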