RE: Opensuse 11.4 - PHP returned as text?

HallMarc Websites wrote:

>> I'm trying to debug an issue which I think is more to do with Apache than
>> PHP, but perhaps someone else has experience with this. Using opensuse
>> 11.4, custom compile of kernel 2.6.38, custom compile of Apache httpd
>> 2.2.17, and PHP 3.3.6. phpinfo() page works correctly so my httpd.conf is
>> configured to deal with PHP.
>>
>> Using a plain .php file which contains a form with only a submit button,
>> at first the browser loads the .php correctly. Then click submit in the
>> form, and the browser asks me if I want to open or download and save
>> locally the .php file I have requested. This is disturbing since it is
>> potentially a security issue.
>>
>> 1. This only happens with method=POST. method=GET works correctly.
>> 2. Using the same form as an .html file, same failure, so it is not
>> directly connected to PHP. I have posted an issue with Apache (50978) but
>> no response yet.
>
> Can you post a link; if not:
> Can you show the contents of the php file being downloaded or at least the
> first and last 15 lines?
> Not sure why the method would make the diff yet here we are. You could
> check the variables_order string in your php.ini file.
> And have you tried adding
>     enctype="multipart/form-data" or
>     enctype="application/x-www-form-urlencoded" (more suited for GET)
> to the FORM tag ie <FORM id="formID" action="some_action.php"
> method="POST" enctype="multipart/form-data">
>
> The reason I asked the last part is because you stated that it works fine
> if you pass via GET and not when you use POST and because they are both
> encoded differently and it could be that the server isn't set correctly to
> decode $_POST data and so does the download instead.
>
> More details about how you are collecting the form data and how the data
> is then processed would be helpful.
>

Thanks for your interest.
Here is my complete test php file:

<?php
echo "crash test<br />";
$cont = "<form action='".$_SERVER['PHP_SELF']."' method='POST'>
<input type='submit' name='button' value='submit' />
</form>";
echo $cont;
echo "ended<br />";
?>

Running this file produces the form correctly at first. Then click 
submit and the response of the server is to send the next page as text. 

In the background a child process dies. I guess this severs the link to 
the php handler. If httpd is run with -X to generate a single process, 
this process dies and the server stops, with no effort to serve up a 
file of any kind.

If I take the above file and convert to regular html, same behaviour. 
This is why I say it has little to do with PHP. However if used in 
connection with php it can result in some nasty security implications.

I did try adding enctype, but this did not help. I think this is 
because the process is killed very early in dealing with the post 
method and never gets to formulating something to send back.

I did get a backtrace from gdb, and this is posted on the 
issues.apache.org website.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
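
A check for the symptom described in this thread, as an added example that is not part of the original messages: it inspects a raw HTTP response and reports signs that a PHP page came back unexecuted (source in the body, a non-HTML content type, or a download disposition). The function names, the finding labels, the expected HTML types and both sample responses, including the `application/x-httpd-php` content type, are constructed assumptions, not data from the poster's server.

```python
import re

# An opening PHP tag in a response body means the script was not executed.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
HTML_TYPES = {"text/html", "application/xhtml+xml"}  # assumed expected types


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def source_leak_findings(raw: bytes):
    """List the reasons a response looks like unexecuted PHP source."""
    _status, headers, body = parse_response(raw)
    findings = []
    if PHP_OPEN_TAG.search(body):
        findings.append("php-open-tag-in-body")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in HTML_TYPES:
        findings.append("unexpected-content-type:" + (ctype or "missing"))
    if "attachment" in headers.get("content-disposition", "").lower():
        findings.append("served-as-download")
    return findings


# Constructed sample responses (not captured from the poster's server).
GET_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"crash test<br /><form action='/test.php' method='POST'>"
    b"<input type='submit' name='button' value='submit' /></form>ended<br />"
)
POST_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/x-httpd-php\r\n\r\n"
    b"<?php\necho \"crash test<br />\";\n?>"
)

if __name__ == "__main__":
    for label, raw in (("GET", GET_RESPONSE), ("POST", POST_RESPONSE)):
        print(label, source_leak_findings(raw) or "ok")
```

Running the same check against both the GET and the POST response of a page makes a method-specific failure like the one reported here visible in monitoring or a deployment smoke test.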


