I have been pulling my hair out over this problem.

I have a method=POST form which in some cases which returns a 403 Forbidden error, apparently never executing the php script to process the form. The very wierd thing is that the problem is data-dependent ... for instance, if my field called "spouse" is filled with "Cindy" it returns the 403. If I change that to "mindy" it works fine... huh ?!?!?!

I have put code in the php script to trace to a file as soon as it starts up, which never happens in the instances when I get the 403 return. So I would surmise this is happening in the server's processing of the POST request before the script is called.

Does anybody have ANY ideas? I don't have much hair left!

Thanks.

Possibly mod_security, don't know why though.. hmm look through your error_log, or mod_security logs.

I'm not sure if this helps but there's an .htaccess parameter that can be set to allow or disallow Post operations. I would start by setting it to allow all.

In your .htaccess file, it is possible that you might have the following:


<Limit GET POST>
order deny,allow
deny from all
</limit>


or something similar. If you wish to allow GET and POST from anyone, you can simply remove this block from your file.

Are you sure you're script can write to the file/dir you setup to log to. In all your hair pulling out you may have over looked the file system permissions. An error in the script would make a lot more since given that its seemingly related to input data.

No, it's not htaccess disallowing POSTs, becuase the problem is intermittent and data-dependent. No, it's not file permissions, because writing to my log works fine most of the time.

I did a lot more scenario testing and I may have stumbled onto the problem and solved it. It seemed that the 403 came and went based on the content of the form text input field called "spouse". If the data in the field began with a "C", then it got the 403. Pretty wierd.

So I tried simply changing the field name from "spouse" to "mate", and Voila! it now seems to work!

The first reply to my post above mentioned mod_security. I am on a shared host, so I don't know much about mod_security, but I think it is administered with a set of "rules". And how well or badly those rules are set up is at the whim of the "experts" (or less) tinkering away at my shared hosting provider. Would/could there be a rule that somehow causes a 403 return if it perhaps encounters "use=C" in an incoming POST request?

Is there any way to view what mod-security rules are in play on a shared hosting server? They use CPanel and Apache.