Background -

背景 -

I have my website code hosted on a linux server. My website allows new registrations for employers (http://www.gymandspajobs.com/Employer/Employer.php). The filled-up forms are verified by JavaScripts in the folder "/javascript" and if the information is found ok, the data is submitted via JavaScript HTTP request object and the PHP file "somefile.php" kept in the folder "/somefolder" under the root directory does the database inserts.

我的网站代码托管在 linux 服务器上。我的网站允许雇主进行新的注册 ( http://www.gymandspajobs.com/Employer/Employer.php)。填写好的表格在“ /javascript”文件夹中通过JavaScripts验证，如果信息正常，则通过JavaScript HTTP请求对象和保存在“ /somefolder”文件夹中的PHP文件“ somefile.php”提交数据在根目录下进行数据库插入。

Problem -

问题 -

When a new user tried to register using Firefox (I tested in WinXP SP2, Firefox - v3.5.2), the HTTP response I used to get (which I tapped in my JavaScript file) was "You don't have permission to access /somefolder/somefile.php on this server." .

当新用户尝试使用 Firefox 注册时（我在 WinXP SP2、Firefox - v3.5.2 中进行了测试），我曾经获得的 HTTP 响应（我在 JavaScript 文件中点击了该响应）是“您无权访问 /此服务器上的 somefolder/somefile.php。”。

Surprisingly, the same functionality worked perfectly well in IE7 and Chrome.

令人惊讶的是，相同的功能在 IE7 和 Chrome 中运行良好。

Latest Update on the Problem -

问题的最新更新 -

I contacted my web hosting guys and my problem seems to have been solved after I received this reply from them.

我联系了我的网络托管人员，在收到他们的回复后，我的问题似乎已经解决。

We have disabled mod_security for your domain to fix it. We have entered the below lines to the .htaccess file under the httpdocs directory for your domain. We have also verified and successfully able to submit the Employer registration without any issues. ~~~~~ SecFilterEngine off ~~~~~

我们已为您的域禁用 mod_security 以修复它。我们已在您的域的 httpdocs 目录下的 .htaccess 文件中输入以下行。我们还验证并成功提交了雇主注册，没有任何问题。~~~~~ SecFilterEngine 关闭~~~~~

Though the problem has got solved, I think making "SecFilterEngine off" may not be the best solution to this problem as it compromises security. Hence I asked the hosting guys if there is a way to keep mod_security ON and yet get my functionality to work...... here is their reply.....

虽然问题已经解决了，但我认为制作“ SecFilterEngine off”可能不是解决这个问题的最佳方法，因为它会损害安全性。因此，我问托管人员是否有办法保持 mod_security 开启，同时让我的功能正常工作......这是他们的回复......

Q. is there any way my code can work yet keeping mod_security ON?

Ans. It is possible. But it is not easy. You have to modify the code in the file in such a way that the URI should not have the pattern "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" because we found this entry in the apache error logs -

mod_security-action: 403

mod_security-message: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type")

问：有什么方法可以让我的代码工作同时保持 mod_security 开启？

答。有可能的。但这并不容易。您必须以这样一种方式修改文件中的代码，即 URI 不应包含模式“ !(^application/x-www-form-urlencoded$|^multipart/form-data;)”，因为我们在 apache 错误日志中发现了此条目 -

mod_security-action：403

mod_security-message：访问被拒绝，代码为 403。模式匹配“ !(^application/x-www-form-urlencoded$|^multipart/form-data;)”在 HEADER("Content-Type")

I am using the HTTP object and POST method via JavaScript as -

我通过 JavaScript 使用 HTTP 对象和 POST 方法作为 -

http.setRequestHeader('Content-Type','application/x-www-form-urlencoded')

Please guide me as to what changes do I need to do in the above line of code so that mod_security can be kept ON and yet my registration form will work?

请指导我在上面的代码行中需要做哪些更改，以便 mod_security 可以保持打开状态，但我的注册表单可以使用？

Thanks and Regards,

感谢致敬，

-Rupak Kharvandikar-

-鲁帕克·哈万迪卡尔-