Solved

Using DW with MySQL gets HTTP Error Code 500 Internal Server Error

Posted on 2008-10-24
5
792 Views
Last Modified: 2013-12-13
Some background information:

We have many sites running on PHP MySQL. All of a sudden, we started to get error 500 yesterday morning when we tried to update some records, not all of them. Our support managed to resolve it by whitelisting the domain.

PHP access the MySQL database local host, so I don't see that being anything related.

Problem:
I still get error 500 in DW when I try to test a Binding.

I can connect to the database. Be able to see the tables and items to create a record set. When I am in the record set dialog, I click the "Test" button try to see the data, immediately, I get the following error:

HTTP Error Code 500 Internal Server Error

Same error also occur if I use the DW wizard to create a dynamic table. DW can't read the field name.

I am using DW 8.0.2 but my business partner tried it on CS3 with the same problem.

We did recently implement some security script for PHP.

Thanks for any help to resolve this problem.
0
Comment
Question by:two-chez
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 39

Expert Comment

by:Roger Baklund
ID: 22799514
Error 500 is a general server error, it says nothing about the cause of the error. Inspect the Apache error log, you should find a more informative error message there.
0
 

Author Comment

by:two-chez
ID: 22804934
Many thanks for the pointer. Here is the error message I find:

[Sat Oct 25 13:40:00 2008] [error] [client 68.231.212.97] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\\*| |\\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\\*| |\\,]|UNION SELECT.*\\'.*\\'.*,[0-9].*INTO.*FROM)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "345"] [id "300013"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "72.52.244.213"] [uri "/_mmServerScripts/MMHTTPDB.php"] [unique_id "SQOEIEg02cUAAG7jcX4AAAAH"]

So what does this mean? We do want to select and very likely update the tables. So is there something we can do in the ModSecurity configuration? Or should we even have it?

Thanks.
0
 
LVL 39

Accepted Solution

by:
Roger Baklund earned 125 total points
ID: 22805429
What it means? It's here: [msg "Generic SQL injection protection"]

You can of course do select and update in your database, this is a protection agains someone trying to update your database over the internet. That is not something you want.

I don't know ModSecurity, but it's a web application firewall, it's job is to prevent threats to your application. In this case it seems to have found a possible SQL statement in a request to a page:

[uri "/_mmServerScripts/MMHTTPDB.php"]

This is a Dreamweaver file, a connection script related to php/mysql code.

"The connection scripts are used by Dreamweaver to perform remote database connectivity when developing pages within Dreamweaver. These script files have no effect on your web pages during run-time (for example, when a visitor views your PHP pages via a web browser)."

http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16515

See also:

http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16566
0
 

Author Comment

by:two-chez
ID: 22805470
Yes, that file seems to have triggered the error. That is a generic Dreamweaver file, I am trying to get it added to the exclude.conf on the ModSecurity configuration. My hosting company just tried to whitelist my IP and I ended up not able to access anything. I suspect there is something wrong with our ModSecurity installation. It is doing the opposite of what we want it to do.
0
 

Author Closing Comment

by:two-chez
ID: 31509758
We needed up exlcuding the generic /_mmServerScripts/MMHTTPDB.php in the ModSecurity's exclude.conf and that did the trick. Thanks for the pointers.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question