Problem with ajax, error 403 (Forbidden) when processing queries


I have a textarea to which I write a query like: SELECT* FROM usuarios to process them in a php document and be able to extract the result of this query.

Everything goes well in this aspect, but whenever I use clauses, such as: LIMIT or WHERE, it sends me an error 403 (Forbidden) indicating the path of my .php file where I process the query.

Why is this happening? I was reading about it with similar problems but none helped me. I have my hosting in Godaddy and the information process with JQuery and Ajax. I will value any help in this regard. Thanks.


        <textarea class="form-control" rows="3" placeholder="Consulta SQL"></textarea>
    <button type="button" id="ejecutar-consulta" class="btn btn-default"><span class="glyphicon glyphicon-cog"></span> Ejecutar</button>


var dataContent;
(function() {
    $('body').on('click','#ejecutar-consulta', function() {
        $('.response-sql').html('<i style="font-size:17px;" class="fa fa-spinner fa-spin fa-3x fa-fw"></i> Ejecutando consulta...');
        var consulta = $('textarea').val().trim();
        if ( consulta.length > 0 ) {
            $.post('includes/herramientas/generador-reportes/controller.php',{key:'ejecutar-consulta',sql:consulta}, function(dataResponse) {
                dataContent = dataResponse;
            }).complete(function() {
        else {
            console.log('Error al procesar la solicitud.');


    $sql = $_POST['sql'];

    $DoQuery = $db->sql($sql);

    $GetColumns = mysqli_fetch_assoc($DoQuery);

    $headersTable = array_keys($GetColumns);

    while ( $f_informacion = mysqli_fetch_assoc($DoQuery) ) :
        $contentOne = array();
        for ( $i = 0; $i < count($headersTable); $i++ ) :
            $contentOne[] = utf8_encode($f_informacion[$headersTable[$i]]);             
        $contenidoSQL[] = $contentOne;
asked by Fernando Urban 27.02.2017 в 04:12

1 answer


A. Error 403

The 404 Forbidden error, which you are receiving, indicates that the web server believes that the HTTP data flow sent by the client was correct, but access to the resource identified by the URL is prohibited for some reason.

It is possible that your php file or the folder where it is located have access restrictions indicated in the .htaccess file or elsewhere.

B. But there is something much more serious: your code is totally vulnerable to SQL attacks (SQL injection)

Never send direct queries to your database, but never.

If you allow to send this to the database from an input box or text area:

SELECT * FROM usuarios

and a malicious user writes this:

SELECT * FROM usuarios; DELETE FROM tutabla; DELETE FROM tuotratabla

you send two or more queries to your DB that would be executed without any control ... only the second and third (in this case) would erase all data from any table indicated in the DELETE.

Or, more serious, an ill-intentioned user could obtain, through consultation, the access keys, or modify them.

Please read this on SQL Injection .

Solution a (B):

Always use prepared queries and for the connection to the DB use PDO or Mysqli .

answered by 27.02.2017 в 04:29