Hi @gleanweb,
This may be due to how they are being called.
Can you show me an example request to one of your scripts?
For example: http://example.com/your_script.php?any_query=<runtime>something</runtime>
I suspect there are query variables within the URL or in the POST body that is triggering the 403 by Wordfence.
If you can show me how these scripts are being called, we can try to whitelist these actions.
Dave
Hi Dave,
Thanks for the note. The $_POST array looks like this:
Array
(
[title] => All sites +Site stats+
[sqlquery] => select farm, contact1, phone1, address, city, state, zip from sites order by farm
[list] => Show this report
[terms] =>
[querynum] => 3
)
@gleanweb
I have systematically gone through the POSTed inputs and found that what triggers the Wordfence block in the $_POST array is:
[sqlquery] => select farm, contact1, phone1, address, city, state, zip from sites
Is this because of the name of the variable?
Or does Wordfence recognize the string as an sql query and block it for that reason?
Or something else?
The whole point of the page is to write and save customized sql queries. The POSTed input is rigorously sanitized on the server and the page is password-protected.
Hi again!
Can you try whitelisting the sqlquery variable?
1. Go to Wordfence -> All Options
2. Scroll down until you see Whitelisted URLs
3. Put / for the URL
4. Select Param Type: POST Body for the dropdown
5. Put sqlquery for the Param Name
6. Click on Add
7. Click on Save Changes in the top right corner
For example: https://i.imgur.com/cKus1f0.png
* For (3) you can put the exact URL of the script, for example /my_script.php or /folder/my_script.php
Dave
Thanks, Dave. I added the script to the whitelist. The first time I then ran the script it again balked, but gave me the option on the 403 Forbidden page to whitelist it. I checked that box and it all seems to work now.
