I must be missing something stupid. Here's the script:

<?php
print_r($_GET);
$sql = $_GET["sql"];
echo "<br>".phpversion()."<br>";
echo "$sql<br>";
?>

Here's the input

http://www.example.com/php/sel.php?sql=select+a+b+frog

Here's the response:

Array ( [sql] => select a b frog )
4.4.9
select a b frog

Change the input to (frog -> from):

http://www.example.com/php/sel.php?sql=select+a+b+from

Response is a 403:

Forbidden
You don't have permission to access /php/sel.php on this server.

Any thoughts?

    the 2 words
    'select from'
    trigger this error in the query string
    but
    'selec from' and 'select fro' work!

    I do not understand. Very strange.

    Looks like there is some security, to avoid SQL commands in $_GET
    this is also forbidden 'insert into values'
    This can be some filtering inside one .htaccess or in the server configuration.

      Yes, I more or less concluded that both needed to be there. Your explanation sounds right - what I'm seeing looks like it must be a server generated error, and not from PHP. So I'm going to have to encode my SQL string somehow and then decode it in the PHP - not the end of the world.

        You can try to use POST form in your script.

        No, I just tested at your site.
        But now I am going to try at my own PHP 5.3.0

        and see what happens.

        EDIT.
        No problems at my own personal php server
        I can enter: "sql=select a b from"
        and there are no such errors

          Sounds a lot like you're using Apache with mod_security.

          Why on earth would you want to pass SQL queries via GET/POST methods anyhow?

            Well Brad, in an ideal world I wouldn't, but I don't live in an ideal world, I live in Africa. My ISP here blocks the MySQL port, so I can't just log on and test a query, and repeatedly uploading files to the server is a pain because the speed here is so slooooow. My laptop, where my local PHP installation is, is in the repair shop... So I was just making a lash up to test a query when I noticed this feature.

            You have to be right, otherwise the forbidden message doesn't make any sense. I'll mark it as resolved.
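
Added example, not part of the thread: one way to confirm the mod_security diagnosis is to look in the Apache error log for the denial record, which names the rule and the request argument that matched. The log lines, rule pattern, rule id and file paths below are constructed for illustration and are not taken from the poster's server.

```python
import re

# Constructed Apache 2.2-style error log excerpt (assumed values throughout).
SAMPLE_LOG = """\
[Tue Mar 02 10:15:01 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Tue Mar 02 10:15:07 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select.+from" at ARGS:sql. [file "/etc/apache2/modsec/rules.conf"] [line "12"] [id "900001"] [msg "SQL keywords in request"] [hostname "www.example.com"] [uri "/php/sel.php"] [unique_id "CONSTRUCTED0001"]
[Tue Mar 02 10:16:30 2010] [error] [client 192.0.2.10] client denied by server configuration: /var/www/php/private
"""

# Fixed prefix of a ModSecurity 2.x denial, up to the first [key "value"] tag.
DENY_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code "
    r"(?P<status>\d{3}) \(phase (?P<phase>\d)\)\. (?P<reason>.*?) \["
)
# Trailing metadata tags such as [id "900001"] or [uri "/php/sel.php"].
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def modsec_denials(log_text, uri=None):
    """Return one dict per ModSecurity denial, optionally filtered by URI."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            # Other 403 sources (Allow/Deny rules, file permissions) and
            # unrelated errors do not carry the ModSecurity prefix.
            continue
        event = m.groupdict()
        # Re-scan from the '[' that ended the prefix to collect the tags.
        event.update(dict(TAG_RE.findall(line[m.end() - 1:])))
        if uri is None or event.get("uri") == uri:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in modsec_denials(SAMPLE_LOG, uri="/php/sel.php"):
        print(f"{hit['uri']}: {hit['status']} from rule {hit['id']} "
              f"({hit['file']}:{hit['line']}): {hit['reason']}")
```

If the 403 comes from mod_security, the record identifies the rule file and id responsible; if no such record exists for the request, the 403 has another source.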
