I must be missing something stupid. Here's the script:

<?php
print_r($GET);
$sql = $GET["sql"];
echo "<br>".phpversion()."<br>";
echo "$sql<br>";
?>

Here's the input

http://www.example.com/php/sel.php?sql=select+a+b+frog

Here's the response:

Array ( [sql] => select a b frog )
4.4.9
select a b frog

Change the input to (frog -> from):

http://www.example.com/php/sel.php?sql=select+a+b+from

Response is a 403:

Forbidden
You don't have permission to access /php/sel.php on this server.

Any thoughts?

the 2 words
'select from'
triggers this error in query string
but
'selec from' and 'select fro' works!

I do not understand. Very strange.

Looks like there is some security, to avoid SQL commands in $_GET
this is also forbidden 'insert into values'
This can be some filtering inside one .htaccess or in the server configuration.

Yes, I more or less concluded that both needed to be there. Your explanation sounds right - what I'm seeing looks like it must be a server generated error, and not from PHP. So I'm going to have to encode my SQL string somehow and then decode it in the PHP - not the end of the world.

Did you test on PHP5?

Seems to behave the same with POST.

Sounds a lot like you're using Apache with mod_security.

Why on earth would you want to pass SQL queries via GET/POST methods anyhow?

Well Brad in an ideal world I wouldn't, but I don't live in an ideal world, I live in Africa. My ISP here blocks the MySQL port, so I can't just log on and test a query, and repeatedly uploading files to the server is a pain because the speed here is so slooooow. My laptop where my local PHP installation is, is in in the repair shop... So I was just making a lash up to test a query when I noticed this feature.

You have to be right, otherwise the forbidden message doesn't make any sense. I'll mark it as resolved.