Topic: PHP warning for item in \include\functions.php

Last week I found 8 times the following PHP warning in the Apache log file (nothing changed in my server or PHP configuration):

PHP Warning:  htmlspecialchars(): Invalid multibyte sequence in argument in D:\\Programme\\Apache\\htdocs\\forum\\include\\functions.php on line 21,

....caused by 6 different clients from different countries (USA, China,  Czech Republic, however,  the logged IP's could be proxies or faked)

I just want to notify you about. Probably it is some unimportant warning, but may you want to know about it.

Re: PHP warning for item in \include\functions.php

Seems like this warning appears, if the script receives data in a non-UTF encoding. We'll try to fix it.

Please, provide us the following details: the URL and the kind of request (GET or POST).

3

Re: PHP warning for item in \include\functions.php

I have the same problem

4

Re: PHP warning for item in \include\functions.php

I had the same problem.

sample log

91.224.160.11 - - [16/Oct/2011:00:40:46 +0400] "GET /forum/new-reply90.html%09-%09200%094%09-%09%CA%EE%EC%EF%FC%FE%F2%E5%F0%FB%09-%09-%09-%09-%09-%09- HTTP/1.0" 404 480 "http://www.datarc.ru/forum/new-reply90.html%09-%09200%094%09-%09%CA%EE%EC%EF%FC%FE%F2%E5%F0%FB%09-%09-%09-%09-%09-%09-" "Mozilla/6.0 (compatible; MSIE 7.0a1; Windows NT 5.2; SV1)"

temporarily fixed this way, but do not think it is good way to patch functions.php directly:

function forum_htmlencode($str)
{
    $return = ($hook = get_hook('fn_forum_htmlencode_start')) ? eval($hook) : null;
    if ($return != null)
        return $return;

////    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
    return htmlspecialchars(mb_convert_encoding($str, 'UTF-8', mb_detect_encoding($str)), ENT_QUOTES, 'UTF-8');
}

Re: PHP warning for item in \include\functions.php

Still having this problem, now happening quite often, e.g. always when Google bot visits special forum topics - but also if I open the URL with Firefox..

PHP Warning:  htmlspecialchars(): Invalid multibyte sequence in argument in \\htdocs\\forum\\include\\functions.php on line 21

66.249.72.87   12.11 21:15:34   811167   + GET /forum/viewtopic.php?id=347 HTTP/1.1  S:200 (200)   B:15580   R:crawl-.googlebot.com  L:-  H:Host=nc.ddns.us|Accept=*/*|From=googlebot(at)googlebot.com|User-Agent=Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|Accept-Encoding=gzip,deflate

Will this ever be fixed? Is it to be considered as a security issue?

Thank you.

Re: PHP warning for item in \include\functions.php

Send me link in PM that cause error.

7 (edited by NettiCat 2011-11-17 13:11)

Re: PHP warning for item in \include\functions.php

Done (PM)

I tried the proposed fix from tohex,

    //return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
        return htmlspecialchars(mb_convert_encoding($str, 'UTF-8', mb_detect_encoding($str)), ENT_QUOTES, 'UTF-8');

but this produces:

PHP Warning:  mb_convert_encoding(): Illegal character encoding specified in ....\\include\\functions.php on line 22

Re: PHP warning for item in \include\functions.php

@dimkalinux
Did you receive my PM ?

Re: PHP warning for item in \include\functions.php

im answered.

I dont see any errors in page when visiting this page as guest.
If errors exists only in your logs file you need configure php that it show errors on page - its display_erros and error_reporting options in php.ini. Its nessesary. I need look when exactly - in post body, or header thrown this error.

Anyway you can disable errors adding @ before htmlspecialchars - @htmlspecialchars(

Re: PHP warning for item in \include\functions.php

I dont see any errors in page when visiting this page as guest.

You do not need to login to trigger this error. The error is never displayed on page, only in the server logs as PHP notice:
PHP Warning:  mb_convert_encoding(): Illegal character encoding specified in ....


Changed php.ini settings to:
display_errors = On
error_reporting = E_ALL | E_STRICT | E_NOTICE | E_DEPRECATED | E_PARSE
log_errors = On
...and restarted Server, but the error is NOT displayed on page, also tried clearing browser cache and restarting browser

Please note: The mentioned error is a PHP notice only, without E_NOTICE (e.g. error_reporting = E_ALL | E_STRICT) the problem is not even logged to server log! This might be the reason why it is not displayed on page.

Re: PHP warning for item in \include\functions.php

Just make that notice displayed on page.
I need known what exactly calling this functions. its not simple but its one way to found problem.

Or use @ for hidding notice.

Re: PHP warning for item in \include\functions.php

I already tried to make the notice displayed on page, but as mentioned in my previous post and while applying the settings you suggested, the notice is never displayed.

I certainly know how to hide error or notice messages, but I.M.O that's not the right way to solve coding issues - at least not as long you confirmed that it is a minor issue, not a security problem.

Re: PHP warning for item in \include\functions.php

try
error_reporting = E_ALL
and check logs - if error logged to logs it must be visible on page. Or look at page source code - it may be hidden in source.

Re: PHP warning for item in \include\functions.php

Yesterday I already tried this configuration,
I also looked at the source for hidden error messages,
and to be sure I saved and compared the pages (with and w/o error display) md5 check-sums,
they are always identical, nothing displayed.
Additionally tried to use error_prepend_string option to identify messages.

With error_reporting = E_ALL the issue is not even logged to Apache logfile!

As I mentioned in a previous topic, error_reporting = E_NOTICE is required to log the notice, but however this only logs the notice, but does not display it. Probably because display_errors will display errors and warnings only, but never notices.

Please read my previous posts more thoroughly, you always ask me for already provided information.

Re: PHP warning for item in \include\functions.php

Dont use mb_convert_encoding - revert to original variant htmlspecialchars.

16 (edited by NettiCat 2011-11-17 18:28)

Re: PHP warning for item in \include\functions.php

I do not use mb_convert_encoding !
I only tried this 5 days ago, but for a few minutes only.


BTW: Your forum log-in page features a hidden anti-spam input tag, just between the username input and the password input tags. This is a bad idea since it breaks Firefox password manager (won't remember or save log-in data).
Firefox recognizes the input above a password field as username field (even if hidden by CSS). Unfortunately this is the ant-spam honey-pot on your page which even has an autocomplete=off attribute. However, just removing this attribute won't fix the issue, you need to remove the whole input tag for the reason mentioned above. (tested and verified your source on on my own page)
I wonder why a password-protected page needs a honey-pot at all - especially the log-in page.

Re: PHP warning for item in \include\functions.php

You can disable honeypot in Fancy stop spam settings.

Re: PHP warning for item in \include\functions.php

I'm not using the "Fancy stop spam" extension. I developed my own anti-spam PunBB extension Yasb. Meanwhile I fixed a few more Yasb bugs and I'm very happy with it. I just see you posted your intention to adopt my idea - thanks!

The reason why I mentioned the "Fancy Stop Spam" honeypot annoyance was that my Firefox does not save log-in data on http://punbb.informer.com, thus I cannot disable the honey-pot option.


Ok, I will focus on the topic now:
What's your suggestion in order to trace or resolve the "Invalid multibyte sequence in argument " issue?

Re: PHP warning for item in \include\functions.php

Try to found in anyway line in viewtopic.php or other file that called forum_htmlencode() with non-unicode data.
Maybe this non-unicode data is saved in DB as post or username, title...

Re: PHP warning for item in \include\functions.php

You can use Xdebug extensions for PHP, but not on production server or hosting.

Re: PHP warning for item in \include\functions.php

You can add this code before htmlspecialchars() - it will exit and show error when got non-unicode strings. But use it ONLY for test and ONLY if you known how reproduce problem. Use it only once and remove.

if (preg_match('/^./us', $str) === FALSE) {
  die("BAD UNICODE: '$str'");
}

Re: PHP warning for item in \include\functions.php

Try to found in anyway line in viewtopic.php or other file that called forum_htmlencode() with non-unicode data.
Maybe this non-unicode data is saved in DB as post or username, title...

There are 462 occurrences of forum_htmlencode and even in viewtopic.php there are 21.

Sorry, I requested support here, but now it seems you ask me to do all your work ?

I'm certainly willing to help with some needed information, but I'm unable to spend time on investigating possibly the whole PunBB code.


Maybe this non-unicode data is saved in DB as post or username, title...

It certainly is, since it is available on page request. As you can see, a guest posted it in German language. And if you would just have tried to copy the first post of the topic to post it on your own PunBB board you should see the same issue.
That means the visible text contains the problem chars, it has nothing to do with any data stored in the database.


What about Parpalak? Isn't he no longer moderating this forum?