
Farsi Joomla (Joomfa) Problem



kasra
31.01.2009, 19:41
I have a problem with PHPIDS and Farsi Joomla (http://joomfa.org).
When I add some news from the Joomla administrator panel and save it, PHPIDS detects this as an attack and it matches 5 rules!
I think because of the Farsi language there is some problem with UTF-8 and PHPIDS.

Any idea?

kasra
31.01.2009, 21:25
Finally I found the cause of the problem that I described above!!
When I save a news item in the Joomla editor and use alignment for it, the editor adds this tag to it:
<div style="text-align: left;">sometext</div>

I checked this tag with the PHPIDS demo page and it matches 4 rules!

Please help me with this.

.mario
31.01.2009, 21:44
Not when HTML mode is enabled for this field:

http://demo.phpids.org/?html=1&test=%3Cdiv%20style=%22text-align:%20left;%22%3Esometext%3C/div%3E

kasra
01.02.2009, 08:05
Thanks for your answer, Mario.
So how can I enable HTML mode for this field?
Is there any additional configuration in the PHPIDS config file to handle this?

.mario
01.02.2009, 11:50
Yep - check the config.ini for an example entry (https://trac.phpids.org/index.fcgi/browser/trunk/lib/IDS/Config/Config.ini#L19) with html-check enabled.

kasra
01.02.2009, 12:19
I can't find html-check in the config.ini file, do you mean html[]?
Would you please give me a clear explanation of that with an example for my case with "<div style="text-align: left;">sometext</div>"?
Thanks

.mario
01.02.2009, 12:23
If the field is for example called $_POST['content'] you just add html[] = 'content'.

kasra
01.02.2009, 14:10
According to the PHPIDS log, the variables that match PHPIDS rules are:

REQUEST.FullText=<div style="text-align: left;">sometext</div>
POST.FullText=<div style="text-align: left;">sometext</div>

As you said, I added this line to config.ini:
html[] = 'FullText'

But I still have the same problem!! :(

.mario
01.02.2009, 15:18
What about:

html[] = 'REQUEST.FullText'
html[] = 'POST.FullText'


:)

Greetings,
.mario

kasra
01.02.2009, 15:52
I tested with

html[] = 'REQUEST.FullText'
html[] = 'POST.FullText'

Still the same problem, but I put these into exceptions:

exceptions[] = REQUEST.FullText
exceptions[] = POST.FullText

and it's OK now!! Any idea?

.mario
01.02.2009, 16:12
Ah okay - then my mistake copy&pasting the quotes.

kasra
01.02.2009, 17:51
I'm sorry but I didn't understand your comment above!! What do you mean?

kasra
01.02.2009, 18:22
I also found another problem with PHPIDS and my website.
I have REQUEST.__utmz matching a PHPIDS rule in the log,
how could I handle this one?!

kasra
01.02.2009, 18:46
Dear Mario

I still have the old problem unless I put these in exceptions[]:
exceptions[] = REQUEST.FullText
exceptions[] = POST.FullText

I am afraid that putting these in exceptions will lead to some other problems!
Please tell me how to handle this problem with the html[] section!

.mario
03.02.2009, 18:35
Hi!

Sorry for the delayed answers - I am not in the office this week and can only check for requests infrequently.

So - basically you only need to exclude the __utmz stuff if your site uses Google Analytics and generates false alerts with the used variables.

If you add REQUEST.FullText and POST.FullText to the html[] array like you did with those variables in exceptions[], do you still get alerts? Can you please post the exact string again? The demo link I sent you kind of proves that the string you submitted won't trigger an alert with the latest PHPIDS release.

Greetings,
.mario
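
For reference, an added example (not part of the thread and not the project's shipped file) that puts the two options discussed above side by side in config.ini. The field names are the ones from kasra's log; the `[General]` section name and the note about the HTML Purifier settings are assumptions based on the layout of PHPIDS's default configuration file.

```ini
; Constructed fragment for illustration, not the shipped Config.ini.
[General]

; Option A (what worked in the thread): exceptions[] takes the field out
; of monitoring. Nothing submitted in FullText is checked against the
; filter rules any more, so hostile markup in an article body would not
; raise an alert either. Left commented out here.
;exceptions[]   = REQUEST.FullText
;exceptions[]   = POST.FullText

; Option B (what .mario recommends): html[] declares that the field
; contains HTML. The value is prepared before the rules are applied, so
; editor markup such as <div style="text-align: left;"> should no longer
; match, while the field itself stays monitored.
; Values are written without quotes, as in the exceptions[] lines that
; worked in the thread. html[] also depends on the HTML Purifier settings
; in this section of the shipped file being valid for the installation.
html[]          = REQUEST.FullText
html[]          = POST.FullText

; Google Analytics value: excluded only because the site uses Analytics
; and this variable produces false alerts.
exceptions[]    = REQUEST.__utmz
```

After changing the file, resubmitting the same `<div style="text-align: left;">sometext</div>` article and checking the PHPIDS log shows whether the html[] entries are being picked up.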