Support

The component Options in all of our software is handled in the standard Joomla! way. We provision an XML file and we are using Joomla!'s API to render the Options button. Clicking on that button calls a core Joomla! component called com_config. This is the component which is responsible for handling both the site's Global Configuration and third party components' configuration Options.

Unfortunately, the issue you have is with com_config, a core Joomla! component, not my code. I have no say on the inner workings of com_config and I can't help you with that. I am pretty sure that if you try more third party extensions you will see that you can save the configuration in neither of them. Can you please check that?

Well, I have an idea to help you. The error you get means that most likely you have a PHP fatal error when you try saving the configuration. Let's try diagnosing it. The idea is that a white page or a page with a 500 Internal Server Error is, in fact, either a .htaccess issue to a PHP fatal error in disguise.

First, let's see if it is a .htaccess issue. Try renaming the .htaccess file in your site's root to htaccess.bak If there is a .htaccess file in the site's administrator directory, try renaming it as well. If that solves the problem, the issue was with a directive in your .htaccess file. We'd like to recommend you to try removing directives from your .htaccess until you find the one which causes the problem.

If that doesn't help, the error you are receiving is in fact a PHP error in disguise. First, check your server's error logs (not the access logs) immediately after visiting the page which throws the error. There should be an exact description of the PHP fatal error which occurred, right before the log line you pasted earlier.

If there's no such thing, please log in to your site's back-end, go to Global Configuration, click on the Server tab and set the Error Reporting to Maximum (Joomla! 1.5) or Development (Joomla! 2.x and later). Try visiting the problem page again. You should see the error message.

If you still get a blank page, edit your configuration.php file and put the following code right after the final closing curly brace ( this is what a curly brace looks like --> } ) but before the closing PHP tag (it looks like ?> that is a question mark and a greater-than sign):

ini_set( 'display_errors', true );
error_reporting( E_ALL ); 

Try visiting the problem page again.

If you still get a white page, please remote the two lines from your configuration.php file. Edit the .htaccess file in your site's root. If you don't have a file named .htaccess create a new one. Beware that htaccess.txt is a DIFFERENT FILE and will NOT work! Add the following to the end of the file:

php_flag display_errors On
php_value error_reporting 32767

and retry loading the problem page.

If you still get a white page, remove the two lines from your .htaccess file. Now, create a file called php.ini with the following content:

display_errors=on
error_reporting=E_ALL

and upload it into your site's root and your site's administrator directory. Retry loading the problem page.

If you still get a white page, delete the php.ini files your created and post back here.

Please note that if you can not understand what the PHP error message means, just copy and paste it here verbatim so that we can take a look and point you to the right direction.

I couldn't see any php errors using the methods you described (I think because the error is occuring in the pop up box rather than on the page load.)

I wouldn't consider that the reason :) The popup is simply a big div with the semi-transparent gray area and an iframe which loads com_config inside it. You should be able to see the error messages.

I contacted the site host and was able to get an error log entry off the server by SSH connection:

This doesn't mean anything to me, but I'm hoping you'll know something more.

This actually means a lot to me! First, it tells us the culrpit: 

ModSecurity: Access denied with code 500 (phase 2)

Ask your host to disable the following mod_security rule for your site:

((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)

This rule is throwing a false positive. Your server believes that trying to save the component's configuration is a SQL Injection attack:

[msg "Generic SQL injection protection"

It's not. The request is completely benign.

You're welcome :)

The rule in question is way too generic and will throw a lot of false positives. If you want to see what a good regex for SQL injections looks like you can see my 1Kb beast of a regular expression, used in Admin Tools Professional. So, you are removing something which may stop a simple SQL injection but will definitely block a lot of legitimate requests. At the same time you have a Joomla! plugin (Admin Tools Professional) which is more effective in stopping this kind of attacks with less false positives. There will be no net change in your Joomla! site's security.

Hi Jeremy,

You're welcome!

I understand why they wouldn't disable it. On a shared server every change in mod_security settings affects all sites on the server, not just yours. The whitelist is a good compromise. Good thinking on their part :)