  1. #1

    confused about saving html into database

    Sort of a hybrid PHP/MySQL question, maybe..

    I have a (CodeIgniter) project that saves HTML into a MySQL database. Usually <pre>, <code> and <p>. Inserting and updating the db worked fine locally. Once I moved the project to a GD hosted account I get a '406 Not Acceptable' error when I attempt to update or insert content that includes opening or closing HTML brackets < >:

    ----------------------------------------------------

    Not Acceptable

    An appropriate representation of the requested resource /index.php/manage/addedit could not be found on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    ----------------------------------------------------

    If I removed the < and > from content being inserted/updated it works fine. I thought this was an encoding problem. I did find that my local database was set to utf8_unicode_ci whereas the GD live database was set to latin1_swedish_ci. I changed the live db charset to utf8_unicode_ci but same problem.

    What other checks should I make to successfully update/insert HTML brackets ( < > ) into the db?

  2. #2
    Mittineague
    Sounds like a security thing to prevent having script tags in the database.

    Can you change them to entities instead?

  3. #3
    felgall
    Sounds like the web host has gone overboard with security measures and is blocking perfectly valid code in order to plug a security hole elsewhere.

    Are you keeping the data separate from the SQL by using bind for the SQL? If not then you might try rewriting the code that way and see if that helps. The < and > could potentially be misinterpreted if you have the data and SQL jumbled together in a query and have a misplaced ' or ".

    If the data is actually supposed to be HTML, then converting those characters to entities would break the data and prevent it being able to be used properly when it is retrieved from the database, so you don't want to do that unless you can't avoid it.

    Other alternatives, if it is caused by an incorrect security setting by the web host, are to either convince them to fix the setting or to move to a better web host.
    Stephen J Chapman


  4. #4
    Thanks all for replying.

    GD said it's related to the Mod_Security setting. Feels like my only option is to add the data manually in phpMyAdmin

    I've never hit such limitation before with them... but it's so cheap I'll prob go the manual route till I can't take it anymore..

  5. #5
    Originally posted by felgall:
    "Are you keeping the data separate from the SQL by using bind for the SQL?"

    Yes. I'm using CI's Active Records. Even wrapping the code in htmlentities() did nothing....

  6. #6
    Wait a minute... I just tried my search form. At random I searched for 'varchar' and I got the same error.

    Wondering if this was GD going overboard with security, I tried some other SQL keywords like drop, update, execute, etc. and all were OK.

    Any idea why 'varchar' would give me the same 406?
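
Added example, not written by any poster in this thread: once the host attributes the 406 to mod_security, the next thing to establish is which rule fired on which request parameter, so a targeted exception can be requested instead of switching the filter off. This Python script extracts that from Apache error-log lines. It assumes the host exposes the error log and that it uses the common ModSecurity 2.x layout; the log lines, rule ids, messages and the search URI are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (rule ids, messages, addresses and the search URI
# are made up); only /index.php/manage/addedit and the 406 come from the thread.
SAMPLE_LOG = '''\
[Mon Jan 01 10:00:00 2024] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<[a-z]" at ARGS:content. [file "/etc/modsec/rules.conf"] [line "12"] [id "1000001"] [msg "Constructed: HTML tag in parameter"] [uri "/index.php/manage/addedit"] [unique_id "AAAA"]
[Mon Jan 01 10:02:00 2024] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Mon Jan 01 10:05:00 2024] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "varchar" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "40"] [id "1000002"] [msg "Constructed: SQL data type keyword"] [uri "/index.php/search"] [unique_id "BBBB"]
[Mon Jan 01 10:09:00 2024] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<[a-z]" at ARGS:content. [file "/etc/modsec/rules.conf"] [line "12"] [id "1000001"] [msg "Constructed: HTML tag in parameter"] [uri "/index.php/manage/addedit"] [unique_id "CCCC"]
'''

# [name "value"] metadata fields appended to each ModSecurity message
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# HTTP status the rule returned
DENIED = re.compile(r'ModSecurity: Access denied with code (\d+)')
# Variable the rule matched on, e.g. ARGS:content
TARGET = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')


def parse_denials(log_text, status="406"):
    """Return one dict per ModSecurity denial that produced `status`."""
    hits = []
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied or denied.group(1) != status:
            continue  # not a ModSecurity block, or a different status code
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        hits.append({
            "id": fields.get("id"),
            "uri": fields.get("uri"),
            "target": target.group(1) if target else None,
            "msg": fields.get("msg"),
        })
    return hits


def summarize(hits):
    """Count denials per (uri, matched variable, rule id)."""
    return Counter((h["uri"], h["target"], h["id"]) for h in hits)


if __name__ == "__main__":
    for (uri, target, rule_id), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{n}x rule {rule_id} on {target} at {uri}")
```

The (URI, variable, rule id) triples are what a host's support needs in order to exempt one parameter on one endpoint from one rule.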

