Confused about saving html into database

Sortof a hybrid PHP mysql question, maybe…

I have a (codeigniter) project that saves html into a mysql database. Usually <pre>, <code> and <p>. Inserting and Updating the db worked fine locally. Once I moved the project to a GD hosted account I get a ‘406 Not Acceptable’ error when I attempt to update or insert content that includes opening or closing html brackets < >:

Not Acceptable

An appropriate representation of the requested resource /index.php/manage/addedit could not be found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

If I removed the < and > from content being inserted/updated it works fine. I thought this was an encoding problem. I did find that my local database was set to utf8_unicode_ci whereas the GD live database was set to latin1_swedish_ci. I changed the live db charaset to utf8_unicode_ci but same problem.

What other checks should I make to successfully update/insert html brackets ( < > ) into the db?

Sounds like a security thing to prevent having script tags in the database.

Can you change them to entities instead?

Sounds like the web host has gone overboard with security measures and is blocking perfectly valid code in order to plug a security hole elsewhere.

Are you keeping the data separate from the SQL by using bind for the SQL? If not then you might try rewriting the code that way and see if that helps. The < and > could potentially be misinterpreted if you have the data and sql jumbled together in a query and have a misplaced ’ or "

If the data is actually supposed to be HTML then converting those characters to entities would break the data and prevent it being able to be used properly when it is retrieved from the database so you don’t want to do that unless you can’t avoid it.

Other alternatives if it is caused by an incorrect security setting by the web host is to either convince them to fix the setting or to move to a better web host.

Thanks all for replying.

GD said it’s related to the Mod_Security setting. Feels like my only option is to add the data manually in phpMyAdmin :frowning:

I’ve never hit such limitation before with them… but it’s so cheap I’ll prob go the manual route till I can’t take it anymore…

Yes. I’m using CI’s Active Records. Even wrapping the code in htmlentities() did nothing…

Wait a minute… I just tried my search form. At random I searched for ‘varchar’ and I got the same error.

Wondering if this was GD going overboard with security I tried some other sql keywords like drop, update, execute, etc. and all were OK.

Any idea why ‘varchar’ would give me the same 406?