
While doing a quick test to check against SQL injection (not exhaustive, just out of curiosity), I typed

'OR 1=1

into my search bar, and the server threw me a 406 HTTP error. I found it odd and thought it might be a SQL problem, but with other cursory SQL-injection tests such as

'OR true

the website reacted correctly and delimited the '. I feel at this point it's safe to say it's not a SQL issue, although just in case here is the PHP sanitizing code

$query = trim(str_replace(array('%', '_'), array('\\%', '\\_'), mysqli_real_escape_string($con, htmlspecialchars($query))));

According to a quick Google search (source1, source2, source3), a 406 error is when the type of data returned does not match the HTTP request header. I find it odd that there is a type mismatch since other queries work just fine. In fact

'OR 1

'OR 1=

both work fine (i.e. they are properly escaped). Regular search results, i.e. non-malicious ones, also return properly. Any advice as to why this is happening? I am hosting using GoDaddy if that means anything.

Jane Doe
    Why oh why oh why are you relying on that kind of ad-hoc sanitizing "logic", rather than eliminating the problem entirely by using prepared statements? – Oliver Charlesworth Feb 16 '14 at 01:30
  • Now that you mention it I should switch to prepared statements (sorry I am still learning web dev..); however I do not think that is causing the problem? – Jane Doe Feb 16 '14 at 01:38
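For comparison with the escaping line in the question, here is the same search written with a prepared statement, as an added example that is not part of the original post. It assumes `$con` is an open mysqli connection and a hypothetical `items` table with a `name` column; the LIKE wildcards are still escaped, but the user's text is bound as a parameter and HTML encoding moves to output time.

```php
<?php
// Added example (not from the original question). Assumes $con is an open
// mysqli connection and a hypothetical table `items` with a `name` column.

/**
 * Escape only the LIKE metacharacters so the user's text matches literally.
 * The backslash is escaped first; otherwise a trailing "\" in the input could
 * cancel the escaping of a following "%" or "_". MySQL's default LIKE escape
 * character is the backslash, so no ESCAPE clause is needed.
 */
function escapeLikePattern(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

function searchItems(mysqli $con, string $term): array
{
    // The user's text travels as a bound parameter, separate from the SQL,
    // so a quote in it ("'OR 1=1") can never alter the statement's structure.
    $stmt = $con->prepare(
        "SELECT id, name FROM items WHERE name LIKE CONCAT('%', ?, '%')"
    );
    $pattern = escapeLikePattern(trim($term));
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Encode for HTML when rendering, not before the query: the database keeps the
// original text and each output context gets the escaping it actually needs.
foreach (searchItems($con, $_GET['q'] ?? '') as $row) {
    echo '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

Note that a web application firewall such as mod_security inspects the raw request before PHP runs, so a prepared statement removes the injection risk but does not by itself change a 406 block on input that matches its rules.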

3 Answers


When mod_security is enabled, it throws a 406 error if it detects "obvious" SQL injections. Look at your logs, it must say something like:

ModSecurity: Access Denied with code 406 [...] [tag "WEB ATTACK/SQL INJECTION"]

mombul


406 Not Acceptable
The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.

Many webservers (or extensions to them) can detect & block potential SQL injection attacks. This has nothing to do with your PHP code.

Martin Tournoij


Actually, what 406 really means is:

  • The browser has asked for a particular kind of response format (for example "text/html") via an Accept header in the request.

  • The server is saying "I cannot give you the response in that format".

To diagnose this, you need to figure out what is being requested (e.g. using browser-side web developer tools), what part of your server code the request is going to (from careful examination of the server logs?) and why it does not (cannot) send the requested response format.


UPDATE

It looks like there is a PHP-specific answer to this ... in which PHP is "co-opting" the 406 response code to mean something different from the meaning intended by the HTTP spec writers. See other answers. (But my advice on diagnosing this should lead you to that message in the log file.)

Stephen C