
I'm using a PHP code to insert content to MySQL database.

I use tinyMCE editor for content editing.

The problem is, when I use some HTML tags in the content, the server sends me 403 - Forbidden. But if I get rid of the HTML tags, I can insert my content, read it, edit it and delete it without any problem.

What can I do?

I've tried changing characters like "<", ">", "=" etc. to other strings like "aaaaa", "bbbbbbb" with str_replace. It works locally. It writes the data to the database like this and converts it back easily while reading.

I've tried base64_encode and decode too. This also worked locally.

But on the server, none of them worked. So I thought the problem is not about inserting; it's about posting, because I can't even echo my SQL query or the POST value. As soon as I click submit, I see 403.

What do you suggest?

I've heard somebody saying

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

but it's not secure. If I add these lines to my .htaccess, everything works fine.

Do you think I can modify this code for more security, or do I have to do something with my PHP script?

So you've asked about my PHP code. Here it is:

if(isset($_POST['add']))
{
    // Take the other parameters too:
    $_POST['icerik'] = mysqli_real_escape_string($myDatabaseLink, $_POST['icerik']);
    // Prepare the SQL query:
    $sorgu = sprintf("INSERT INTO table VALUES('%s')", $_POST['icerik']);
    echo $_POST['icerik']; // Can't even reach here while posting HTML (otherwise no problem)
    echo $sorgu;
    exit;
}

And the form layout. They're both on the same page, BTW:

<form action="#" method="post" name="blabla">
<table>
  <tr>
    <td>Content:</td>
    <td><textarea name="icerik" id="editor1" class="ckeditor" rows="10" cols="80"></textarea></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td><input type="submit" name="add" value="Add Post"></td>
  </tr>
</table>
</form>
Diga
    So, your POST request is being blocked by mod_security? You need to check your server error log to see which rule is being triggered, and then you need to figure out whether you can simply turn that rule off for this POST request, or whether you can change the request not to trigger that rule. – Matt Gibson Dec 19 '14 at 19:17
  • Did you see that .htaccess block in the question? Do you think using it is a good idea, or do I have to find another way? – Diga Dec 19 '14 at 19:19

1 Answer


On this page you can find more about mod_security and what options you have to deal with the problem - http://wiki.modxcms.com/index.php/What_is_mod_security_and_how_does_it_affect_me

Milen Georgiev
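The comment under the question describes the right procedure: read the id of the rule that produced the 403 from the ModSecurity error log, then exclude only that rule, and only for the page that legitimately carries HTML, instead of switching the engine off for the whole site as the .htaccess block in the question does. (That block is also ModSecurity 1.x syntax; 2.x replaced SecFilterEngine and SecFilterScanPOST with SecRuleEngine and SecRequestBodyAccess, and exclusions are done with SecRuleRemoveById.) The shell script below is an added example and is not code from the question, the answer or the linked wiki. The log lines, rule ids, client addresses and the /admin/add.php path are constructed for illustration, and the generated fragment assumes ModSecurity 2.x under Apache.

```shell
#!/bin/sh
# Constructed sample of ModSecurity 2.x error-log lines. Nothing here comes from a
# real server: the rule ids (9990xx), client addresses, hostname and URI are made up.
# Two requests to /admin/add.php were denied by the same rule; one more line is only a
# warning (no block) and the last line is unrelated Apache noise.
SAMPLE_LOG='[Fri Dec 19 19:05:12 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<[^>]+>" at ARGS:icerik. [file "/etc/modsecurity/example_rules.conf"] [line "41"] [id "999001"] [msg "Example: HTML tag in request argument"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/admin/add.php"] [unique_id "Xyz123"]
[Fri Dec 19 19:05:12 2014] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "=" at ARGS:icerik. [file "/etc/modsecurity/example_rules.conf"] [line "57"] [id "999002"] [msg "Example: attribute assignment in request argument"] [hostname "www.example.com"] [uri "/admin/add.php"] [unique_id "Xyz123"]
[Fri Dec 19 19:06:40 2014] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<[^>]+>" at ARGS:icerik. [file "/etc/modsecurity/example_rules.conf"] [line "41"] [id "999001"] [msg "Example: HTML tag in request argument"] [hostname "www.example.com"] [uri "/admin/add.php"] [unique_id "Abc456"]
[Fri Dec 19 19:07:02 2014] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico'

# denied_rule_ids URI
# Reads error-log lines on stdin and prints the distinct ids of rules that actually
# produced an "Access denied" for the given URI, one per line. Warnings (rules that
# matched but did not block) are deliberately left out: they are not what caused the 403.
denied_rule_ids() {
  grep 'ModSecurity: Access denied' \
    | grep -F "[uri \"$1\"]" \
    | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*/\1/p' \
    | sort -u
}

# scoped_exclusion URI ID...
# Emits an Apache fragment that removes only the listed rule ids, and only for the one
# path that needs to accept HTML. The engine stays on for every other request and
# every other rule, which is the difference from a site-wide "engine off".
scoped_exclusion() {
  uri="$1"; shift
  # Escape regex metacharacters in the literal path so "." does not match any character.
  escaped=$(printf '%s' "$uri" | sed 's/[][\.*^$]/\\&/g')
  printf '<LocationMatch "^%s$">\n' "$escaped"
  for id in "$@"; do
    printf '    SecRuleRemoveById %s\n' "$id"
  done
  printf '</LocationMatch>\n'
}

# Stand-alone run: find what blocked the editor's POST and print the fragment.
# On a real host replace SAMPLE_LOG with: tail -n 500 /var/log/apache2/error.log
ids=$(printf '%s\n' "$SAMPLE_LOG" | denied_rule_ids /admin/add.php)
echo "Rules that denied POST /admin/add.php: $ids"
scoped_exclusion /admin/add.php $ids
```

Put the generated fragment in the virtual-host configuration after the rule set has been included, since SecRuleRemoveById can only remove rules that are already loaded; whether a shared host honours these directives in .htaccess depends on how ModSecurity was built there. After deploying, submit the same content again and re-read the log: if a different rule now blocks it, add that id to the same LocationMatch rather than widening the exclusion to other paths or to the whole engine.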