PHP / Apache错误：406不可接受

Question

So I received this error today, I've narrowed it down to this issue:

My site is my musician page here . It allows people to come in and see photos of me, news, my music and events I'm playing at.

Everything was going swell, I manually input data into MySQL to have it auto-feed to the home page. Now I'm adding the control panel so I can add, edit, delete things in the database from the web.

Everything works fine except for the ability to add/edit events. I've narrowed it down to the fact that I can't input 2 URLs or I get this error. I NEED to input 2 URLs (one to view the event page, one to buy tickets) but I can't input more than 1 at a time, is there anything I can do to correct or work around this error whether in apache or my code?

<?php
    $specevlink = "http://facebooklink.com";
    $specgigtick = "http://ticketplacelink.com";
?>
     <form method="post" action="index.php?page=editgigs">
         <table>
                <tr>
                     <td>
                          Event Page (Link):
                     </td>
                     <td style="text-align: left;">
                          <input type="url" name="giglink" value="<?php echo $specevlink; ?>" />
                     </td>
                </tr>
                <tr>
                     <td>
                          Event Tickets (Link):
                     </td>
                     <td style="text-align: left;">
                          <input type="url" name="gigtick" value="<?php echo $specgigtick; ?>" />
                     </td>
                </tr>
         </table><br />
         <input type="submit" name="editgig" value="submit" /><br />
         <br />
     </form>

EDIT:

I'm adding the full line of code so you can see exactly what I'm using,

Here's a pic of step 1 Here's a pic of step 2

This is included into an index.php file:

<?php
if(isset($_GET["page"])){
$page = $_GET["page"];
} else {
$page = "";
}

if($page === "editgigs"){
 include ('inc/logincheck.php');
?>
 <div class="label">
      EDIT GIGS
 </div><br />
 <div style="margin: 0 auto; text-align: center; width: 100%">
      <form method="post" action="index.php?page=editgigs">
<?php
      if(!isset($_POST['selectgigs'])){
           if(!isset($_POST['updgigs'])){
?>
                Select one of the options below:<br />
                <br />
                <select name="selgigs" style="max-width: 26%;">
<?php
                     while($gigsall_data = mysqli_fetch_array($gigsall_query)){
                          $gigid = stripslashes($gigsall_data['idgigs']);
                          $gigdate = stripslashes($gigsall_data['date']);
                          $gigname = stripslashes($gigsall_data['name']);
                          $gigdate = date('F j, Y', strtotime($gigdate));
?>
                          <option value="<?php echo $gigid; ?>">
                               <?php echo $gigdate; ?>: <?php echo $gigname; ?>
                          </option>
<?php
                     }
?>
                </select><br /><br />
                <input type="submit" name="selectgigs" value="Select" /><br />
                <br />
<?php
           }
      }
      if(isset($_POST['selectgigs'])){
           $gigtoed = trim($_POST['selgigs']);
           $specgig_query = mysqli_query($con, "SELECT * FROM `gigs` WHERE `idgigs` = '$gigtoed'") or die(mysqli_error($con));
           $specgig_data = mysqli_fetch_array($specgig_query);
           $specdate = stripslashes($specgig_data['date']);
           $specname = stripslashes($specgig_data['name']);
           $specevlink = stripslashes($specgig_data['evlink']);
           $specgigtick = stripslashes($specgig_data['ticklink']);
           $specnos = stripslashes($specgig_data['noshow']);
           if($specnos === '0'){
                $noshow = '';
           } else {
                $noshow = 'checked';
           }
?>
           <table style="border-spacing: 5px; padding: 10px;">
                <tr>
                     <td>
                          Past Event?:
                     </td>
                     <td style="text-align: left;">
                          <input type="checkbox" name="nos" <?php echo $noshow; ?> /> Past Event
                     </td>
                </tr>
                <tr>
                     <td>
                          Date:
                     </td>
                     <td style="text-align: left;">
                          <input type="date" name="gigdate" value="<?php echo $specdate; ?>" required />
                     </td>
                </tr>
                <tr>
                     <td>
                          Name:
                     </td>
                     <td style="text-align: left;">
                          <input type="text" name="gigname" value="<?php echo $specname; ?>" required />
                     </td>
                </tr>
                <tr>
                     <td>
                          Event Page (Link):
                     </td>
                     <td style="text-align: left; width: 350px;">
                          <input type="url" name="giglink" style="width: 100%;" value="<?php echo $specevlink; ?>" />
                     </td>
                </tr>
                <tr>
                     <td>
                          Event Tickets (Link):
                     </td>
                     <td style="text-align: left; width: 350px;">
                          <input type="url" name="gigtick" style="width: 100%;" value="<?php echo $specgigtick; ?>" />
                     </td>
                </tr>
           </table><br />
           <input type="hidden" name="gigid" value="<?php echo $gigtoed; ?>" />
           <input type="submit" name="updgigs" value="Update" /><br />
           <br />
<?php
      }
      if(isset($_POST['updgigs'])){
           $newid = trim($_POST['gigid']);
           $newdate = mysqli_real_escape_string($con, trim($_POST['gigdate']));
           $newname = mysqli_real_escape_string($con, trim($_POST['gigname']));
           $newlink = mysqli_real_escape_string($con, trim($_POST['giglink']));
           $newtick = mysqli_real_escape_string($con, trim($_POST['gigtick']));
           if(isset($_POST['nos'])){
                $newnoshow = mysqli_real_escape_string($con, '1');
           } else {
                $newnoshow = mysqli_real_escape_string($con, '0');
           }
           echo $newid.' '.$newdate.' '.$newname.' '.$newlink.' '.$newtick.' '.$newnoshow.'<br />';
           /*mysqli_query($con, "UPDATE `gigs` SET `date` = '$newdate', `name` = '$newname', `evlink` = '$newlink', `ticklink` = '$newtick', `noshow` = '$newnoshow' WHERE `idgigs` = '$newid' LIMIT 1") or die(mysqli_error($con));*/ //commented for testing
?>
           <div style="text-align: center;">
                <span class="confirm">
                     Successfully updated click <a href="index.php?page=events">here</a> to view it!
                </span>
           </div>
<?php
      }
?>
      </form>
 </div>
<?php
}

FYI- the logincheck.php is does nothing but check if the user is logged in, if not it sends them back to the home page.

Answer 1

Your website is generating error if any user input item is starting with either http:// or https:// .

When I try with a link starting with http:// I got a 406 Not Acceptable :

http://onkore.us/?blah=http://www.google.com

It is fine when I try this :

http://onkore.us/?blah=www.google.com

You've mentioned that you are having problem if it is more than one link , but when I try with two links like below , it is being fine :

http://onkore.us/?blah1=www.google.com&blah2=www.google.com

However either you could find and fix the issue which might be specific to your server configuration or you could try a work around .

I am not sure if this workaround helps , but considering that http:// or https:// are creating the issue , what I am thinking is to remove the http:// and https:// from user input . First you might want to try changing <input type="url" to <input type="text" so that URL format is not enforced . Then you could use Javascript to remove occurrences of http:// and https:// from the user input in the form before submitting to server . Additionally you could remove these from the data before populating the form values .

Hope this helps .

Regex : How to remove 'http://' from a URL in JavaScript

Answer 2

This error means that for example, you are asking the server for books (And you only understand Spanish). The server only has English and German Books.
Therefore the server has your answer but it will not give it to you, because he knows you won't do anything useful or you will do something bad with it!! (like not reading the books and throwing them to people's heads, for example).

406 Not Acceptable" is an unusual status code - the most common are 200, 404, 500, 301. You only see a 406 when something is wrong with the server, usually something silly but hard to diagnose.

Also:

This general error means the request you made was detected as a potential hack attempt to the server [...]
https://billing.stablehost.com/knowledgebase/178/What-does-406-Not-Acceptable-mean.html

---

The most common solution for this error is related with mod_security.

1. Mod_security

ModSecurity can monitor the HTTP traffic in real time in order to detect attacks [...] it operates as a web intrusion detection tool. ModSecurity can also act immediately to prevent attacks from reaching your web applications.

This 406 error might be from mod_security as a response from a possible attack via POST, passing some url's instead of plain and normal text.

The most common solution is to disable the POST scan and mod_security filtering in htaccess:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Also, in the terminal, execute:

sudo a2dismod security2_module 
sudo service apache2 restart 

To deactivate ModSecurity.

If that does not work, then edit the file

/etc/apache2/mod-security/modsecurity_crs_10_config.conf

And add a # at the beggining of the line that has something like this:

SecDefaultAction “phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace”

Finally, restart apache

sudo service apache2 restart

Answer 3

I have been having this problem for a while and only once in a while, so it was hard to identify.

However, after some testing I have found the mistake in my case. It may be not in yours, but if anyone is having 406 Not Acceptable error it is worth a shot.

In my case that error occured whenever posted data had 'shell:' in it, which as I would guess is interpreted wrong and error is thrown. Solution for me was to replace that string before posting it.