tags:

views:

1263

answers:

6
+3  Q: 

PHP Query String Limit

I have PHP 5.1.6 (cli) installed and whenever the GET query string is more than 128 characters it fails with HTTP 406 Not Acceptable error. Any suggestions how I can fix this so can use more than 128 characters? POST is not an option.

The error is being returned by the server so don't think it's browser issue. And the reason I think it's PHP and not Apache is because it works fine with an HTML file.

GET /test.php?phptestof129characterstring-NEW-WOVEN-FENCE-PANELS-GARDEN_W0QQitemZ200303392512QQihZ010QQcategoryZ139954QQtcZphotoQQcmdZViewItem
HTTP/1.1
Host: *****
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: agent_name=Tim

HTTP/1.1 406 Not Acceptable
Date: Tue, 03 Feb 2009 12:05:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 0
Connection: close
Content-Type: text/html


GET /test.html?phptestof129characterstring-NEW-WOVEN-FENCE-PANELS-GARDEN_W0QQitemZ200303392512QQihZ010QQcategoryZ139954QQtcZphotoQQcmdZViewItem
HTTP/1.1
Host: *****
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: agent_name=Tim

HTTP/1.1 200 OK
Date: Tue, 03 Feb 2009 12:18:19 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 19 Dec 2008 15:01:17 GMT
ETag: "156960d-221-94be8940"
Accept-Ranges: bytes
Content-Length: 545
Connection: close
Content-Type: text/html
A: 

Use POST instead.

Dev er dev  2009-02-03 14:42:09
"POST is not an option."
Ross  2009-02-03 14:43:31
+1  A: 

Do you have mod_security enabled on your webserver? It sounds like something it would do. If so, you may be able to disable locally inside your <VirtualHost> block or with an .htaccess file for v1.x

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Version 2.x has different configuration syntax:

<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>

That's a bit of a brute force approach, you may want to read the documentation to see how you might allow particular URIs to pass through. See also Handling False Positives and Creating Custom Rules

Paul Dixon  2009-02-03 14:46:42
A: 

As a work-around, you can try using Javascript to put the data in cookies. The cookies will be sent automatically with every GET request, and give you an extra 2KB of data space (if I'm not mistaken).

This is very risky if you don't want to transmit that data with every request, so generally speaking I would recommend against it.

Pies  2009-02-03 14:49:45
Or he could use $_SESSION
Click Upvote  2009-02-03 14:51:24
Obviously, but think that's beyond the scope of the question. I'm assuming he's working with legacy code or something.
Pies  2009-02-03 14:55:38
Though my answer does require changes to the server-side code, so maybe you're right.
Pies  2009-02-03 14:56:57
The requests come from a third party application so unfortunately this wouldn't work. That's also why I can't use POST. It's normally not a problem because most request are less than 128 characters, but just recently became aware of this issue.
Tim  2009-02-03 15:09:50
A: 

It looks like mod_security is indeed enabled, but adding "SecFilterEngine Off" and "SecFilterScanPOST off" to htaccess file has made no difference.

Tim  2009-02-03 14:55:33
what version do you have - have amended my post for v2.x
Paul Dixon  2009-02-03 15:02:54
Just tried your suggestion for v2 but that's not done it either.This is what's in httpd.conf:LoadModule security_module /usr/lib/httpd/modules/mod_security.soDon't know how I can tell what version it is?
Tim  2009-02-03 15:06:42
Maybe you can't override it .htaccess, perhaps you could add directly to your <virtualhost> block?
Paul Dixon  2009-02-03 15:12:05
I tried commenting out the LoadModule line for mod_security and reset Apache - it was still generating 406 error when query string exceeded 128 characters though. I assume this means mod_security can be ruled out as the culprit behind the errors?
Tim  2009-02-03 15:37:42
The behaviour still seems more like mod_security than PHP. After commenting it out, is there any mention of it in the output of apache2 -M (this lists all static and dynamic modules)
Paul Dixon  2009-02-03 17:32:02
A: 

It's a long shot, but try adding:

header('Content-Type: text/html');

to your server-side code. If that doesn't help, check your Apache configuration, maybe it's misconfigured so that PHP files can't emit text/html MIME type. If that doesn't help, how about setting up Apache so that .html files are treated as PHP and rename the target script to .html?

BTW, from http://www.checkupdown.com/status/E406.html :

A client (e.g. your Web browser or our CheckUpDown robot) can indicate to the Web server characteristics of the data it will accept back from the Web server. This is done using 'accept headers' of the following types:

  • Accept: The MIME types accepted by the client. For example, a browser may only accept back types of data (HTML files, GIF files etc.) it knows how to process.
  • Accept-Charset: The character sets accepted by the client.
  • Accept-Encoding: The data encoding accepted by the client e.g. the file formats it understands.
  • Accept-Language: The natural languages (English, German etc.) accepted by the client.
  • Accept-Ranges: Whether the client accepts ranges of bytes from the resource i.e. a portion of the resource.

If the Web server detects that the data it wants to return is not acceptable to the client, it returns a header containing the 406 error code.

Pies  2009-02-03 15:05:55
A: 

Have found answer thanks to comment from Ben.

Although this generates 406 error: test.php?129+characters

This works fine: test.php?data=129+characters

So my guess is that in the first instance PHP is attempting to use the 129 characters as name in $_GET array whereas the second example has only 4 characters for the name and the rest is assigned as value, so array must have 128 character limit for index name.

Tim  2009-02-03 15:45:43
php 5.2.3 doesn't exhibit that behaviour
Paul Dixon  2009-02-03 16:04:05

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases