I am facing a problem with my web host, 123-Reg and their basic Linux startup package. To summarise what this package contains, it is a small scale shared hosting environment with support for PHP.
I am developing a content management system which writes data to a flat file DB, as the client I am working for doesn't want to purchase a database to go alongside the hosting.
The simplified code I am using is as follows:
<?php session_start(); $Content = $_POST['Content']; $Category = $_POST['Category']; $Page = $_POST['Page']; file_put_contents($_SERVER['DOCUMENT_ROOT'].'/usr/SiteFiles/'.$Page, $Content); $Links = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/usr/SysFiles/'.$Category); $Links = $Links.$Page."*"; file_put_contents($_SERVER['DOCUMENT_ROOT'].'/usr/SysFiles/'.$Category, $Links); die(Header('Location: /CMS/Errors/Saved.php')); ?>
When this is written to the text file DB, any control characters such as speech marks are being escaped with a slash. Something along the lines of
He said "FooBar" would turn up as
He said \"FooBar\"
When I contacted the web host, they said this was a problem with my code and the only way to resolve this was to upgrade to a VPS.
The way I see it, upgrading to a VPS wouldn't make a single bit of difference if the issue was with the code. Furthermore, the code itself writes to the DB but it is being intercepted between transmission and storage. Equally they couldn't point out the issue with the code, and responded simply with the "solution" to upgrade to a VPS.
Before I pursue the case further, is there any possibility it could be an issue with my code? Or is it more likely the web host implementing some sort of security feature (similar to HTMLSpecialChars) to prevent code execution by people who use this style of DB for a public comment system etc.