CodeIgniter (CI) automatically strips the percent sign % and the two digits after it

Source: Internet
Author: User
This post works through the problem of CodeIgniter (CI) automatically stripping the percent sign % and the two digits after it. On a website built with CodeIgniter, you want to enter a piece of code:

$var = sprintf("%04d", 2);

However, the code becomes

$var = sprintf("d", 2);

I tested both the online environment and the local environment, and finally confirmed that the problem lies in the CodeIgniter system itself. Next, let's go through the troubleshooting process and the reasoning behind it:

1. Is it permitted_uri_chars in config.php?

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

I found a few similar questions on Stack Overflow, and the answers say to change permitted_uri_chars in config.php:

Ahem... after looking at your sample string again. Here is why you get "The URI you submitted has disallowed characters".

Short explanation: Add the ampersand & to the allowed characters list

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_+&-';

I tried it and it didn't work, so I looked for the code that applies $config['permitted_uri_chars'].

2. Is it a problem with the _clean_input_keys() function in core/Input.php?

function _clean_input_keys($str)
{
    $config = &get_config('config');
    if ( ! preg_match("/^[".$config['permitted_uri_chars']."]+$/i", rawurlencode($str)))
    {
        exit('Disallowed Key Characters.');
    }

    // Clean UTF-8 if supported
    if (UTF8_ENABLED === TRUE)
    {
        $str = $this->uni->clean_string($str);
    }

    return $str;
}

This function uses $config['permitted_uri_chars'] to filter POST data directly, which makes it a likely cause. After testing, though, I found that posting $var = sprintf("%04d", 2); through it still gives $var = sprintf("%04d", 2); so %04 is not filtered here. It seems I have to look more carefully.

3. Is it the XSS defense mechanism?

One person on Stack Overflow said that he solved the problem perfectly, and that xss clean was the reason:

:) God damn URLDECODE, I have looked at the code in URI.php but the xss clean is doing the job so I missed it. Thank you now everything is perfect. - RaduM

So I found the xss_clean() function in core/Security.php. I commented out the whole function body and found that %04 was still filtered out of the input, so this is obviously not an XSS issue.

4. The problem lies in the _clean_input_data() function.

Going back to Input.php, I found that _clean_input_data() is used together with _clean_input_keys():

$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);

So I commented out the function body of _clean_input_data(), and the input was no longer filtered. Narrowing the scope further, I found that this code is what causes the damage:

// Remove control characters
// This will filter out %0x
$str = remove_invisible_characters($str);

5. The culprit: the remove_invisible_characters() function.

So what is the remove_invisible_characters() function?

This function is in core/Common.php. Here it is:

function remove_invisible_characters($str, $url_encoded = TRUE)
{
    $non_displayables = array();

    // every control character except newline (dec 10),
    // carriage return (dec 13), and horizontal tab (dec 09)
    if ($url_encoded)
    {
        $non_displayables[] = '/%0[0-8bcef]/';  // url encoded 00-08, 11, 12, 14, 15
        $non_displayables[] = '/%1[0-9a-f]/';   // url encoded 16-31
    }

    $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';  // 00-08, 11, 12, 14-31, 127

    do
    {
        $str = preg_replace($non_displayables, '', $str, -1, $count);
    }
    while ($count);

    return $str;
}

Look at the following lines of code:

if ($url_encoded)
{
    $non_displayables[] = '/%0[0-8bcef]/';  // url encoded 00-08, 11, 12, 14, 15
    $non_displayables[] = '/%1[0-9a-f]/';   // url encoded 16-31
}

Clearly, these patterns remove three-character sequences starting with %0 and %1, which is why the %04 in %04d disappears. Commenting out these lines solves the problem.
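The effect of the two URL-encoded patterns, as an added example (not code from the original post or from CodeIgniter itself): strip_invisible() is a standalone copy of the logic above under an assumed name, and the sample inputs are constructed. It compares the default behaviour with $url_encoded = FALSE and shows what the patterns are there to catch.

```php
<?php
// Added example: standalone copy of the logic of remove_invisible_characters()
// shown above, under a hypothetical name so it runs outside CodeIgniter.
function strip_invisible($str, $url_encoded = TRUE)
{
    $patterns = array();
    if ($url_encoded) {
        $patterns[] = '/%0[0-8bcef]/';  // url encoded 00-08, 11, 12, 14, 15
        $patterns[] = '/%1[0-9a-f]/';   // url encoded 16-31
    }
    $patterns[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';  // raw control bytes
    do {
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($count);
    return $str;
}

// Constructed sample inputs (single-quoted, so nothing is interpolated).
$samples = array(
    '$var = sprintf("%04d", 2);',      // the case from this page
    'printf("%08.2f %10s", $a, $b);',  // other format specifiers that collide
    'printf("%4d", $n);',              // not matched by either pattern
    'file.php%00.jpg',                 // URL-encoded NUL byte
);

foreach ($samples as $s) {
    $default  = strip_invisible($s);         // default: URL-encoded patterns on
    $raw_only = strip_invisible($s, FALSE);  // URL-encoded patterns skipped
    printf("input   : %s\n", $s);
    printf("default : %s\n", $default);
    printf("raw only: %s\n", $raw_only);
    // With the patterns skipped, %00 survives, and a later urldecode()
    // turns it into a real NUL byte inside the string.
    $has_nul = strpos(urldecode($raw_only), "\0") !== FALSE;
    printf("NUL after urldecode: %s\n\n", $has_nul ? 'yes' : 'no');
}
```

Commenting the patterns out in core/Common.php gives every caller the "raw only" behaviour, so URL-encoded control characters such as %00 are no longer stripped anywhere in the application.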

This is a record of the whole thought process behind solving this problem.
