CI automatically filters out the last two digits of the percentage sign % to solve the problem

Source: Internet
Author: User
Tags control characters

Enter a piece of code on the CodeIgniter Website:

$var = sprintf("%04d", 2);

However, the Code becomes

$var = sprintf("d", 2);

In the online environment, both local environments have been tested, and the final confirmation is a problem with the CodeIgniter system. Next, let's talk about the problem solving process and thinking methods:

1. Is it config. php's permitted_uri_chars?

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

Find a few similar questions on stackoverflow and have the answer to change config. php's permitted_uri_chars.

Ahem... after looking at your sample string again. Here is why you get"The URI you submitted has disallowed characters".

Short explanation: Add the ampersand & to the allowed characters list

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_+&-';

I tried it and it didn't work, so I found the code for applying $ config ['permitted _ uri_chars.

2. Is it a problem with the _ clean_input_keys () function of core/Input. php?

function _clean_input_keys($str)   {   $config = &get_config('config');   if ( ! preg_match("/^[".$config['permitted_uri_chars']."]+$/i", rawurlencode($str)))   {   exit('Disallowed Key Characters.');   }   // Clean UTF-8 if supportedif (UTF8_ENABLED === TRUE){$str = $this->uni->clean_string($str);}return $str;   } 

This function uses $ config ['permitted _ uri_chars'] to directly filter post data, which is a major cause. After testing, I found that post $ var = sprintf ("% 04d", 2); the result is still $ var = sprintf ("% 04d ", 2);, % 04 is not filtered. It seems that you have to find it carefully.

3. Is it an xss defense mechanism?

One person in stackoverflow said that he solved the problem perfectly, which is the reason for xss clean.

:) God damn URLDECODE, I have looked at the code in URI. php but the xss clean is doing the job so I missed it. Thank you now everything is perfect.-RaduM

So I found the xss_clean () function under core/security. php. Comment out all the function body code and find that the input still filters out % 04, which is obviously not an xss issue.

4. The problem lies in the _ clean_input_data () function.

Return to Input. php and find that _ clean_input_data is related to _ clean_input_keys.

$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);

So I commented out the function body of _ clean_input_data (), and the input was not filtered out. Continue to narrow down the scope and find that this code has caused a disaster:

// Remove control characters // This will filter out % 0x $ str = remove_invisible_characters ($ str );

5. The Culprit found the remove_invisible_characters () function.

So what is the remove_invisible_characters () function?

This function is in core/Common. php and I pull it out:

function remove_invisible_characters($str, $url_encoded = TRUE){$non_displayables = array();// every control character except newline (dec 10)// carriage return (dec 13), and horizontal tab (dec 09)if ($url_encoded){$non_displayables[] = '/%0[0-8bcef]/';// url encoded 00-08, 11, 12, 14, 15$non_displayables[] = '/%1[0-9a-f]/';// url encoded 16-31}$non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';// 00-08, 11, 12, 14-31, 127do{$str = preg_replace($non_displayables, '', $str, -1, $count);}while ($count);return $str;}

Look at the following lines of code:

if ($url_encoded){$non_displayables[] = '/%0[0-8bcef]/';// url encoded 00-08, 11, 12, 14, 15$non_displayables[] = '/%1[0-9a-f]/';// url encoded 16-31}

Clearly, it will filter out the three characters starting with % 0 and % 1. Comment out this and solve the problem.

Record the whole process of thinking about solving this problem.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.