Percent character replaced in Codeigniter

再見小時候 2021-01-13 15:12

In Codeigniter I'm sending a string using POST method as "%100" and it becomes "0". I believe this is because they're being treated as encode

3 answers
  • 2021-01-13 15:52

    Just look for the remove_invisible_characters() function defined in the CodeIgniter system/core/Common.php which is called by the function CI_Input::_sanitize_globals(). It is responsible for the cleanup of certain escape sequences starting with "%". I prefer to override the input class to disable the automatic sanitization of the globals.

  • 2021-01-13 15:59

    Instead of removing the rawurldecode function, you could create your own MY_Security class that you can then use to override the xss_clean function. Maybe use PHP's rawurlencode function before calling the parent xss_clean function. Something like this:

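    <?php
    
    // CodeIgniter's core security class is CI_Security; MY_ is the extension prefix.
    class MY_Security extends CI_Security {
    
        public function __construct() {
            parent::__construct();
        }
    
        // Encode first so the decode inside the parent's xss_clean()
        // returns the value as it was submitted.
        public function xss_clean($str, $is_image = FALSE) {
            $str = rawurlencode($str);
            return parent::xss_clean($str, $is_image);
        }
    
    }
    
    ?>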
    

    That will encode the value so that when it's decoded by the parent function, you'll have the original value you submitted.

  • 2021-01-13 16:02

    I believe the problem here is nothing to do with CI or even PHP, but with your HTTP request.

    Let's say I make a POST request that looks like this:

    POST /path/to/file HTTP/1.1
    Host: server.com
    User-Agent: Bob the browser/1.0
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 25
    
    name=Dave&percentage=%100
    

    What you are probably expecting is for $_POST to look like this:

    Array
        (
            [name] => Dave
            [percentage] => %100
        )
    

    But, in fact PHP will (correctly) decode it as this:

    Array
        (
            [name] => Dave
            [percentage] => 0
        )
    

    This is because %10 is a valid url encoded string, and will be translated to the non-printable and in this context meaningless "Data Link Escape" character, ASCII 0x10.

    In order to get the result you expect, the request needs to be like this:

    POST /path/to/file HTTP/1.1
    Host: server.com
    User-Agent: Bob the browser/1.0
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 27
    
    name=Dave&percentage=%25100
    

    So the value you actually send in the POST body is %25100. This will be correctly decoded as %100.

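The two request bodies from the last answer, worked through as an added JavaScript example (not code from any of the answers, and not CodeIgniter's own code). It builds the body with and without percent-encoding, decodes each the way a form parser does, and shows what is left once control characters are dropped. `stripControlChars` and `suspiciousEscapes` are hypothetical helpers: the first is a simplified stand-in for an input filter, the second a server-side check that flags escapes pointing to an unencoded literal `%`.

```javascript
// Form values exactly as typed by the user (constructed sample input).
const fields = { name: 'Dave', percentage: '%100' };

// Naive body: values concatenated unencoded, like the first request above.
function buildBodyNaive(obj) {
  return Object.entries(obj).map(([k, v]) => `${k}=${v}`).join('&');
}

// Correct body: URLSearchParams percent-encodes values, so "%" becomes "%25".
function buildBodyEncoded(obj) {
  return new URLSearchParams(obj).toString();
}

// What an application/x-www-form-urlencoded parser does on the server.
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Hypothetical, simplified stand-in for an input filter that drops
// non-printable control characters (tab, LF and CR are kept).
function stripControlChars(s) {
  return s.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/g, '');
}

// Hypothetical server-side check on the raw body: report a bare "%" and any
// escape that decodes to a control character; both suggest the client
// sent a literal "%" without encoding it.
function suspiciousEscapes(body) {
  const hits = [];
  for (const m of body.matchAll(/%([0-9a-fA-F]{2})?/g)) {
    if (m[1] === undefined) { hits.push(m[0]); continue; }
    const byte = parseInt(m[1], 16);
    const kept = [0x09, 0x0a, 0x0d].includes(byte);
    if ((byte < 0x20 && !kept) || byte === 0x7f) hits.push(m[0]);
  }
  return hits;
}

for (const build of [buildBodyNaive, buildBodyEncoded]) {
  const body = build(fields);
  const decoded = parseBody(body).percentage;
  console.log(build.name, JSON.stringify({
    body,
    decoded,                               // JSON shows \u0010 explicitly
    filtered: stripControlChars(decoded),
    suspicious: suspiciousEscapes(body),
  }));
}
```

Logging the result of `suspiciousEscapes` on the raw body before any sanitization runs makes this class of silent value change visible instead of leaving only the altered value in `$_POST`.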