CI自动过滤掉百分号%后两位的问题解决
在 CodeIgniter 做的网站里,想输入一段代码:
$var = sprintf("%04d", 2);
但是发现入库后,代码变成了
$var = sprintf("d", 2);
在网上环境,本地环境都测试过,最终确认是 CodeIgniter 系统的问题。下面谈一下问题解决的过程与思维方法:
1. 是 config.php 的 permitted_uri_chars 吗?
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
在 stackoverflow 上找到几个差不多的问题,有答案说改 config.php 的 permitted_uri_chars 就行了。
Ahem... after looking at your sample string again. Here is why you get "
The URI you submitted has disallowed characters".Short explanation: Add the ampersand & to the allowed characters list
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_+&-';Copy after login
试过了,没效果,于是就查找应用了 $config['permitted_uri_chars'] 的代码。
2. 是 core/Input.php 的 _clean_input_keys() 函数问题吗?
function _clean_input_keys($str)
{
$config = &get_config('config');
if ( ! preg_match("/^[".$config['permitted_uri_chars']."]+$/i", rawurlencode($str)))
{
exit('Disallowed Key Characters.');
}
// Clean UTF-8 if supported
if (UTF8_ENABLED === TRUE)
{
$str = $this->uni->clean_string($str);
}
return $str;
}
这个函数使用了 $config['permitted_uri_chars'] 直接过滤 post 过来的数据,很大原因就是元凶了。我把它单独出来,经过测试发现,post $var = sprintf("%04d", 2); 过来,结果还是 $var = sprintf("%04d", 2); ,%04并未被过滤,看来还得细细地找。
3. 是 xss 的防御机制吗?
stackoverflow 有个人说他完美解决了这个问题,是 xss clean 的原因。
:) God damn URLDECODE, I have looked at the code in URI.php but the xss clean is doing the job so I missed it. Thank you now everything is perfect. – RaduM
于是我找到了 core/security.php 下的 xss_clean() 函数。把函数体代码全部注释掉,发现输入还是会把 %04 过滤掉,显然也不是 xss 的问题。
4. 问题出在 _clean_input_data() 函数
重新回到 Input.php,发现 _clean_input_data 与 _clean_input_keys 有联系。
$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
于是把 _clean_input_data() 的函数体注释掉,竟然输入没被过滤了。继续缩小范围,发现是这段代码惹得祸:
// Remove control characters // 就是这个会把%0x过滤掉 $str = remove_invisible_characters($str);
5. 元凶找到了 remove_invisible_characters() 函数
那么 remove_invisible_characters() 这个函数是什么呢?
这个函数在 core/Common.php中,我把它揪出来:
function remove_invisible_characters($str, $url_encoded = TRUE)
{
$non_displayables = array();
// every control character except newline (dec 10)
// carriage return (dec 13), and horizontal tab (dec 09)
if ($url_encoded)
{
$non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15
$non_displayables[] = '/%1[0-9a-f]/'; // url encoded 16-31
}
$non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // 00-08, 11, 12, 14-31, 127
do
{
$str = preg_replace($non_displayables, '', $str, -1, $count);
}
while ($count);
return $str;
}
看这么几行代码:
if ($url_encoded)
{
$non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15
$non_displayables[] = '/%1[0-9a-f]/'; // url encoded 16-31
}
明确了吧,他会把%0与%1开头的3个字符过滤掉。直接把这个注释掉,问题解决。
记录这个问题解决的思维全过程。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to implement custom middleware in CodeIgniter
Jul 29, 2023 am 10:53 AM
How to implement custom middleware in CodeIgniter Introduction: In modern web development, middleware plays a vital role in applications. They can be used to perform some shared processing logic before or after the request reaches the controller. CodeIgniter, as a popular PHP framework, also supports the use of middleware. This article will introduce how to implement custom middleware in CodeIgniter and provide a simple code example. Middleware overview: Middleware is a kind of request
CodeIgniter middleware: Accelerate application responsiveness and page rendering
Jul 28, 2023 pm 06:51 PM
CodeIgniter Middleware: Accelerating Application Responsiveness and Page Rendering Overview: As web applications continue to grow in complexity and interactivity, developers need to use more efficient and scalable solutions to improve application performance and responsiveness. . CodeIgniter (CI) is a lightweight PHP-based framework that provides many useful features, one of which is middleware. Middleware is a series of tasks that are performed before or after the request reaches the controller. This article will introduce how to use
How to use the database query builder (Query Builder) in the CodeIgniter framework
Jul 28, 2023 pm 11:13 PM
Introduction to the method of using the database query builder (QueryBuilder) in the CodeIgniter framework: CodeIgniter is a lightweight PHP framework that provides many powerful tools and libraries to facilitate developers in web application development. One of the most impressive features is the database query builder (QueryBuilder), which provides a concise and powerful way to build and execute database query statements. This article will introduce how to use Co
PHP development: Using CodeIgniter to implement MVC pattern and RESTful API
Jun 16, 2023 am 08:09 AM
As web applications continue to evolve, it is important to develop applications more quickly and efficiently. And, as RESTful API is widely used in web applications, it is necessary for developers to understand how to create and implement RESTful API. In this article, we will discuss how to implement MVC pattern and RESTful API using CodeIgniter framework. Introduction to MVC pattern MVC (Model-Vie
How to use CodeIgniter5 framework in php?
Jun 01, 2023 am 11:21 AM
CodeIgniter is a lightweight PHP framework that uses MVC architecture to support rapid development and simplify common tasks. CodeIgniter5 is the latest version of the framework and offers many new features and improvements. This article will introduce how to use the CodeIgniter5 framework to build a simple web application. Step 1: Install CodeIgniter5 Downloading and installing CodeIgniter5 is very simple, just follow these steps: Download the latest version
CodeIgniter middleware: Provides secure file upload and download functions
Aug 01, 2023 pm 03:01 PM
CodeIgniter middleware: Provides secure file upload and download functions Introduction: In the process of web application development, file upload and download are very common functions. However, for security reasons, handling file uploads and downloads often requires additional security measures. CodeIgniter is a popular PHP framework that provides a wealth of tools and libraries to support developers in building secure and reliable web applications. This article will introduce how to use CodeIgniter middleware to implement secure files
Use PHP framework CodeIgniter to develop a real-time chat application to provide convenient communication services
Jun 27, 2023 pm 02:49 PM
With the development of mobile Internet, instant messaging has become more and more important and popular. For many companies, live chat is more like a communication service, providing a convenient communication method that can quickly and effectively solve business problems. Based on this, this article will introduce how to use the PHP framework CodeIgniter to develop a real-time chat application. Understand the CodeIgniter framework CodeIgniter is a lightweight PHP framework that provides a series of simple tools and libraries to help developers quickly
How to use the PHP framework CodeIgniter to quickly build a backend management system
Jun 27, 2023 am 09:46 AM
In today's Internet era, a website that is loved by users must have a simple and clear front-end interface and a powerful back-end management system, and the PHP framework CodeIgniter is an excellent framework that allows developers to quickly build a back-end management system. CodeIgniter has the characteristics of lightweight, high efficiency, and easy expansion. This article will be aimed at beginners and explain in detail how to quickly build a backend management system through this framework. 1. Installation and configuration Installation of PHPCodeIgniter is a PHP-based
