


On a website built with CodeIgniter, I wanted to submit the following line of code as content:
    $var = sprintf("%04d", 2);
But after it had been stored in the database, the line had become
    $var = sprintf("d", 2);
I tested this in both the production environment and a local environment, and finally confirmed that CodeIgniter itself was rewriting the input. Here is the troubleshooting process and the reasoning behind each step:
1. Is it permitted_uri_chars in config.php?
    $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
I found several similar questions on Stack Overflow, and some answers said it was enough to change permitted_uri_chars in config.php, for example:
Ahem... after looking at your sample string again. Here is why you get "The URI you submitted has disallowed characters". Short explanation: add the ampersand & to the allowed characters list:
    $config['permitted_uri_chars'] = 'a-z 0-9~%.:_+&-';
I tried it, but it made no difference, so I went looking for the code that actually applies $config['permitted_uri_chars'].
2. Is it the _clean_input_keys() function in core/Input.php?

    function _clean_input_keys($str)
    {
        $config = &get_config('config');
        if ( ! preg_match("/^[".$config['permitted_uri_chars']."]+$/i", rawurlencode($str)))
        {
            exit('Disallowed Key Characters.');
        }
        // Clean UTF-8 if supported
        if (UTF8_ENABLED === TRUE)
        {
            $str = $this->uni->clean_string($str);
        }
        return $str;
    }

This function applies $config['permitted_uri_chars'] directly to the posted data, so it was the prime suspect. Two things are worth noticing, though: it is only ever given the array keys (the field names of $_POST, see the call in step 4), and it does not strip anything; a key that fails the regex terminates the request with 'Disallowed Key Characters.', so it could never turn "%04d" into "d". I isolated it and tested anyway: after posting $var = sprintf("%04d", 2); this function still returned $var = sprintf("%04d", 2); unchanged. The %04 was not filtered here, so I had to keep looking.
3. Is it the XSS defence?
Someone on Stack Overflow said they had solved exactly this problem and that the XSS cleaning was the cause:
:) God damn URLDECODE, I have looked at the code in URI.php but the xss clean is doing the job so I missed it. Thank you, now everything is perfect. – RaduM
So I found the xss_clean() function in core/Security.php and commented out its entire body. The input still lost its %04, so this is clearly not an XSS-filter problem. (Restore the function body after such a test: xss_clean() is a security control, not just something to switch off while debugging.)
4. The problem lies in the _clean_input_data() function
Going back to Input.php, _clean_input_data() is called right next to _clean_input_keys():
    $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
So keys go through _clean_input_keys() and values go through _clean_input_data(). I commented out the body of _clean_input_data(), and the input was no longer filtered. Narrowing it down further, this is the line that causes the trouble:
    // Remove control characters   (this is what strips %0x)
    $str = remove_invisible_characters($str);
5. The culprit: remove_invisible_characters()
So what does remove_invisible_characters() do? It lives in core/Common.php; here it is in full:

    function remove_invisible_characters($str, $url_encoded = TRUE)
    {
        $non_displayables = array();

        // every control character except newline (dec 10)
        // carriage return (dec 13), and horizontal tab (dec 09)
        if ($url_encoded)
        {
            $non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15
            $non_displayables[] = '/%1[0-9a-f]/';  // url encoded 16-31
        }
        $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // 00-08, 11, 12, 14-31, 127

        do
        {
            $str = preg_replace($non_displayables, '', $str, -1, $count);
        }
        while ($count);

        return $str;
    }

Look at these lines:

    if ($url_encoded)
    {
        $non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15
        $non_displayables[] = '/%1[0-9a-f]/';  // url encoded 16-31
    }

To be precise: when $url_encoded is TRUE (the default, and _clean_input_data() passes nothing else), the function deletes every three-character sequence %00-%08, %0b, %0c, %0e, %0f and %10-%1f, i.e. the URL-encoded forms of the ASCII control characters other than tab, newline and carriage return. "%04d" contains "%04", so that is deleted and only the "d" survives. The raw-byte pattern on the following line is what actually protects against control characters (null bytes, escape sequences) in decoded data; the two encoded patterns are an extra pass that assumes the input may still be URL-encoded.

That assumption is wrong for $_POST. PHP has already URL-decoded the request body by the time the array exists, so a literal "%04" in a field is exactly what the user typed (it travelled on the wire as %2504) and is not a control character at all. Simply commenting out the if block does make the problem go away, but it also switches off encoded-control-character stripping for every other caller of the function. The narrower fix is to leave remove_invisible_characters() alone and change the call in _clean_input_data() to remove_invisible_characters($str, FALSE), so that only raw control bytes are removed from input that has already been decoded; this is what CodeIgniter 3's Input.php does.
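To make the behaviour concrete, here is an added example (not code from the original post or from CodeIgniter itself): a stand-alone copy of the remove_invisible_characters() shown above, run over a handful of constructed inputs with both values of $url_encoded. The inputs, the labels and the table output are this example's own; the function body is the one from the article.

```php
<?php
// Added example (not CodeIgniter's own code): a stand-alone copy of the
// remove_invisible_characters() shown above, run over a few constructed
// inputs to show why "%04d" loses its "%04", what the $url_encoded flag
// changes, and what the filter is actually there to catch.
// Run with: php remove_invisible_characters_demo.php

function remove_invisible_characters($str, $url_encoded = TRUE)
{
    $non_displayables = array();

    // Every ASCII control character except newline (0x0A), carriage return
    // (0x0D) and horizontal tab (0x09). With $url_encoded = TRUE the
    // percent-encoded forms are removed too; "%04" in "%04d" matches the
    // first pattern. The patterns carry no /i flag, so only lowercase hex
    // digits are matched.
    if ($url_encoded) {
        $non_displayables[] = '/%0[0-8bcef]/';   // %00-%08, %0b, %0c, %0e, %0f
        $non_displayables[] = '/%1[0-9a-f]/';    // %10-%1f
    }
    $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // raw bytes

    // Repeat until nothing is removed, so that deleting one sequence cannot
    // splice the surrounding characters into a new one (see the "%0%000" case).
    do {
        $str = preg_replace($non_displayables, '', $str, -1, $count);
    } while ($count);

    return $str;
}

// Constructed inputs, not taken from the original post. $_POST values are
// already URL-decoded by PHP, so the "%04" in the first case is literal text
// the user typed, not an encoded control character.
$cases = array(
    'sprintf format from the post'          => '$var = sprintf("%04d", 2);',
    'raw NUL byte (what the filter is for)' => "file.php\x00.jpg",
    'encoded NUL byte, still encoded'       => 'name=file.php%00.jpg',
    'encoded CR/LF kept; hex case matters'  => 'a%0Ab%0ac%1fd%1Fe',
    'splicing: the loop removes all of it'  => '%0%000',
);

printf("%-40s | %-5s | %s\n", 'input', 'flag', 'output');
foreach ($cases as $label => $input) {
    foreach (array(TRUE, FALSE) as $flag) {
        $out = remove_invisible_characters($input, $flag);
        // addcslashes() shows any surviving control bytes as octal escapes
        printf("%-40s | %-5s | %s\n", $label, $flag ? 'TRUE' : 'FALSE',
               addcslashes($out, "\0..\37\177"));
    }
}
```

With the flag TRUE the first case reproduces the article's result ($var = sprintf("d", 2);) and with FALSE it passes through untouched, while the raw NUL byte is stripped either way, which is the protection that matters for decoded data. The fourth case shows two properties of the patterns as written: %0A and %0D are deliberately left alone (newline and carriage return are exempt), and %1f is removed while %1F is not, because the regexes are case-sensitive. The last case shows why the do/while loop exists.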
That is the whole thought process behind tracking down this problem, recorded here for reference.