php - parse_str randomly adding semicolons to keys

78

I am passing a query string as part of my query string to a PHP script.

Kinda like this:

$.post('/url', {
    id: postID
    filters: $('#form').serialize()
});

Then in my PHP, I useparse_str to readfilters:

<?php
$postID = $this->input->post('id');
parse_str($this->input->post('filters'), $filters);

The problem is thatparse_str is adding;s randomly to the keys. I'm getting a result like this:

array(4) {
  ["users"]=>
  string(0) ""
  ["companies;"]=>
  string(0) ""
  ["pref;_123"]=>
  string(0) ""
  ["products;"]=>
  array(2) {
    [0]=>
    string(4) "1234"
    [1]=>
    string(4) "5678"
  }
}

Why is the server adding;? I tried it on another server, and this doesn't happen. It also doesn't happen when testing via CLI.

EDIT: Seems this is notparse_str's fault, but some sort of XSS filter.$this->input->post('filters') (and even$_POST['filters']!) contains the; characters. I checked, and jQuery is not adding them.

EDIT: I managed to "fix" this by doing:

$filters = array_combine(array_map(function($x){
    return str_replace(';', '', $x);
}, array_keys($filters)), array_values($filters));
728

Answer

Solution:

This is caused by the config variableglobal_xss_filtering in Codeigniter. Set it to false to disable this behaviour.

See also:
xss_clean adds semicolon to anything with an &
CodeIgniter adding semicolons

267

Answer

Solution:

I would first do a var_dump of the $filters to see what is coming in.

parse_str will parse the string you send it like so:

$string = "user=&companies=StackOverflow";
parse_str($string, $filters);
echo $filters['user']; // empty string
echo $filters['companies']; // StackOverflow

My best guess is that what is being sent from iQuery's serialize (inclusive of the data) is not properly serialized/escaped probably so parse_str can easily split the string with the & as the separator for key/value of each parameter.

Reading the manuals you are definitely doing things correctly there but there might be something lurking in your data that throws the parse_str off. I would also look for illegal characters in the sting posted by jQuery.

People are also looking for solutions to the problem: php - Magento SQL Query - Filter products by category

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.