Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
523 views
in Technique[技术] by (71.8m points)

php - Percent Symbol in CodeIgniter URI

I need to pass an encoded string to a CodeIgniter controller.

Example:

DOSOMETHING/Coldplay/Fix+You/273/X+%26+Y/

My problem is the percent symbol that is a disallowed character. I've tried to change the config file with the following:

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-+\%';

The + is ok, but the % is not valid. Can you help me to change this reg exp so it will allow the % symbol? Thanks in advance!

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Put the "-" at the end of the string otherwise it gets interpreted as range. The % is already in the allowed character list as you can see.

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_+-';

Ahem... after looking at your sample string again. Here is why you get "The URI you submitted has disallowed characters".

Short explanation: Add the ampersand & to the allowed characters list

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_+&-';

Long explanation

There are 2 things playing together.

A) CodeIgniter checks all URI segments for disallowed characters. This happens by whitelisting allowed characters. Which ones are allowed can be checked in /system/application/config/config.php in the $config['permitted_uri_chars'] variable. The default value is set to something like 'a-z 0-9~%.:_-'. Thus all letters from a to z, space, all numbers and the following characters *~%.:_- are allowed.

Ok let us compare that to your sample URI which you say works

a-z 0-9~%.:_-
DO_SOMETHING/Coldplay/Fix+You/273/X+26+Y/   //note the missing %

All characters are ok... but wait what about the plus sign +? It's not in the list of allowed characters! And yet the URI is not complained about? This is the key to your problem.

B) CodeIgniter urldecodes the URI segments prior to the whitelist-character-check to prevent that someone circumvents the check by simply urlencoding the URI. Thus the + gets decoded to a space. This behaviour is because of urlencode (which encodes spaces as + sign, deviating from RFC 1738). That explains why the + sign is allowed.

These two things combined explain also why this specific URI doesn't work.

urldecode(DO_SOMETHING/Coldplay/Fix+You/273/X+%26+Y/) //evaluates to
//DO_SOMETHING/Coldplay/Fix You/273/X & Y/

Whoops... the urldecoding translates %26 to an &

Which isn't an allowed character. Mistery ;-) solved


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...