Reputation: 18328
Request POST (via javascript) giftcard_number:%120213001?
Response 0213001?
It seems %12 is being converted to nothing.
NOTE: I am using the CodeIgniter framework and have tried turning off the global XSS filter and accessing $_POST directly, and I still have the problem. Does anyone know if CodeIgniter modifies $_POST?
Upvotes: 0
Views: 1562
Reputation: 18328
I have tracked the problem down to system/core/common.php --> remove_invisible_characters
function remove_invisible_characters($str, $url_encoded = TRUE)
{
    $non_displayables = array();

    // every control character except newline (dec 10)
    // carriage return (dec 13), and horizontal tab (dec 09)
    if ($url_encoded)
    {
        $non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15
        $non_displayables[] = '/%1[0-9a-f]/';  // url encoded 16-31
    }

    $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // 00-08, 11, 12, 14-31, 127

    do
    {
        $str = preg_replace($non_displayables, '', $str, -1, $count);
    }
    while ($count);

    return $str;
}
Can anyone think of a workaround? Do you consider this a bug in the framework?
EDIT: A way to get the raw value without is to use the $_REQUEST variable
Upvotes: 1
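The behaviour traced in the answer above, as an added example that is not part of the original post and not CodeIgniter's own code: it applies the quoted patterns to the value from the question and contrasts a single pass with the loop-until-stable form, which is what stops a stripped sequence from reassembling into a new one. The function name `strip_invisible`, its `$repeat` switch and all sample inputs except the first are assumptions made for the illustration.

```php
<?php
// Added illustration. strip_invisible() is a hypothetical restatement of the
// patterns quoted above, with a switch to run them once or until stable.
function strip_invisible(string $str, bool $repeat = true): string
{
    $patterns = [
        '/%0[0-8bcef]/',                        // url encoded 00-08, 11, 12, 14, 15
        '/%1[0-9a-f]/',                         // url encoded 16-31
        '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', // raw control bytes and DEL
    ];

    do {
        // $count is the total number of replacements made by all patterns.
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($repeat && $count);

    return $str;
}

// The first value is the one from the question; the rest are constructed.
$samples = [
    '%120213001?',   // literal text that looks like an encoded 0x12
    '%1%1229',       // removing the inner "%12" leaves a new "%12" behind
    "0213\x00001?",  // a raw NUL byte inside the value
    '%0a%0d%09',     // encoded newline, CR and tab are not in the patterns
];

foreach ($samples as $s) {
    printf(
        "%-18s once=%-14s loop=%s\n",
        json_encode($s),
        json_encode(strip_invisible($s, false)),
        json_encode(strip_invisible($s))
    );
}
```

The filter works on the text of the value as the application receives it, so it cannot tell a gift card number that legitimately contains `%12` from an encoded control character.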
Reputation: 15706
The % character is used in URL encoding. So you either need to remove the % before sending the string to the server (which is what I would recommend), or else URL-encode the string and deal with the extra characters on the server end.
CodeIgniter is doing the perfectly logical thing in removing the %12, since it appears to be a URL-encoded control character.
Upvotes: 1