user1502852

PHP Mysql CodeIgniter Converting characters to symbols in very bizarre circumstances


I take a look ... and a day later... here is my madness revealed:


The text in question is verbatim " Always run credit card on file (we do not charge this customer for pick-up or return) "

No matter what I did or changed on the code side.. I could not prevent the PHP... OR Javascript... Or MySQL... OR alien beings... - or whoever the heck is doing it - from converting the "()" in the text to "&#40;&#41;". And I tried many things like cleaning the string in all ways known to man or god. Capturing the string previous to sending just before saving to the database. And the conversion would always take place just before the save to MySQL. I tried posting in different forms and fields... Same thing every time... could not stop the magic conversion to "&#40;&#41;".

What in the name of batman is in this magical text that is causing this to happen?? is it magic pixie dust sprinkled on to godaddy server it is running on??? 0_o .......

Being the genius that I am 0_0 I decide to remove one word from the paragraph at a time. Magically... as all the creatures of the forest gathered around - as I finally got to the word "file" in the paragraph, and removed it !!! Like magic - the "()" stay as "()" and are NOT converted to "&#40;&#41;"?!?!???!?!? :\ How come?? I simply removed the word "file" from the text... How could this change anything?? What is the word "file" causing to change with how the string is saved or converted??


OK - So I tested this out on any and every form field in the app. Every single time, in any field, if you type the word "file" followed by a "(" it will convert the first "(" to "&#40;" and the very next ")" to "&#41;".

So.. if the string is:

"file ( any number of characters or text ) any other text or characters"

On post, it will be converted mysteriously to:

"file &#40; any number of characters or text &#41; any other text or characters"

Remove the word "file" from the string, and you get:

"( any number of characters or text ) any other text or characters"

The alien beings return the abducted "()"


Anyone have a clue what the heck could be going on here?



I dunno :\

It's the strangest thing I ever saw... Except for that time I walked in on Mom and Dad 0_o

Any help would be greatly appreciated, and I will buy you a beer for sure :)


The very large headed, - (way too much power for such tender egos) -, Noo-Noos here at stack have paused this question as "Off topic" LOL... honest to God these guys are so silly.

So - in an effort to placate the stack-gestapo - I will attempt to edit this question so that it is... "on topic"??? 0_o ... anything for you oh so "King" Stack Guys O_O - too bad you would never have the wit to ever notice such a bug... maybe some day. ;)


Sample code:

    <textarea name="notes">Always run credit card on file (we do not charge this customer for pick-up or return) blah blah</textarea>

    <?php
    if (isset($_POST['notes'])) {
        // Two-argument where() lets the query builder escape the ID value
        $this->db->where('ID', $_POST['ID']);
        $this->db->update('OWNER', $_POST['notes']);
    }
    ?>

Resulting MySQL storage:
"Always run credit card on file &#40;we do not charge this customer for pick-up or return&#41; blah blah"

I am not looking for a way to prevent it, or clean it... I am clearly asking "What causes it"

Upvotes: 1

Views: 1394

Answers (6)

Paul

Reputation: 785

    /*
     * Sanitize naughty scripting elements
     *
     * Similar to above, only instead of looking for
     * tags it looks for PHP and JavaScript commands
     * that are disallowed.  Rather than removing the
     * code, it simply converts the parenthesis to entities
     * rendering the code un-executable.
     *
     * For example: eval('some code')
     * Becomes:     eval&#40;'some code'&#41;
     */
    $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);

This is part of XSS Clean (system/core/Security.php).

If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this:

    $config['global_xss_filtering'] = TRUE;

https://www.codeigniter.com/user_guide/libraries/security.html

Upvotes: 5
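The behaviour from the question can be reproduced by running the quoted rule on its own. This is an added example, not part of the original answer and not CodeIgniter's code: only the pattern and replacement string are copied from the excerpt above, and `apply_rule()` and the sample strings are hypothetical. It goes slightly beyond the question's case to show that the pattern has no word boundary, so a word such as "profile" triggers it too, and that encoding at output time leaves parentheses alone.

```php
<?php
// Pattern and replacement copied from the xss_clean() excerpt quoted above.
$pattern = '#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si';
$replacement = "\\1\\2&#40;\\3&#41;";

// Hypothetical helper: apply the rule and report which keywords triggered it.
function apply_rule(string $input, string $pattern, string $replacement): array
{
    $triggers = [];
    if (preg_match_all($pattern, $input, $m)) {
        $triggers = array_map('strtolower', $m[1]);
    }
    return [
        'stored'   => preg_replace($pattern, $replacement, $input),
        'triggers' => $triggers,
    ];
}

// Constructed inputs; the first is the text from the question, the second is
// the same text with the word "file" removed.
$samples = [
    'Always run credit card on file (we do not charge this customer for pick-up or return) blah blah',
    'Always run credit card on (we do not charge this customer for pick-up or return) blah blah',
    // "profile" contains "file" and the pattern has no \b, so this matches;
    // the lazy (.*?) stops at the first ")" and the second pair is untouched.
    'See customer profile (updated) and (unchanged) notes',
    "eval('some code')",
];

foreach ($samples as $s) {
    $r = apply_rule($s, $pattern, $replacement);
    printf(
        "in:      %s\nstored:  %s\ntrigger: %s\n\n",
        $s,
        $r['stored'],
        $r['triggers'] ? implode(', ', $r['triggers']) : '(none)'
    );
}

// Alternative: store the raw text and encode when rendering HTML.
// htmlspecialchars() encodes the markup but does not touch parentheses.
$raw = $samples[0] . ' <b>urgent</b>';
echo htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), "\n";
```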

Marc

Reputation: 139

Man, I think it is in your server. If you're using WAMP, try to check whether you have mis-installed some arguments in XHTML. This is my idea; it's related to my experience in CodeIgniter. I hope you will respond if you want some advice.

Upvotes: 1

redolent

Reputation: 4259

I'm not sure if this would work, but you could try inserting a slash in or before the word 'file':

    fi\le ( any number of characters or text ) any other text or characters

Upvotes: 0

Mario Segura

Reputation: 325

Try replacing the &#40 and the &#41 with ( and ) using str_replace.
If you are storing &#40 and &#41 in your database then you should try replacing them on output; if not, try to replace them before input.

Upvotes: 0

rajesh kakawat

Reputation: 10896

Try something like this:

    // The third argument (FALSE) tells set() not to escape the value
    $this->db->set('OWNER', $_POST['notes'], FALSE);
    $this->db->where('ID ', $_POST['ID']);
    $this->db->update('table_name');

Upvotes: 1

Amit

Reputation: 3289

Use utf8 encoding to store these values.

To avoid injections use mysql_real_escape_string() (or prepared statements).

To protect from XSS use htmlspecialchars.

However, I'm not sure what the issue is in your case. Probably try using some other SQL keywords in the string and verify the solution.

Upvotes: 0
