Receiving "Disallowed Key Characters" error in CodeIgniter

Question

I am getting the following message: Disallowed Key Characters and the string producing the message seems to be

__utmt_~42

I am just trying to load the page and for the life of me can't figure out why this is happening. It started out of nowhere. How can I locate the source of this?

Answer 1

Though its a old post, its still relevant today as the message is cryptic and brings the website to its knees in no time.

In my case, in the test system, all of a sudden, started receiving this message for every page that gets an user input through GET/POST. Later found that to be the result of additional filter I added recently to the php.ini as below, which promised, to configure the default filter to behave exactly like htmlspecialchars().

[filter]
filter.default = full_special_chars
filter.default_flags = 0

On removing these filters from the php.ini file, the error was gone. Hope this helps somebody who encounters the same problem.

Answer 2

In case you have this problem with recaptcha of google (POST variable named g-recaptcha-response) in my case was solved adding a escaped hyphen at the end of the listed characters like this:

    if ( ! preg_match("/^[~a-z0-9:_\/-\|\-]+$/i", $str)){

to the file system/core/Input.php

Answer 3

Had a similar problem, so, for the sake of Google search results:

__utmt is a cookie. More specificly, a Google Analytics cookie. The ~Number part probably means it's a copy/duplicate. Think of it like the word.doc~1 files that are stored on your computer when working in a Word doc.

So first, check your Analytics code on the website, is there a duplicate somewhere? My problem was solved by altering this duplicated line:

var pageTracker = _gat._getTracker("UA-1234567-89");
var pageTracker = _gat._getTracker("UA-1234567-89");

Weird thing is that the file always had this duplicated line of code, for as far as my GIT goes back. It might be a change in the way analytics code handles cookies...

Oh, and the "Disallowed Key Characters" part. That's normally a good thing, protecting your CI app against evil.

Its in the system\core\Input.php file.

if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str)) {
    // there is no ~ in this regex pattern
    // You could add it, but you probably end up breaking other stuff ("/^[\w:~\/]+$/i")
    exit('Disallowed Key Characters');
}

Answer 4

Follow the following steps

1. Search for function _clean_input_keys on /system/core/Input.php
2. update this exit(‘Disallowed Key Characters.’); to exit(‘Disallowed Key Characters.’ . $str);

Answer 5

Change on system/core/Input.php

if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
                {
                      exit('Disallowed Key Characters.');
                }


to 

if ( ! preg_match("/^[a-z0-9:_\/-~]+$/i", $str))
                {
                      exit('Disallowed Key Characters.');
                }

Answer 6

I was just going to comment, but I do not have enough reputation, apparently. I had a similar problem this morning. It was being caused by a cookie (__utmt_~1). My site does create a cookie called __utmt but not with the single underscore, tilde and 1. I suspect that __utmt_~1 is a duplicate of the original cookie, but I am not sure how it was created. However - clearing my cookies stopped the Disallowed Key Characters message.