Question
I am passing a query string as part of my query string to a PHP script.
Kinda like this:
$.post('/url', {
    id: postID,
    filters: $('#form').serialize()
});
Then in my PHP, I use parse_str to read filters:
<?php
$postID = $this->input->post('id');
parse_str($this->input->post('filters'), $filters);
The problem is that parse_str is adding ;s randomly to the keys. I'm getting a result like this:
array(4) {
["users"]=>
string(0) ""
["companies;"]=>
string(0) ""
["pref;_123"]=>
string(0) ""
["products;"]=>
array(2) {
[0]=>
string(4) "1234"
[1]=>
string(4) "5678"
}
}
Why is the server adding ;? I tried it on another server, and this doesn't happen. It also doesn't happen when testing via CLI.
EDIT: Seems this is not parse_str's fault, but some sort of XSS filter. $this->input->post('filters') (and even $_POST['filters']!) contains the ; characters. I checked, and jQuery is not adding them.
EDIT: I managed to "fix" this by doing:
$filters = array_combine(array_map(function($x){
return str_replace(';', '', $x);
}, array_keys($filters)), array_values($filters));
Answer 1:
This is caused by the config variable global_xss_filtering in CodeIgniter. Set it to false to disable this behaviour.
See also:
xss_clean adds semicolon to anything with an &
CodeIgniter adding semicolons
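Added example (not part of either answer, and not CodeIgniter's own code): a simplified model of an input filter that terminates entity-like `&name` tokens, run on a constructed copy of the serialized form from the question, next to parsing the unfiltered string with a key allowlist and escaping at output. `entity_repair_model`, `read_filters`, `$raw` and `$allowed` are hypothetical names, and the two regular expressions are an assumption about how such a filter behaves.

```php
<?php
// Constructed sample: what $('#form').serialize() yields for the form in the question.
$raw = 'users=&companies=&pref_123=&products%5B%5D=1234&products%5B%5D=5678';

// Simplified model (assumption) of a filter that "repairs" entity-like tokens:
// "&key=value" pairs with a plain value are protected, every other "&name"
// is treated as an unterminated HTML entity and gets a ";" appended.
function entity_repair_model(string $s): string
{
    $mark = "\x01"; // placeholder for protected ampersands
    $s = preg_replace('/&([a-z_0-9\-]+)=([a-z_0-9\-]+)/i', $mark . '$1=$2', $s);
    $s = preg_replace('/(&#?[0-9a-z]{2,});?/i', '$1;', $s);
    return str_replace($mark, '&', $s);
}

// Parse the nested query string and keep only the keys the form defines,
// so a mangled or unexpected key never reaches application code.
function read_filters(string $query, array $allowed): array
{
    parse_str($query, $parsed);
    return array_intersect_key($parsed, array_flip($allowed));
}

$allowed = ['users', 'companies', 'pref_123', 'products'];

// Keys after the modelled filter has rewritten the string.
parse_str(entity_repair_model($raw), $mangled);
print_r(array_keys($mangled));

// Keys when the unfiltered string is parsed and checked against the allowlist.
$filters = read_filters($raw, $allowed);
print_r(array_keys($filters));

// With input-time filtering off, escape each value where it is written into HTML.
foreach ((array) $filters['products'] as $id) {
    echo htmlspecialchars($id, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Empty values (`companies=`), underscores in names (`pref_123`) and percent-encoded brackets (`products%5B%5D`) all fall outside the protected `&key=value` shape, which is why exactly those keys pick up a semicolon.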
Answer 2:
I would first do a var_dump of the $filters to see what is coming in.
parse_str will parse the string you send it like so:
$string = "user=&companies=StackOverflow";
parse_str($string, $filters);
echo $filters['user']; // empty string
echo $filters['companies']; // StackOverflow
My best guess is that what is being sent from jQuery's serialize (inclusive of the data) is not properly serialized/escaped probably so parse_str can easily split the string with the & as the separator for key/value of each parameter.
Reading the manuals, you are definitely doing things correctly there, but there might be something lurking in your data that throws the parse_str off. I would also look for illegal characters in the string posted by jQuery.
Source: https://stackoverflow.com/questions/12305802/parse-str-randomly-adding-semicolons-to-keys