Question

I am using CodeIgniter in an app. There is a form. In the textarea element, I wrote something including

%Features%

However, when I want to echo this by $this->input->post(key), I get something like �atures%

The '%Fe' has vanished.

In the main index.php file of CI, I tried var_dump($_POST) and I see the above word is fully OK, but when I fetch it with the input library (XSS filtering is on) I get the problem.

When XSS filtering is off, it appears OK initially. However, if I store it in the database and show it next time, I see the same problem (even with XSS filtering off).


Solution

%Fe happens to look like a URL-encoded sequence %FE, representing character 254. It's being munched into the Unicode "I have no idea what that sequence means" glyph, �.

It's clear that the "XSS filter" is being over-zealous when decoding the field on submission.

It's also very likely that a URL-decode is being run again at some point later in the process, when you output the result from the database. Check the database to make sure that the actual string is being represented properly.

OTHER TIPS

First: Escape the variables before storing them into the DB. % has special meaning in SQL.

Second: % also has special meaning in URLs, e.g. %20. %FE will map to some character which will be decoded by input().
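The following is an added example, not code from the question, the answers or CodeIgniter. It reproduces the symptom described in the accepted answer (PHP has already URL-decoded the form body into $_POST, so a second URL-decode reads "%Fe" as the escape for byte 0xFE) and then follows the answer's advice to check what is actually stored: the value is written with a bound parameter and read back, and the bytes are compared. The helper names, the in-memory SQLite database (it assumes the pdo_sqlite extension is loaded) and the sample input are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helpers, constructed input); not from the page.
// Part 1: a second URL-decode applied to already-decoded POST data.
// Part 2: store with a bound parameter, read back, compare byte for byte.

/** Hex dump of a string, so a stray byte such as 0xFE becomes visible. */
function hexDump(string $s): string
{
    return bin2hex($s);
}

/** True when the string is well-formed UTF-8; byte 0xFE can never occur in UTF-8. */
function isValidUtf8(string $s): bool
{
    return preg_match('//u', $s) === 1;
}

/** Simulates an unnecessary second URL-decode of data PHP already decoded into $_POST. */
function decodeAgain(string $alreadyDecoded): string
{
    // "%Fe" is a valid escape (hex digits are case-insensitive) and becomes "\xFE";
    // the trailing "%" has no hex digits after it and stays literal.
    return rawurldecode($alreadyDecoded);
}

/** Stores the value with a bound parameter and returns exactly what the database hands back. */
function roundTripThroughDb(string $value): string
{
    $db = new PDO('sqlite::memory:'); // constructed, throw-away database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

    // A bound parameter keeps '%' (and quotes) as literal data; no hand escaping needed.
    $insert = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $insert->execute([':body' => $value]);

    $select = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $select->execute([':id' => $db->lastInsertId()]);
    return (string) $select->fetchColumn();
}

$submitted = '%Features%';            // what $_POST really contains (constructed)
$mangled   = decodeAgain($submitted); // "\xFEatures%"

printf("submitted:     %-12s %2d bytes  hex %s  utf8=%s\n",
    $submitted, strlen($submitted), hexDump($submitted), isValidUtf8($submitted) ? 'yes' : 'no');
printf("decoded again: %-12s %2d bytes  hex %s  utf8=%s\n",
    $mangled, strlen($mangled), hexDump($mangled), isValidUtf8($mangled) ? 'yes' : 'no');

$stored = roundTripThroughDb($submitted);
printf("db round trip: %s\n",
    $stored === $submitted ? 'intact' : 'corrupted (hex ' . hexDump($stored) . ')');
```

Run it from the command line with php. The first two lines show the 10-byte input shrinking to 8 bytes with a leading 0xFE that fails the UTF-8 check, which is the � the question describes; the last line shows that a bound parameter stores "%Features%" unchanged, so if the database copy is already damaged the decode happened before the insert, not in the database layer.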
