Question

I have a string being passed via a URL to a Codeigniter driven site. The string is urlencoded before being passed, then urldecoded by the controller before being passed to a function in the model that searches for the string in a database table. I've read several other posts/articles on this, but none offer a viable (for me) solution to the issue. Here are some of the things I have read:

URL having parentheses not working in codeigniter with datamapper ORM

Parenthesis issue in codeigniter url

php rawurldecode doesn't produce same string passed to rawurlencode

http://qubitlogs.com/PHP/2013/01/24/parentheses-in-urls-not-working-codeigniter-datamapper-orm/#.U0MtAce7mxa

And here is what is happening:

A URL-encoded string gets passed via a URL, like so:

http://www.awebsite.com/controllername/functionname/test%28string%29

The controller handles this like so:

public function functionname($string) {
    $this->load->model("codeigniter_model");
    $dstring = urldecode($string);
    $validString = $this->codeigniter_model->valid_string($dstring);
    if (!$validString) {
        $thiserror = "<br>Error: Invalid String. (".$dstring.")";
        echo $thiserror;
        exit;
    }
}

And the model:

function valid_string($string)
{
    $sql = "select id from dbtable where dbfield = ?";
    $query = $this->db->query($sql, array($string));
    // Added this in to see what the query actually ends up being
    echo $this->db->last_query();
    if ($query->num_rows() > 0) :
        return TRUE;
    else:
        return FALSE;
    endif;
}

The echoed query is correct: select id from dbtable where dbfield = 'test(string)' and when run in Navicat returns the proper id. However, Codeigniter returns FALSE on the query.

I have also checked that the string in the query getting echoed does NOT contain HTML entities.

I have no control over the string being passed and really need Codeigniter to accept ( and ) as part of the string.

Thoughts, anyone?

EDIT: When the same string is passed to the Codeigniter controller via a post from a form, it works properly.

EDIT #2: Just tried creating the query using the Active Record method as suggested here: CAN'T ADD ANOTHER LINK SO : ellislab.com forums viewthread 162036

This:

$this->db->select('id');
$this->db->where('dbfield', "'".$string."'", FALSE);
$query = $this->db->get('dbtable');

does not work either.

EDIT #3: Thanks to Kyslik for suggesting using profiler. The string is apparently being html encoded after all: select id from users where string = 'test&#40;string&#41;' which, of course WOULD return false because of the HTML entities.

Unfortunately, adding code to remove those entities using both a regular query and an active record query:

$sql = "select id from dbtable where dbfield = ?";
$query = $this->db->query($sql, array(htmlspecialchars_decode($string)));

AND

$this->db->select('id');
$this->db->where('dbfield', "'".htmlspecialchars_decode($string)."'", FALSE);
$query = $this->db->get('dbtable');

still do not work.


Solution

The answer is that htmlspecialchars_decode() does NOT decode the entities for ( and ). If I add this code to the controller before passing the string (and AFTER url decoding):

$dstring = str_replace("&#40;", "(", $dstring);
$dstring = str_replace("&#41;", ")", $dstring);

Then everything works as it should.
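As an added example (not code from the question, the answer, or CodeIgniter itself), the PHP script below mimics the entity substitution that CodeIgniter 2.x applies to every URI segment in CI_URI::_filter_uri(), which is what turns ( and ) into &#40; and &#41; on the URL path but not on a POST, and then compares the decoders discussed above before the value is bound as a query parameter. The function names are hypothetical.

```php
<?php
// Added example: reproduces CodeIgniter 2.x's URI entity substitution so the
// behaviour from the question can be seen outside the framework, then compares
// ways of restoring the original string. Function names are hypothetical.

// Same substitution table CI 2.x uses: raw and percent-encoded parentheses
// (and '$') become numeric HTML entities before the controller is called.
function ci_filter_uri_entities(string $segment): string
{
    $bad  = ['$', '(', ')', '%28', '%29'];
    $good = ['&#36;', '&#40;', '&#41;', '&#40;', '&#41;'];
    return str_replace($bad, $good, $segment);
}

// Targeted reversal of just those entities: the str_replace approach from the
// accepted answer, extended to cover '$' as well.
function undo_ci_uri_entities(string $segment): string
{
    return str_replace(['&#40;', '&#41;', '&#36;'], ['(', ')', '$'], $segment);
}

// Constructed input: the URL segment from the question, as the client sends it.
$raw = 'test%28string%29';

// What the controller's $string parameter holds after routing and urldecode().
$received = urldecode(ci_filter_uri_entities($raw));

// htmlspecialchars_decode() only ever handles &amp; &quot; &#039; &lt; and &gt;,
// so the numeric entities survive it and the parameterised query finds no row.
$viaSpecialchars = htmlspecialchars_decode($received);

// html_entity_decode() does decode numeric character references, as does the
// targeted str_replace(); either restores the string the client actually sent.
$viaEntityDecode = html_entity_decode($received, ENT_QUOTES, 'UTF-8');
$viaStrReplace   = undo_ci_uri_entities($received);

foreach ([
    'received'                => $received,
    'htmlspecialchars_decode' => $viaSpecialchars,
    'html_entity_decode'      => $viaEntityDecode,
    'str_replace'             => $viaStrReplace,
] as $label => $value) {
    printf("%-24s %s\n", $label, $value);
}

// Whichever decoder is used, keep the value a bound parameter so the restored
// parentheses are treated as data, never as SQL:
// $query = $this->db->query('select id from dbtable where dbfield = ?', [$viaStrReplace]);
```

Running it prints the received form with the entities intact, shows that htmlspecialchars_decode() leaves it unchanged, and shows that both html_entity_decode() and the targeted str_replace() give back the decoded string.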

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow