HTTP_RAW_POST_DATA is borking my serialized array...
#1

[eluser]Nathan Pitman (Nine Four)[/eluser]
Hi all, I have a CI project that I'm working on where we pass data to Code Igniter as a serialized array. As you would expect this looks something like this:

Code:
O:8:"stdClass":4:{s:7:"surname";s:6:"Pitman";s:9:"firstName";s:6:"Nathan";s:11:"companyName";s:15:"Nine & Four LLC";s:5:"email";s:21:"[email protected]";}

However when I return that data in Code Igniter using:

Code:
$GLOBALS['HTTP_RAW_POST_DATA']

I end up with:

Code:
O:8:"stdClass":5:{s:5:"email";s:20:"[email protected]";s:8:"fullname";s:13:"Nathan_Pitman";s:7:"surname";s:6:"Pitman";s:9:"firstName";s:6:"Nathan";s:11:"companyName";s:15:"Nine & Four Ltd";}

This doesn't seem like correct behavior to me and I'm unsure as to whether this is something to do with Code Igniter or my server config. Any guidance would be greatly appreciated! Thanks in advance for your thoughts.
#2

[eluser]TheFuzzy0ne[/eluser]
Do you have XSS filtering enabled? I'm not sure whether that's the cause of the problem, but for the meantime, you might be able to use [url="http://uk3.php.net/manual/en/function.html-entity-decode.php"]html_entity_decode()[/url] as a temporary fix.
#3

[eluser]Nathan Pitman (Nine Four)[/eluser]
Hi ya, thanks for the response! Yes I do have XSS filtering enabled! Would that be a possible cause? If so is there some way to turn it off for a specific controller? Interestingly I've used the html_entity_decode function to work around this problem, however the nusoap service throws a wobbly when presented with an unencoded ampersand within a serialised array so I have to ereg_replace that with a 'tilde' character and then swap it back on the other side!!!

Joy!
#4

[eluser]TheFuzzy0ne[/eluser]
I had a problem previously with global XSS filtering, and not being able to disable it for a single field, so I just disabled it, and modified all of my validation rules to xss_clean the input. In hindsight, it would have probably been much easier for me to have just added a little bit of code to ./system/application/config/config.php, that would have disabled it for that controller/controller method, so I could just call it manually on the few inputs that did need xss_cleaning. Fortunately for me, it was a fairly quick process, but in future, I'd probably do something like this (untested):

./system/application/config/config.php
Code:
...

$config['global_xss_filtering'] = TRUE;

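// strncmp() returns 0 when the first 18 characters match, so compare against 0;
// a bare if (strncmp(...)) would turn the filter off for every other URI instead.
if (strncmp('/controller/method', $_SERVER['REQUEST_URI'], 18) === 0)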
{
    $config['global_xss_filtering'] = FALSE;
}
...

Hope this helps. It's a bit hacky, but should work.
#5

[eluser]Nathan Pitman (Nine Four)[/eluser]
Sorry, I am truly a muppet, what's the '18' for?
#6

[eluser]TheFuzzy0ne[/eluser]
http://www.php.net/manual/en/function.strncmp.php
#7

[eluser]Nathan Pitman (Nine Four)[/eluser]
Learn something new each day. Thanks. Unfortunately it doesn't look like XSS Filtering is the culprit but thanks for the suggestion. :)
#8

[eluser]TheFuzzy0ne[/eluser]
OK, please could you explain a bit more about how everything works? Where does the input come from? How is it processed by you? What's it used for? Are you dumping it with var_dump, or outputting it into a form input?
#9

[eluser]Nathan Pitman (Nine Four)[/eluser]
The POST is from a Flash application, I send a serialized array of data (the one I included in the first msg). In my CI controller I then have:

Code:
$HTTP_RAW_POST_DATA = isset($GLOBALS['HTTP_RAW_POST_DATA'])
      ? $GLOBALS['HTTP_RAW_POST_DATA'] : '';

This grabs that POST data and chucks it in a variable. I then pass this to the nusoap service. I know the problem is not nusoap though as even before I pass the data on, immediately after the line above if I output the content of $HTTP_RAW_POST_DATA to a log file all of the special characters are converted into entities.

I guess part of my question is: is this normal??? I'm not sure if something is adrift with my server config, whether this is expected behaviour or whether Flash is turning all the characters into entities before the POST. :/
#10

[eluser]TheFuzzy0ne[/eluser]
OK, I have to ask this, because I'm baffled. Why do you need to use $GLOBALS['HTTP_RAW_POST_DATA'] when you can use the $_POST array? That variable isn't even defined on my server. What am I missing?
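
Added example (not part of any post in this thread, and not CodeIgniter or nusoap code): why entity-encoding a serialized body stops it from unserializing, and why html_entity_decode() restores it. The payload is constructed, htmlspecialchars() is an assumed stand-in for whatever layer is doing the encoding, and decode_payload() is a hypothetical helper.

```php
<?php
// Added example. Constructed payload modelled on the object posted in #1.
$person = new stdClass();
$person->surname     = 'Pitman';
$person->companyName = 'Nine & Four LLC';
$raw = serialize($person);

// Assumption: htmlspecialchars() stands in for whichever layer is
// entity-encoding the request body. ENT_NOQUOTES leaves the format's own
// double quotes alone so that only the "&" changes.
$encoded = htmlspecialchars($raw, ENT_NOQUOTES, 'UTF-8');

// Hypothetical helper: decode client-supplied data while refusing to
// instantiate any class other than stdClass (option available since PHP 7.0).
function decode_payload(string $data)
{
    // unserialize() returns false and raises a notice/warning on malformed
    // input; the @ keeps the demo output clean.
    return @unserialize($data, ['allowed_classes' => ['stdClass']]);
}

// Each string value carries a byte-length prefix (s:15:"Nine & Four LLC").
// After encoding the value is "Nine &amp; Four LLC", 19 bytes, but the prefix
// still says 15, so the parser rejects the whole payload.
echo "raw:     ", $raw, PHP_EOL;
echo "encoded: ", $encoded, PHP_EOL;

$cases = [
    'raw body'            => $raw,
    'entity-encoded body' => $encoded,
    'decoded again'       => html_entity_decode($encoded, ENT_NOQUOTES, 'UTF-8'),
];

foreach ($cases as $label => $body) {
    $result = decode_payload($body);
    printf(
        "%-20s %s\n",
        $label,
        $result === false ? 'unserialize failed' : 'ok: ' . $result->companyName
    );
}
```

Restricting allowed_classes matters here because the body comes from a client: without it, unserialize() will instantiate any class name the sender puts in the payload.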



