0

I have the same problem as the people below, but the solutions offered for them do not work for me.

CodeIgniter - disallowed key characters

CodeIgniter Disallowed Key Characters

Disallowed key characters error message in Codeigniter (v2)

I get "Disallowed Key Characters" when I submit a form.

I have CSRF protection enabled, and I am using arrays in my form field names (i.e., search[] as the name as there are multiple selection dropdown options). I have a feeling it is the "[]" in the form name that bothers this form.

I have followed all advice I could see in the posts above.

  1. I disabled CSRF temporarily,
  2. I disabled XSS temporarily,
  3. I edited $config['permitted_uri_chars'] and
  4. I edited Input.php where this message is generated.

Does anybody have any additional ideas of what could cause this problem on form submission?

Thanks!

Kobus Myburgh

2 Answers

3

Like my answer here — you just need to update the regex in MY_Input->_clean_input_keys() to allow more characters (e.g. escaped JSON, or escaped HTML/XML)

Allow just 'English': !preg_match("/^[a-z0-9\:\;\.\,\?\!\@\#\$%\^\*\"\~\'+=\\\ &_\/\.\[\]\}\{-]+$/iu", $str)

Allow Chinese Characters: !preg_match("/^[a-z0-9\x{4e00}-\x{9fa5}\:\;\.\,\?\!\@\#\$%\^\*\"\~\'+=\\\ &_\/\.\[\]\}\{-]+$/iu", $str)

My full working function looks like this:

  public function _clean_input_keys($str) {
    // NOTE: \x{4e00}-\x{9fa5} = allow chinese characters
    // NOTE: 'i' — case insensitive
    // NOTE: 'u' — UTF-8 mode
    // NOTE: '-' is last in the class so it is a literal hyphen, not a range
    if (!preg_match("/^[a-z0-9\x{4e00}-\x{9fa5}\:\;\.\,\?\!\@\#\$%\^\*\"\~\'+=\\\ &_\/\.\[\]\}\{-]+$/iu", $str)) {
      /**
      * Check for Development environment - Non-descriptive
      * error so show me the string that caused the problem
      */
      if (is_env_dev()) {
        var_dump($str);
      }

      exit('Disallowed Key Characters.');
    }

    // Clean UTF-8 if supported
    if (UTF8_ENABLED === TRUE) {
      return $this->uni->clean_string($str);
    }

    return $str;
  }

my_helper.php

if (!function_exists('is_env_dev')) {
  function is_env_dev() {
    return (
        defined('ENVIRONMENT') && strtolower(ENVIRONMENT) == 'development' ||
        defined('ENVIRONMENT') && strtolower(ENVIRONMENT) == 'testing'
      );
  }
}
Tyler Wall
0

Thanks, but I found a comment hidden way below (right at the bottom at the time of this writing) on another post here: CodeIgniter Disallowed Key Characters

The comment suggested that I add $str to the exit() comment to test. This indicated that I had a missing double quote in my form fields. It is a very complex form built up dynamically, with 300 lines of code, so easy to miss.

Hope this answer (and the comment that inspired it) helps someone else.

Validating the source of the output could prevent problems such as this one :-)

Regards

Kobus Myburgh
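
The debugging step both answers rely on (surfacing the key that failed the filter), as an added example that is not code from either answer or from CodeIgniter: it walks a parsed request, collects every key that fails the allowlist, and logs it server-side instead of printing it in the response. The function name `find_disallowed_keys`, the sample request body and the pattern (assumed to be CodeIgniter 2's stock key pattern) are assumptions of this example.

```php
<?php
// Added example: names and sample data are constructed for illustration.

// Key allowlist; assumed to match the stock CodeIgniter 2 pattern.
const KEY_PATTERN = '/^[a-z0-9:_\/-]+$/i';

/**
 * Walk a request array recursively and return the path of every key
 * that fails the allowlist, without terminating the request.
 */
function find_disallowed_keys(array $input, string $prefix = ''): array
{
    $bad = [];
    foreach ($input as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (!preg_match(KEY_PATTERN, (string) $key)) {
            $bad[] = $path;
        }
        if (is_array($value)) {
            $bad = array_merge($bad, find_disallowed_keys($value, $path));
        }
    }
    return $bad;
}

// Constructed request body. PHP turns 'search[]' into an array before any
// key filter runs, so the filter sees the keys 'search', 0 and 1.
// The second field name is the kind a browser submits when a closing
// quote is missing from the markup, e.g. <input name="email type="text">.
parse_str('search%5B%5D=a&search%5B%5D=b&email+type%3D=x', $post);

foreach (find_disallowed_keys($post) as $path) {
    // Log server-side and keep the response generic. json_encode() escapes
    // control characters, so a hostile key cannot forge extra log lines.
    error_log('Disallowed key: ' . json_encode($path));
}
```

Unlike `var_dump($str)` followed by `exit()`, this reports all offending keys in one pass and never echoes attacker-controlled key names back to the client.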