I am passing a query string as part of my query string to a PHP script.
Kinda like this:
$.post('/url', {
    id: postID,
    filters: $('#form').serialize()
});
Then in my PHP, I use parse_str to read filters:
<?php
$postID = $this->input->post('id');
parse_str($this->input->post('filters'), $filters);
The problem is that parse_str is adding ;s randomly to the keys. I’m getting a result like this:
array(4) {
["users"]=>
string(0) ""
["companies;"]=>
string(0) ""
["pref;_123"]=>
string(0) ""
["products;"]=>
array(2) {
[0]=>
string(4) "1234"
[1]=>
string(4) "5678"
}
}
Why is the server adding ;? I tried it on another server, and this doesn’t happen. It also doesn’t happen when testing via CLI.
EDIT: Seems this is not parse_str’s fault, but some sort of XSS filter. $this->input->post('filters') (and even $_POST['filters']!) contains the ; characters. I checked, and jQuery is not adding them.
EDIT: I managed to “fix” this by doing:
$filters = array_combine(array_map(function($x){
    return str_replace(';', '', $x);
}, array_keys($filters)), array_values($filters));
This is caused by the config variable global_xss_filtering in CodeIgniter. Set it to false to disable this behaviour. See also:
xss_clean adds semicolon to anything with an &
CodeIgniter adding semicolons
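An added example, not part of the original question or answer and not CodeIgniter's own code: it sketches why an entity "repair" pass applied to raw POST data corrupts a nested query string before parse_str ever sees it. The function name, the placeholder token and both regular expressions are assumptions that approximate the filter's entity handling; the sample string is constructed from the field names in the question.

```php
<?php
// Illustration only. approx_entity_fixup() is a hypothetical stand-in for the
// entity-handling step of a global XSS filter; its patterns are assumed.

function approx_entity_fixup(string $str): string
{
    $marker = 'PROTECTEDAMP'; // constructed placeholder token

    // Step 1: shield "&key=value" pairs whose value is non-empty and made of
    // plain characters, so they are not mistaken for HTML entities.
    $str = preg_replace('/&([a-z_0-9\-]+)=([a-z_0-9\-]+)/i', $marker . '$1=$2', $str);

    // Step 2: anything still shaped like "&word" is treated as an HTML entity
    // that lost its terminator, and a semicolon is appended to it.
    $str = preg_replace('/(&#?[0-9a-z]{2,})([\x00-\x20])*;?/i', '$1;$2', $str);

    // Step 3: restore the shielded ampersands.
    return str_replace($marker, '&', $str);
}

// Constructed sample: the value of the "filters" field as PHP receives it
// (jQuery's serialize() output, URL-decoded once by PHP).
$serialized = 'users=&companies=&pref_123=&products%5B%5D=1234&products%5B%5D=5678';

$filteredString = approx_entity_fixup($serialized);

parse_str($serialized, $unfiltered);   // what the script expects to get
parse_str($filteredString, $filtered); // what it gets after the filter ran

echo "Filtered string: ", $filteredString, "\n\n";

echo "Keys without the filter:\n";
print_r(array_keys($unfiltered));

echo "Keys with the filter:\n";
print_r(array_keys($filtered));

// Keys that exist only because the filter rewrote the input.
echo "Keys altered by the filter:\n";
print_r(array_values(array_diff(array_keys($filtered), array_keys($unfiltered))));
```

Empty values and bracketed keys are the ones affected because step 1 only shields pairs of the form key=value with a non-empty plain value; "users" escapes because it is not preceded by an ampersand.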