Thread

Hey,

We have a website where we need to pass URLs to a script via GET parameters. The GET parser seems to dislike “?.” Is there a way to get around this error message?

Minimalistic test URL: https://www.example.org/test?key=?val

Output: “Invalid GET Data”

The site is currently running EE 2.2.2.

EDIT: The forums are interpreting %-3-F after the ‘=’ sign. It should be a URL-encoded HEX value.

I’m quite sure EE doesn’t support GET variables on frontend, why don’t you use URL segment ?

I’m quite sure EE doesn’t support GET variables on frontend, why don’t you use URL segment ?

This website is a publicly-facing site with a network behind it. Not every page that is accessible is hosted on the same server that EE is running on—in fact, the specific page that brought this issue up is from a SharePoint portal that we are proxying through EE.

Before you strangle me for doing something so evil, I can load WordPress and even scripted SharePoint surveys correctly and all of the links work exactly like they should.

I have verified that replacing %-3-F with %-2-5-3-F in the URL address, and substituting it on the fly before we pass the file request on to our M$ internal server, does work. Unfortunately several of the URLs are generated modularly via JavaScript, so I am not able to override their URL scheme too far.

Merci pour le suggestion. 😊

Hello,

Thank you for using the ExpressionEngine forums!

Have you checked out the GET and POST Variables add-on? This plugin should work for what you are trying to accomplish.

I hope this helps, let me know if you need anything else or have any more questions.

Cheers,

Have you checked out the GET and POST Variables add-on? This plugin should work for what you are trying to accomplish.

Thanks, Shane, but I don’t think that is going to work around EE dying with the message “Invalid GET Data.” The message is being printed from EE_Input::filter_get_data() [system/expressionengine/core/EE_Input.php].

The particular test that is failing me is:

if (preg_match("#(;|\?|exec\s*\(|system\s*\(|passthru\s*\(|cmd\s*\(|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})#i", $val)) {

Where the \? is catching the url-encoded ‘?’ in my URL and promptly killing EE. Any thoughts of a good work around, or at least an explanation for what that check is looking for?

If this is an attempt to protect shell data, it is not checking for backtick operators. If it is for HTML, there is no angle bracket (<, >) filter. If it is for MySQL, it does not guard against quotes or—. As a PHP filter it would half-way work but again misses quotes.

So far my best bet appears to be modding the core. Thanks!

EDIT: Incidentally, the code for EE 2.4 is exactly the same as 2.2.2 (which is what we are running) for this.

Hello cmcnabb,

You are correct, the plugin will not solve this issue.

There is no way around this, aside from hacking the core, which we do not recommend.

If you do end up hacking the core files, note what you change for updates. Also note that your install will fall outside of support if you make changes to the core files.

I am sure this is not the answer you wanted, but if there is anything else I can help you with, please let me know.

Cheers,

Thanks, Shane. I have got a couple ideas for how to mod the core safely with regards to future updates. It is rare that I break something while modding, but I will be mindful of the warranty support for this particular website.

For anyone else who comes across this thread with the same issue, it is likely that the |\?| is going to become |<\?|\?>| on my install since it seems to me that the original intent was to prevent the insertion of PHP tags.

Hey cmcnabb,

Is there anything else I can help with?

Would you like me to move this over to community, you might get more eyes on it.

Cheers,

Sure, you can move this post. I don’t expect to get anything else out of the move but it may help others.

Thanks, Shane!

Hello cmcnabb,

I will do that then.

Thank you for using the ExpressionEngine forums!

Cheers,