Error message by selector '%'


kreativmonkey

Hi,

Since two weeks I have started my live webpage with ProcessWire. Now I get the following error message on the administration e-mail for error messages:

Error: Exception: Unknown Selector operator: '%' -- was your selector value properly escaped? (in ./produktiv/wire/core/Selectors.php line 281)

That error is called by the guest user and I don't know what this user does! I think this user is a bot because the error triggers day and night.

Now I would like to protect the page, so that this error message never comes back. But I don't know how I can start to find out what the bot calls!

The only idea that I have is the $input->urlSegment, but when I type in http://www.url.example/% I get the message "Bad Request" and nothing happens in the error log!

Or this part of code:

/***************************
* Redirect the old URLs to the new Position
* Use the oldurl field on the Post template
**************************/
$thisurl = $sanitizer->url("http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]");
$redirect = $pages->get("template=post, oldurl=$thisurl");
if(!$redirect instanceof NullPage){
    $session->redirect($redirect->url);
}

Can anyone help me?


This happens when "your selector isn't properly escaped"; in this case, it seems that $thisurl might be empty.

$redirect = $pages->get("template=post, oldurl=$thisurl");
// if $thisurl is empty, the selector is "template=post, oldurl=", which is wrong
// solution: add check for $thisurl

if ($thisurl){
  $redirect = $pages->get("template=post, oldurl=$thisurl");
  
  if(!$redirect instanceof NullPage){
    $session->redirect($redirect->url);
  }
}

Anything you put into a selector must be sanitized with $sanitizer->selectorValue(); you are using $sanitizer->url(), which is not enough. A URL can, for example, contain the problematic "%" character, which is reserved in a selector string.

Edited by Wanze
Corrections

…, you are using $sanitizer->url() which is not correct in this context.

To soften that statement a bit: $sanitizer->url() is still needed to sanitize input to a valid URL, but to use the URL as part of a selector you also need to use $sanitizer->selectorValue().

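The advice from the replies above, combined into one template snippet. This is an added example, not code from any of the posters: it validates the URL, escapes it for the selector, and logs rejected requests so the bot's input becomes visible. Assumptions: the log name `old-url-redirects` is hypothetical, `$log` is available in the installed ProcessWire version, and `$config->httpHosts` is configured in site/config.php.

```php
<?php
// Added example for a ProcessWire template file. $sanitizer, $pages, $session,
// $config and $log are API variables that ProcessWire provides in templates.

// Build the requested URL. $config->httpHost is used instead of the raw Host
// header, which the client controls (assumes $config->httpHosts is set).
$requestUri = $_SERVER['REQUEST_URI'];
$rawUrl = 'http://' . $config->httpHost . $requestUri;

// Step 1: reduce the input to a valid URL. The result is blank when the
// input cannot be made valid.
$cleanUrl = $sanitizer->url($rawUrl);

if (!$cleanUrl) {
    // Record the rejected request in encoded form, so that what the bot
    // requested can be read from the log afterwards.
    // 'old-url-redirects' is a hypothetical log name.
    $log->save('old-url-redirects', 'Rejected: ' . rawurlencode($requestUri));
} else {
    // Step 2: escape the URL for use inside a selector string, so that
    // characters such as "%" or "," are not parsed as operators or separators.
    // selectorValue() may alter or shorten the value (default maximum length
    // is 100 characters), so the stored oldurl values have to match its output.
    $selectorUrl = $sanitizer->selectorValue($cleanUrl);

    if ($selectorUrl) {
        $redirect = $pages->get("template=post, oldurl=$selectorUrl");

        // $pages->get() returns a NullPage with id 0 when nothing matches.
        if ($redirect->id) {
            $session->redirect($redirect->url);
        }
    }
}
```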
