www.hkvforums.com

v2024
got Bad Request - Invalid URL then i try to get file in list or view page
but if i try to get existing file in edit page file is opening

1. OpenPanel on the local computer everything works.

2. After transferring to IIS, the links stop working.

   Bad Request - Invalid URL
   HTTP Error 400. The request URL is invalid.

3. if you disable "Encrypt File Path"
   everything works everywhere.

debug enabled
in /log folder nothing

if the file name consists of letters (scan.pdf) of the English alphabet, then the file is opened.
if filename conains russian symbols got error "HTTP Error 400. The request URL is invalid."

Wolf wrote:

if you disable "Encrypt File Path" everything works everywhere.

That probably means the encryption/decryption does not work the same on your IIS web server.

Make sure you use the same PHP version as your local PC, and make sure PHP ext-hash, ext-mbstring, and ext-openssl are enabled for the PHP of the IIS. You may use phpinfo() to check the PHP on your IIS server.

You should enable Debug (just follow the instruction in the docs) to check the detailed error message in the log file.

Make sure logging is properly set up so you can debug. Also make sure you have enabled error_reporting and display_errors in the php.ini (for your IIS) during debugging.

Note that if you have enabled "production" for Environment setting, you should set it back to "development" during debugging, you can modify the setting in the src\config.php manually to "ENVIRONMENT" => "development".

Another possibilitiy is that the non-alphanumerical file name are not saved properly. Make sure everything supports utf-8, including (but not limited to):

1. The charset of the project is utf-8,
2. The database/table/field supports utf-8. If MySQL, use utf8bm4. If MSSQL, use nvarchar, not varchar.

phpinfo:
hash support enabled
Multibyte Support enabled
OpenSSL support enabled

charset of the project is utf-8
MySQL, used utf8bm4

Wolf wrote:

if filename conains russian symbols got error "HTTP Error 400. The request URL is invalid."

1. What is the HTML with the URL? Inspect element in your browser and post the actual HTML.
2. Make sure the MySQL on your production server is also MySQL 8 which supports "utf8bm4" like your local MySQL database.
3. Check MySQL charset (for SET NAMES), make sure it is empty or "utf8bm4".
4. Export the table data to a utf-8 file and check if the russian characters in the file names are saved properly.
5. Are you sure the file with russian characters in file name are correctly uploaded on your IIS server? If the file name stored in the database does not match the actual physical file name, it won't work.

1. not open: <a target="_blank" data-extension="pdf" href="/mkd/api/file/contract/eyJpdiI6IjluWWc5R1pBM08xeXBwc3MvemJEdWc9PSIsInZhbHVlIjoiOTJ1T1B2c3F2eUVlTVFBRTBTbXB3ZytvK2VmbjNzaW83SG1uSUx4OFNzeFB3dWV3L3VUNDNKTFpybjJFQ2NXWFFSNVFFWko2dWdhZDFjY0hWT2FYQldHT2pEUWp0UHpXanpxOWlzenhucmZxUWlqcWtRSWw3TUd4Qy9Ldm90Tm4iLCJtYWMiOiIyMjdjOWY1NDcxMDA2ZWNmMzlkNTM4Y2M1NzU4MDM5ZWQwNDNlNzJjNDM5NDRlMzA2ZjFiYTQ2NjBlMjg2MTUwIiwidGFnIjoiIn0=?session=eyJpdiI6IlZPZHlwM0ZnM0pDZUZQNFJoV0dBUnc9PSIsInZhbHVlIjoidnB1Y1Z1TElRaDFuZUcrUzJld1ByZG5XcGloZkhVOXJ4dEhpeXFmUHB0MD0iLCJtYWMiOiI0ZWRhZWNiYzQ0MTI0NzAwZWVkMmFlMzE4ODQ1NGU4MjU4YTQyYTY3M2YxYWYxNDgxNDc3ZTdlMjVmNDA4NWIwIiwidGFnIjoiIn0=&amp;csrf_name=csrf65eabd886fdbe&amp;csrf_value=XAwM4G9sxBPBnmwu88/yxjAIKsOwkh217fSL5RL9LxM+amqEDAmhcqWoXhnG98KlA20booSiLtPdxL7VK5lNKw==">RUSSIAN SYMBOLS.pdf</a>

   open good: <a target="_blank" data-extension="pdf" href="/mkd/api/file/contract/eyJpdiI6InR2MC9FWS9PMkpQSFBGQWp1VUh4U3c9PSIsInZhbHVlIjoidG9QYzd1SEFGUlhYRjRpYWR6SlVKaFpnMUhHemd0am5rQnFwTDV0MGlkS2lLUER3bWs4TGgxRE11VkxQblY4eSIsIm1hYyI6ImE1MGI4NzE1YzYyNjkyNmUwZTYzOThhNWE4YWM3YWZlOGVlMTU4YjVkMDU1N2M3NTg5ZTRlOWYwOWEyNzM2NjUiLCJ0YWciOiIifQ==?session=eyJpdiI6InlUbUF3OS94TnZURGxJZnZWdHVabFE9PSIsInZhbHVlIjoiS2RQQVdzd0dTZWJJR0U1ZDA4YXpRMmh6Ny9nb1d5VWN3bmhkOVRHVkE5ND0iLCJtYWMiOiI3YzhhNWQxOTNjODcyZDgxZDg4NGVmZjU2YTc0OGZhM2VmZjc2MDM5OTJkNzUxZTdlNTZmZTRjYTI1NDBkMmEwIiwidGFnIjoiIn0=&amp;csrf_name=csrf65eac41f4e344&amp;csrf_value=UxKYNQqNlp/eAzhNDna8Q4iUbtP5ykYDKXBf9IO1hRRlIf1UO72u/ukzCixqEIlz7vJc65v5IDRPR2bFuobkcQ==">Touareg7p.pdf</a>

   i can't post message with russian letters change to "russian symbols".

2. MySql version 8.1.0

3. SET NAMES in Advanced is empty.
   4-5. Filenames stored properly. exact match with file name.

You may write some code in a page (you need to use the PHPMaker config and functions) to test what could not be decrypted successfully, e.g.

echo Decrypt(Encrypt("Your russian characters"));
echo Decrypt($sessionId); // where $sessionId is the "session" parameter in above URL
echo Decrypt($fn, $sessionId . Config("ENCRYPTION_KEY")); // where $fn is the encrypted string after "contract/" and before "?".

Encrypt-Decrypt correct Russian filename.

sessionId = eyJpdiI6ImQxejlHNTZJaWR1TzZhZHdXbjlhSkE9PSIsInZhbHVlIjoiSWJUakp3QU1rRUZPZ1VpRWlBYzl6Q016eHc4bDcvalh6V1d1S2gwbTdWND0iLCJtYWMiOiI1OGNkZTA1NjkyNmE3ZTk5ZTQyZGE5NzM4ZTMwZmI4ZWJlYTk3MWJkYjc4ZGZjNWY5NDliNjU1YzQzMTNiNDc5IiwidGFnIjoiIn0=

Decrypt($sessionId) = r9r9oart70m889qvf2kpbdkm34

fn = eyJpdiI6IjluWWc5R1pBM08xeXBwc3MvemJEdWc9PSIsInZhbHVlIjoiOTJ1T1B2c3F2eUVlTVFBRTBTbXB3ZytvK2VmbjNzaW83SG1uSUx4OFNzeFB3dWV3L3VUNDNKTFpybjJFQ2NXWFFSNVFFWko2dWdhZDFjY0hWT2FYQldHT2pEUWp0UHpXanpxOWlzenhucmZxUWlqcWtRSWw3TUd4Qy9Ldm90Tm4iLCJtYWMiOiIyMjdjOWY1NDcxMDA2ZWNmMzlkNTM4Y2M1NzU4MDM5ZWQwNDNlNzJjNDM5NDRlMzA2ZjFiYTQ2NjBlMjg2MTUwIiwidGFnIjoiIn0=

Decrypt($fn, $sessionId . Config("ENCRYPTION_KEY")) = eyJpdiI6IjluWWc5R1pBM08xeXBwc3MvemJEdWc9PSIsInZhbHVlIjoiOTJ1T1B2c3F2eUVlTVFBRTBTbXB3ZytvK2VmbjNzaW83SG1uSUx4OFNzeFB3dWV3L3VUNDNKTFpybjJFQ2NXWFFSNVFFWko2dWdhZDFjY0hWT2FYQldHT2pEUWp0UHpXanpxOWlzenhucmZxUWlqcWtRSWw3TUd4Qy9Ldm90Tm4iLCJtYWMiOiIyMjdjOWY1NDcxMDA2ZWNmMzlkNTM4Y2M1NzU4MDM5ZWQwNDNlNzJjNDM5NDRlMzA2ZjFiYTQ2NjBlMjg2MTUwIiwidGFnIjoiIn0=

The file name cannot be decrypted. What is your Config("ENCRYPTION_KEY")? You can find it in src/config.php.

Make sure it is not empty. If you see the error "Error: Missing encryption key. Please click Tools -> Advanced Settings and set 'Encryption key'." during generation, do not ignore it. Follow the instruction to set it.

Session depends on cookie. Double check your cookie settings in advanced settings. If you enable Cookie Secure, make sure your site uses HTTPS, not HTTP. If you set Cookie SameSite as "None", you must enable Cookie Secure.

key = MrFk61aXk]fGod25qmS7e3nZ4mTk-pK0

I didn't enable Cookie Secure.
my site uses HTTPS
Cookie SameSite - Lax

So it seems that the session has been changed. You may compare the session id (i.e. session_id()) of the page and the decrypted session id (i.e. Decrypt($sessionId)) in the URL.

sessionId = eyJpdiI6ImExVGZUZ3BSaG9KakcvM3ZpczhjeUE9PSIsInZhbHVlIjoiK0ZEamtRMHdLS0QreCtxOHR6UGJCMk1jYVBzb1BEZjlJNDlVU3FBWTVTQT0iLCJtYWMiOiIwY2E4MDIyMjdlOGQwYjk0YThkNjE4Njc4NmQ0MzQzYWJjNTljMmY0MGFiYmZiNTFhMjMxZmQwOGZiNTlhYWFmIiwidGFnIjoiIn0=
Decrypt($sessionId): r9r9oart70m889qvf2kpbdkm34
fn = JpdiI6InhHRXFtekJ6L3Q0UGp4UjFtVXgzRlE9PSIsInZhbHVlIjoiQTlpVkFweWROYWVNdWJZZVFucDE2VUQ0RkdqNTNWT29ZTlJKYkVNMm8rdENzOUErck1sd2RYTk5QWmtUd1RNWTNuSUdQeXA0TTBFT2l6L2laZks1M2dyY2hIM0J0cjE1RXRaWHFPY0hzam5IV1dHWUtkbWppTzNBZTBwbDU1V2JySEJkOVFlNzFnRjFyT0JrNVE2R00yaWx6dGYyMHA4WmwyUFFOTitWUERJPSIsIm1hYyI6IjIzNTI4ZmJmNDdhZjcxNDlmMGI2NWMxYjM2ZDVmY2QwMTY0OWRhMGYwNzUzYzRhNTI0YTNlNjdmNGNiYjQ1NTUiLCJ0YWciOiIifQ==
Decrypt($fn, $sessionId . Config("ENCRYPTION_KEY")): JpdiI6InhHRXFtekJ6L3Q0UGp4UjFtVXgzRlE9PSIsInZhbHVlIjoiQTlpVkFweWROYWVNdWJZZVFucDE2VUQ0RkdqNTNWT29ZTlJKYkVNMm8rdENzOUErck1sd2RYTk5QWmtUd1RNWTNuSUdQeXA0TTBFT2l6L2laZks1M2dyY2hIM0J0cjE1RXRaWHFPY0hzam5IV1dHWUtkbWppTzNBZTBwbDU1V2JySEJkOVFlNzFnRjFyT0JrNVE2R00yaWx6dGYyMHA4WmwyUFFOTitWUERJPSIsIm1hYyI6IjIzNTI4ZmJmNDdhZjcxNDlmMGI2NWMxYjM2ZDVmY2QwMTY0OWRhMGYwNzUzYzRhNTI0YTNlNjdmNGNiYjQ1NTUiLCJ0YWciOiIifQ==
key = MrFk61aXk]fGod25qmS7e3nZ4mTk-pK0
session_id(): r9r9oart70m889qvf2kpbdkm34
Decrypt($fn): JpdiI6InhHRXFtekJ6L3Q0UGp4UjFtVXgzRlE9PSIsInZhbHVlIjoiQTlpVkFweWROYWVNdWJZZVFucDE2VUQ0RkdqNTNWT29ZTlJKYkVNMm8rdENzOUErck1sd2RYTk5QWmtUd1RNWTNuSUdQeXA0TTBFT2l6L2laZks1M2dyY2hIM0J0cjE1RXRaWHFPY0hzam5IV1dHWUtkbWppTzNBZTBwbDU1V2JySEJkOVFlNzFnRjFyT0JrNVE2R00yaWx6dGYyMHA4WmwyUFFOTitWUERJPSIsIm1hYyI6IjIzNTI4ZmJmNDdhZjcxNDlmMGI2NWMxYjM2ZDVmY2QwMTY0OWRhMGYwNzUzYzRhNTI0YTNlNjdmNGNiYjQ1NTUiLCJ0YWciOiIifQ==

So session_id() equals Decrypt($sessionId). Everything is correct. The only explanation might be what you didn't show so far, the Russian characters, although you said you can encrypt/decrypt correctly. You may post an example for testing as follows:

1. Export your table to a .sql file (with CREATE TABLE statement)
2. Delete all records (INSERT statements) except one (INSERT statement) for testing. The record should contains the file name with Russian characters.

The problem is not related to PHP or Russian characters, it is due to IIS settings for the URL, when the file name is long, the URL with encrypted file path is too long for IIS with default settings, you may read the follows:

• Troubleshooting HTTP 400 errors in IIS
• Http.sys registry settings for Windows, note that:
  Changes that are made to the registry will not take effect until you restart the HTTP service. Additionally, you may have to restart any related IIS services.
  See the last section of above article.

You need to increase at least the UrlSegmentMaxLength registry setting.

Thanks s lot!
I think this will be useful to many, please add it to the FAQ or installation instructions.

PowerShell script:
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name UrlSegmentMaxLength -Value 2000 -Type "Dword"