What can happen if I use a loose URL chars restriction? - Printable Version

CodeIgniter Forums (https://forum.codeigniter.com), Thread: /showthread.php?tid=10947
What can happen if I use a loose URL chars restriction? - El Forum - 08-19-2008

[eluser]plainas[/eluser]
Let's say I allow every char and escape them whenever I put userdata in an SQL query, etc. What can possibly happen? Can anybody give me an example to illustrate this?

What can happen if I use a loose URL chars restriction? - El Forum - 08-19-2008

[eluser]Rick Jolly[/eluser]
You just need to be concerned if you are echoing anything from your url. For example, you wouldn't want to print this to the browser: "controller/method/<scribt>alert('may I steal your cookie?')</scribt>". As long as you run the uri or its segments through htmlspecialchars(), then you won't have a problem.

Kohana has actually done away with the allowed url characters restriction.

What can happen if I use a loose URL chars restriction? - El Forum - 08-20-2008

[eluser]xwero[/eluser]
[quote author="Rick Jolly" date="1219202814"]Kohana has actually done away with the allowed url characters restriction.[/quote]
In CI you can do

Code:
$config['permitted_uri_chars'] = '';

What can happen if I use a loose URL chars restriction? - El Forum - 08-20-2008

[eluser]plainas[/eluser]
So let's say I want to allow users to create meaningful URLs, is this the correct way to output them?

Code:
$urlchunk = "/some?crazy!stuff;put;here\$byTheuser";

This is quite confusing. What could happen if I would skip the urlencode call?

Just out of curiosity, if I allow the forward slash, I wonder if it will be picked as a parameter or if it will still work as the separator.
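
The following is an added example, not part of any post in this thread. It shows what the last post asks about: how the posted `$urlchunk` behaves in a URL with and without encoding, and how to escape it when it is written into HTML, as the htmlspecialchars() advice above recommends. The helper names and the `/profile/view/` route are hypothetical.

```php
<?php
// Added example. Helper names and the /profile/view/ route are hypothetical.

// Encode a value so it can be used as ONE URL path segment.
function path_segment(string $raw): string
{
    return rawurlencode($raw);
}

// Encode a value for HTML text or a quoted HTML attribute.
function html_text(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input: the string from the last post.
$urlchunk = "/some?crazy!stuff;put;here\$byTheuser";

// Skipping the encoding: "/" adds path segments and "?" starts a query string,
// so the user-supplied value is no longer a single parameter.
$naive = '/profile/view/' . $urlchunk;
echo "naive path:  ", parse_url($naive, PHP_URL_PATH), "\n";
echo "naive query: ", parse_url($naive, PHP_URL_QUERY), "\n";

// With encoding: the whole value stays inside one segment and decodes back
// to exactly what the user supplied.
$href  = '/profile/view/' . path_segment($urlchunk);
$parts = explode('/', trim($href, '/'));
echo "encoded:     ", $href, "\n";
echo "segments:    ", count($parts), "\n";
echo "round trip:  ", var_export(rawurldecode($parts[2]) === $urlchunk, true), "\n";

// Writing the link into a page needs both layers:
// URL-encode for the URL, then HTML-escape for the markup.
echo '<a href="', html_text($href), '">', html_text($urlchunk), "</a>\n";

// Echoing a segment received from a request (constructed value with markup):
// escaped on output, it is displayed as text instead of being parsed as HTML.
$received = '<b>"hi"</b> & more';
echo '<p>You asked for: ', html_text($received), "</p>\n";
```

Whether an encoded slash (`%2F`) reaches the router as part of one segment depends on the web server and framework; Apache, for example, rejects encoded slashes in the path unless `AllowEncodedSlashes` is enabled.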