CodeIgniter Forums
What can happen if i use a loose URL chars restriction? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: What can happen if i use a loose URL chars restriction? (/showthread.php?tid=10947)



What can happen if i use a loose URL chars restriction? - El Forum - 08-19-2008

[eluser]plainas[/eluser]
Let's say I allow every char and escape them whenever I put user data in an SQL query, etc. What can possibly happen?

Can anybody give me an example to illustrate this?


What can happen if i use a loose URL chars restriction? - El Forum - 08-19-2008

[eluser]Rick Jolly[/eluser]
You just need to be concerned if you are echoing anything from your URL. For example, you wouldn't want to print this to the browser: "controller/method/<scribt>alert('may I steal your cookie?')</scribt>". As long as you run the URI or its segments through htmlspecialchars(), then you won't have a problem.

Kohana has actually done away with the allowed url characters restriction.


What can happen if i use a loose URL chars restriction? - El Forum - 08-20-2008

[eluser]xwero[/eluser]
[quote author="Rick Jolly" date="1219202814"]Kohana has actually done away with the allowed url characters restriction.[/quote]
In CI you can do
Code:
$config['permitted_uri_chars'] = '';



What can happen if i use a loose URL chars restriction? - El Forum - 08-20-2008

[eluser]plainas[/eluser]
So let's say I want to allow users to create meaningful URLs. Is this the correct way to output them?

Code:
$urlchunk = "/some?crazy!stuff;put;here\$byTheuser";
$urlchunk = urlencode($urlchunk); # Is this necessary?
echo htmlspecialchars(base_url().$urlchunk);

This is quite confusing. What could happen if I skipped the urlencode call?

Just out of curiosity, if I allow the forward slash, I wonder if it will be picked up as a parameter or if it will still work as the separator.
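The following is an added example, not code from the thread or from CodeIgniter itself. It puts Rick Jolly's script-tag payload and plainas's user chunk through three separate layers: a simplified stand-in for CI's permitted_uri_chars check (assumed to mirror the 1.x URI class, not copied from it), htmlspecialchars() for the HTML context, and rawurlencode() for the link context, so it is visible what each layer does and does not cover. The default permitted list and the base URL are assumptions.

```php
<?php
// Added example (not from the thread). Shows what each protection layer actually does.

// Simplified stand-in for CodeIgniter's permitted_uri_chars check (assumption:
// modelled on the 1.x URI class, not copied from it). An empty list disables the
// check entirely, which is the effect of xwero's $config line.
function isPermittedUri(string $segment, string $permitted): bool
{
    if ($permitted === '' || $segment === '') {
        return true;
    }
    // Build a character class; preg_quote escapes '-', so restore it for ranges like a-z.
    $class = str_replace('\-', '-', preg_quote($permitted, '/'));
    return (bool) preg_match('/^[' . $class . ']+$/i', $segment);
}

// HTML context: neutralise markup before echoing any URI-derived text into a page.
function forHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Link context: encode the user chunk so '?', '#', ';' and '/' are data rather than
// URL syntax, THEN escape the whole href for HTML. Both layers are needed; neither
// replaces the other. rawurlencode follows RFC 3986 (space becomes %20, not '+'),
// which is the right choice for a path segment; urlencode is for query strings.
function safeLink(string $baseUrl, string $chunk): string
{
    return forHtml($baseUrl . rawurlencode($chunk));
}

$defaultPermitted = 'a-z 0-9~%.:_\-';   // assumption: CI 1.x default from config.php
$xss   = "<script>alert('may I steal your cookie?')</script>";   // Rick Jolly's payload
$chunk = "/some?crazy!stuff;put;here\$byTheuser";                  // plainas's user text

// With the default list the payload is rejected ('<', '(' and the quote are not
// permitted); with the loose empty setting it reaches the controller unchanged.
var_dump(isPermittedUri($xss, $defaultPermitted));
var_dump(isPermittedUri($xss, ''));

// Even when it gets through, escaping for the HTML context renders it inert text.
echo forHtml($xss), "\n";

// Skipping rawurlencode here would let the '?' turn the rest into a query string
// and a raw '/' start a new URI segment; htmlspecialchars alone changes neither.
echo safeLink('http://example.com/', $chunk), "\n";
```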