CodeIgniter Forums
Disallowed characters in URL and search - Printable Version



Disallowed characters in URL and search - El Forum - 07-26-2010

[eluser]victorche[/eluser]
Hello again ... I am facing a big problem with my future site logic. The problem is really simple. I really need the search query (keyword) to be in the link. This way users can send each other URLs with the search results, like
example.com/search/keywords_here
One other thing ... I really want to use opensearch (for info, check here: http://www.opensearch.org/)

And I am doing something like this (note, I am using urlencode):
Code:
if ($this->input->post('search'))
{
    // Put the submitted keyword into the URI so the result page can be shared
    $search = $this->input->post('search');
    redirect('search/'.urlencode($search));
    return;
}
The problem is, if someone puts disallowed characters, it shows an error. First, I don't know what the problem is with just hitting the keyboard and adding the ">" symbol. I mean, is there something connected with security? I guess so, but all the queries are checked and secured anyway. And if I have any worries about it, at least I want to be able to change this default CI error ... to something which suits my design.

Forbidding everything is not always needed. And I really need more freedom here. Besides, this CI error is just unacceptable for my site design and idea.

Any help and ideas?


Disallowed characters in URL and search - El Forum - 07-26-2010

[eluser]Buso[/eluser]
http://ellislab.com/forums/viewthread/160377/

If you need to whitelist more characters you can do that in config.php.

It is about security as you said, but you can change almost anything in CI.


Disallowed characters in URL and search - El Forum - 07-26-2010

[eluser]victorche[/eluser]
Thanks, Buso ... This helped a little. I have 2 different questions. The first one:
As I am a newbie in programming, the solution you are giving there seems elegant, but can you give me a hint (short example) about what I should do next in MY_Router? I mean this part of your answer: "Then you let the Router class handle that as a 404". Can you please give some more info about it?
The second question is more about the logic. If you want to search for "iphone" and by mistake you type "iphone>", do you think it is normal to lead to a 404?
Because the user who asks in the other topic has another problem. Not like mine. He needs a 404 page after a disallowed character is submitted. I don't think this is good for my case. I can't even think of a website which has a search function where this search leads to a 404 in any case :(
Maybe I will prefer just to search for everything, or ... if it is not possible, just to have an error message informing about the disallowed characters (but not the default CI one).

Sounds too complicated, I know. But as I said, I don't think there is a site which gives a 404 or "disallowed characters" as a result for a search :(


Disallowed characters in URL and search - El Forum - 07-26-2010

[eluser]Buso[/eluser]
You need to validate the user input before using it in your application (you can use CodeIgniter's form validation).
Then if a user writes iphone>, you just tell him which characters are allowed with a nice error message, and let him try again.
If you still want your users to be able to use iphone> as a search input, you can remove strange chars before using it in a URI, or add '>' to the allowed chars list. Or don't use it in a URI and send it via POST.

About MY_URI, once you have installed it, wrong URIs will automatically show the 404 error message (which is handled by the router class and the exceptions class). But you still need to have a MY_Router and MY_Exceptions class (I think) if you want the 404 message to be customized. Otherwise CI's default 404 message will be shown (which works fine for SEO, but maybe not for users).


Disallowed characters in URL and search - El Forum - 07-26-2010

[eluser]victorche[/eluser]
Really thanks! I am already using MY_Router, as in this tutorial here:

http://maestric.com/doc/php/codeigniter_404

Because I needed my own, custom 404 pages. So you mean only adding your gentle MY_URI will automatically make the magic "wrong character -> 404 page"? If that is the case, sounds elegant. Too bad I can only check it later, because now I am at work.

Sure, I will validate the input, but I don't think it will be nice to remove the disallowed characters. If a ">" character is there, maybe the user wants it to be there :)

Not using the URI... Not a good idea! I will lose the option of custom searches to be sent and ... some tags in posts that lead to mysite.com/search/some_tag_here
I will also lose the chance of using OpenSearch.

Ah, such a simple thing is so difficult because of these characters :(


Disallowed characters in URL and search - El Forum - 07-26-2010

[eluser]victorche[/eluser]
Ahh, update: this thing is really buggy :(

Forbidden characters, OK ... but why is any Cyrillic letter "disallowed" also? You cannot damage a site by entering "ажаогиуигт"
I tried to add "а-я" to the allowed characters, which is like "a-z", but for the Cyrillic alphabet. The result is... In some cases (letters), everything is OK. But in some cases "The URI you submitted has disallowed characters". It likes the letter "я", while it hates the letter "щ".

Sorry, but this is a joke. Unacceptable for a serious project like CI ...
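
Why adding "а-я" to the allowed characters can accept "я" but reject "щ", shown as an added example that is not part of the original thread and is not CodeIgniter's own code. It assumes the whitelist is compiled into a regular-expression character class without PCRE's /u modifier, so the range is read byte by byte; the helper names segment_allowed and rejected_chars, the whitelist string and the sample inputs are hypothetical.

```php
<?php
// Added example, not CodeIgniter's code. Save this file as UTF-8.
// Assumption: the whitelist becomes a character class ^[...]+$ that is
// compiled without the /u modifier, so PCRE reads pattern and input as bytes.

// Hypothetical helper: does $segment pass the whitelist?
function segment_allowed($permitted, $segment, $utf8 = false)
{
    $pattern = '/^[' . $permitted . ']+$/' . ($utf8 ? 'u' : '');
    return preg_match($pattern, $segment) === 1;
}

// Hypothetical helper: characters of a valid UTF-8 $segment that are rejected,
// e.g. to name them in an error message instead of a generic error page.
function rejected_chars($permitted, $segment, $utf8 = false)
{
    $bad = array();
    foreach (preg_split('//u', $segment, -1, PREG_SPLIT_NO_EMPTY) as $ch) {
        if (!segment_allowed($permitted, $ch, $utf8)) {
            $bad[$ch] = true;
        }
    }
    return array_keys($bad);
}

// Constructed whitelist: ASCII characters plus the range from the post.
$permitted = 'a-z 0-9~%.:_\-а-я';

// Byte mode: "а-я" is the bytes D0 B0-D1 8F, i.e. byte D0, the byte range
// B0..D1, and byte 8F. я (D1 8F) fits; щ (D1 89) does not, because of 0x89.
$term = 'ящик';  // constructed search term
echo 'bytes: ', implode(' ', rejected_chars($permitted, $term)), "\n";
echo 'utf-8: ', implode(' ', rejected_chars($permitted, $term, true)), "\n";

// The byte range also admits input that is not Cyrillic text at all:
// two stray continuation bytes (constructed, invalid UTF-8) pass in byte mode
// and fail once the pattern is compiled with /u.
$stray = "\xB0\xB1";
var_dump(segment_allowed($permitted, $stray));        // byte mode
var_dump(segment_allowed($permitted, $stray, true));  // /u mode
```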


Disallowed characters in URL and search - El Forum - 07-26-2010

[eluser]Buso[/eluser]
It is called whitelisting. It is always safer to set what is allowed than what isn't.

When a site of yours gets hacked, you will understand how imaginative a hacker can be.

Anyway, as you should have noticed already, you can override almost any behavior in CI.

Just extend the class, overload the method, and make it do what you want to suit your needs.

But if you think this is a joke then maybe you should find another framework.


Disallowed characters in URL and search - El Forum - 08-08-2010

[eluser]victorche[/eluser]
These days I will work on this search. So ... My final question about this is simple:
How can I avoid this "disallowed characters" feature altogether?

I thought and thought about it. Any search leading to a 404 page is just not acceptable for me. The search string will be validated anyway, so I really want to avoid this whole feature. I want anything which the user types to go in the URL. I thought about adding stuff to the allowed chars list. But this seems impossible. I would like to add all Cyrillic letters, Latin letters like ö, ü ... Seems like a really long list.

So, simple question: how can I avoid this thing altogether?