+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: Do I need escaping url on each method? (/showthread.php?tid=71788)
Do I need escaping url on each method? - wishmaster - 09-24-2018
Hi, guys.
I have class page with methods like this:
index() (uses list() method inside)
add() (uses form() method inside)
edit() (uses form() method inside)
delete() (uses form() method inside)
list()
form()
I have field filter_name for filtering pages in index() method with this script
Code:
$('#button-filter').on('click', function() {
var url = '<?php echo base_url('page/index'); ?>';
var filter_name = $('input[name=\'filter_name\']').val();
if (filter_name) {
url += '/filter_name/' + fixedEncodeURIComponent(filter_name);
}
location = url;
});Then links are created with filter_name section:
Code:
private function list() {
.....
// url for links add/delete/etc
$url = array();
$urls = array('filter_name', 'sort', 'order', 'per_page');
foreach ($urls as $u1) {
if (isset($this->uris[$u1])) {
$url[$u1] = $this->uris[$u1];
}
}
$data['action']['add'] = base_url('page/add/' . $this->uri->assoc_to_uri($url));
$data['action']['edit'] = base_url('page/edit/' . (empty($this->uri->assoc_to_uri($url)) ? '' : $this->uri->assoc_to_uri($url) . '/') . 'page_id/');
$data['action']['copy'] = base_url('page/copy/' . $this->uri->assoc_to_uri($url));
$data['action']['delete'] = base_url('page/delete/' . $this->uri->assoc_to_uri($url));
// Here we must decode encoded name
$data['filter_name'] = rawurldecode($this->uris['filter_name'] ?? '');
....
}So, my question. Is this safe in security point of view? Or I must do something like this
Code:
if (isset($this->uris[$u1])) {
$url[$u1] = rawurlencode($this->uris[$u1]);
}But this gets me problem when click on add button and then return to the original list page.
Thanks.
RE: Do I need escaping url on each method? - jreklund - 09-24-2018
$this->uris aren't a standard array. Please post how you populate it.
RE: Do I need escaping url on each method? - wishmaster - 09-24-2018
I use extended controller scheme.
Code:
class MY_Controller extends CI_Controller {
protected $uris = array();
function __construct() {
parent::__construct();
$this->uris = $this->uri->uri_to_assoc(3);
}
.....
}I use the next uri scheme:
Code:
http://mysite.com/admin/page/index/filter_name/foo/per_page/5/baz/barRE: Do I need escaping url on each method? - jreklund - 09-24-2018
What kind of data are you passing thru the url and how do you use $data['filter_name'] afterwards?
Codeigniter will only accept characters inside $config['permitted_uri_chars'] in the url, but as you convert everything in the url. It won't look for any illegal characters as there aren't any.