Do I need escaping url on each method?

Do I need escaping url on each method? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forum-5.html)
+--- Forum: General Help (https://forum.codeigniter.com/forum-24.html)
+--- Thread: Do I need escaping url on each method? (/thread-71788.html)

Do I need escaping url on each method? - wishmaster - 09-24-2018

Hi, guys.

I have class page with methods like this:
index() (uses list() method inside)
add() (uses form() method inside)
edit() (uses form() method inside)
delete() (uses form() method inside)
list()
form()

I have field filter_name for filtering pages in index() method with this script

Code:
$('#button-filter').on('click', function() {

        var url = '<?php echo base_url('page/index'); ?>';

        var filter_name = $('input[name=\'filter_name\']').val();

        if (filter_name) {

                url += '/filter_name/' + fixedEncodeURIComponent(filter_name);

        }

        location = url;

});

Then links are created with filter_name section:

Code:
private function list() {

..... 

                // url for links add/delete/etc

                $url = array();

                $urls = array('filter_name', 'sort', 'order', 'per_page');

                foreach ($urls as $u1) {

                    if (isset($this->uris[$u1])) {

                        $url[$u1] = $this->uris[$u1];

                    }

                }

                $data['action']['add'] = base_url('page/add/' . $this->uri->assoc_to_uri($url));

                $data['action']['edit'] = base_url('page/edit/' . (empty($this->uri->assoc_to_uri($url)) ? '' : $this->uri->assoc_to_uri($url) . '/') . 'page_id/');

                $data['action']['copy'] = base_url('page/copy/' . $this->uri->assoc_to_uri($url));

                $data['action']['delete'] = base_url('page/delete/' . $this->uri->assoc_to_uri($url));

                // Here we must decode encoded name

                $data['filter_name'] = rawurldecode($this->uris['filter_name'] ?? '');

....

}

So, my question. Is this safe in security point of view? Or I must do something like this

Code:
if (isset($this->uris[$u1])) {

                        $url[$u1] = rawurlencode($this->uris[$u1]);

                    }

But this gets me problem when click on add button and then return to the original list page.

Thanks.

RE: Do I need escaping url on each method? - jreklund - 09-24-2018

$this->uris aren't a standard array. Please post how you populate it.

RE: Do I need escaping url on each method? - wishmaster - 09-24-2018

I use extended controller scheme.

Code:
class MY_Controller extends CI_Controller {

       protected $uris = array();

       function __construct() {

           parent::__construct();

           $this->uris = $this->uri->uri_to_assoc(3);

        }

.....

}

I use the next uri scheme:

Code:
http://mysite.com/admin/page/index/filter_name/foo/per_page/5/baz/bar

RE: Do I need escaping url on each method? - jreklund - 09-24-2018

What kind of data are you passing thru the url and how do you use $data['filter_name'] afterwards?

Codeigniter will only accept characters inside $config['permitted_uri_chars'] in the url, but as you convert everything in the url. It won't look for any illegal characters as there aren't any.