problems passing base64_encoded value
I'm trying to pass a password reset token as part of a CI4 url -- it's 32 random bytes encoded using base64_encode. Suppose the token was generated this way:
PHP Code:
// returns LGziiALPuVrzIruXQNiFzDWbJuZNIT//zjgTh5FO288=

I'm having a few problems:

1) If I try to add this token to a url like so:
PHP Code:
$url = site_url("/password-reset/token/" . urlencode($token));
Code:
https://example.com/password-reset/tokenLGziiALPuVrzIruXQNiFzDWbJuZNIT/zjgTh5FO288=

2) If I create the site url without the token (which seems awkward, to be honest) and then append the urlencoded token like this:
PHP Code:
$url = site_url('/password-reset/token/') . urlencode($token);
Code:
https://example.com/password-reset/token/LGziiALPuVrzIruXQNiFzDWbJuZNIT%2F%2FzjgTh5FO288%3D

Is there some way to get CodeIgniter to allow url-encoded values in its segments? Is there any security risk in doing so? It seems pretty limited if we can't urlencode values to pass them in as autorouted parameters.
I would use the Text helper for this purpose to avoid URL issues with Base64; it uses bin2hex() on the result of random_bytes() instead of base64_encode().
Code:
echo random_string('crypto', 64);
https://codeigniter.com/user_guide/helpe...dom_string

(03-25-2021, 02:50 AM)craig Wrote: I would use the Text helper for this purpose to avoid URL issues with Base64; it uses bin2hex() on the result of random_bytes() instead of base64_encode().

Sadly, bin2hex takes up a lot more space -- it doubles the length of whatever you encode. Also, I think there's a bug in site_url (or more specifically the URI class) and how it deals with your query string. Turns out CI4 will urlencode your query string whether you like it or not:
PHP Code:
// slash in query string gets encoded:
PHP Code:
$v = '%';
The + char, in particular, has problems. site_url returns the exact same url for both $url1 and $url2:
PHP Code:
$url1 = '?x=2+2';
Call me crazy, but I don't think site_url should be urldecoding your path segments or urlencoding your query strings. Furthermore, its urlencoding behavior is unpredictable.
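
Added example, not part of the thread and not CodeIgniter code: the URL-safe Base64 alphabet (RFC 4648 "base64url") keeps a 32-byte token shorter than its bin2hex() form and uses only characters that need no urlencode(), so nothing in the path segment can be re-encoded or decoded on the way through. The function names token_encode() and token_decode() are hypothetical.

```php
<?php
// Added example: base64url for a 32-byte reset token.
// token_encode()/token_decode() are hypothetical names, not CodeIgniter APIs.

function token_encode(string $raw): string
{
    // Swap the two characters that clash with URL syntax and drop '=' padding.
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function token_decode(string $segment, int $expectedBytes = 32): ?string
{
    // Accept only the base64url alphabet; reject anything else outright,
    // including percent-escapes and the standard '+', '/' and '='.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $segment)) {
        return null;
    }
    // Restore the standard alphabet and padding, then decode in strict mode.
    $b64 = strtr($segment, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    // A token of the wrong size is treated the same as a malformed one.
    if ($raw === false || strlen($raw) !== $expectedBytes) {
        return null;
    }
    return $raw;
}

$raw   = random_bytes(32);
$token = token_encode($raw);

// Compare the three encodings of the same 32 bytes.
printf("base64:    %d chars\n", strlen(base64_encode($raw)));
printf("bin2hex:   %d chars\n", strlen(bin2hex($raw)));
printf("base64url: %d chars\n", strlen($token));

// The token quoted in the first post, re-encoded with the URL-safe alphabet.
$fromThread = base64_decode('LGziiALPuVrzIruXQNiFzDWbJuZNIT//zjgTh5FO288=', true);
echo token_encode($fromThread), "\n";

// Round trip, plus a constructed malformed segment that must be rejected.
var_dump(token_decode($token) === $raw);
var_dump(token_decode('LGzi%2F%2Fzjg') === null);
```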