use a GET request or URI segments?!
#1

[eluser]BarberCraig[/eluser]
Hey guys,

The issue I am having is with receiving variables via the URL.

What I am currently doing is using a $_REQUEST to collect data parameters, which I know is not very secure as the data being received won't be validated, then redirecting to another page. So it works really well in the sense that the data I am receiving isn't being displayed in the URL, it's hidden. The drawback, however, is that that REQUEST data won't be cleansed by CI automatically. I will need to write a PHP function to cleanse the data myself.

I have tried using the Input class' get feature which pulls in get data, but that doesn't seem to be working (see code below)

Code:
$this->input->get('some_data', TRUE);

But I guess CI recommends you use the URI segmentation route. Which I have also looked into. I would normally use this method, but, the source in which I am receiving the Get data is from an external source, and I don't have any control over how this data is sent to me.

What I'm asking is, is there scope within CI to cleanse GET data via standard query string (without enabling query strings in my config, and then across the whole site)?

What I've read within the User Guide doesn't really give my situation a compromise it seems....

Cheers for your help guys

Craig
#2

[eluser]intractve[/eluser]
A simple search turned this up:

http://ellislab.com/forums/viewthread/99570/
#3

[eluser]bretticus[/eluser]
Or you could just bypass all that crap that cripples everything good about CodeIgniter and use a hack to get your GET variables. :)

Put this in your controller method that you will use for the external post back. (You may have to play around with REQUEST_URI. For variants see the config.php file.)

Code:
//put some vars back into $_GET.
parse_str(substr(strrchr($_SERVER['REQUEST_URI'], "?"), 1), $_GET);

// grab values as you would from an ordinary $_GET superglobal array associative index.
$some_variable = $this->input->xss_clean($_GET['some_variable']);

By the way this lets you mix querystrings and controller/methods. For example:

http://www.yourpage.tld/controller/landi...ipt=DG6HS7
#4

[eluser]Zeeshan Rasool[/eluser]
You can also enable global_xss_filtering in the config file, so that all your POST and GET data will be filtered by CI automatically.
Code:
$config['global_xss_filtering'] = TRUE;
#5

[eluser]LifeSteala[/eluser]
You should always use CI's URI class. See: http://ellislab.com/codeigniter/user-gui...s/uri.html
#6

[eluser]BarberCraig[/eluser]
Thank you all for your response!

bretticus and Zeeshan, I have combined your suggestions!

I already have global XSS filtering enabled on my site, so that's all cool!

This is working nicely, and feels a lot more secure! I wasn't happy with just pulling in data from the URL directly using GET...

Thanks again

Craig
#7

[eluser]bretticus[/eluser]
[quote author="BarberCraig" date="1269020124"]
bretticus and Zeeshan, I have combined your suggestions![/quote]

I'm sure you already realized this but setting xss globally does nothing for my "hack" suggestion (which is not original btw.) That's why I showed cleansing with the input class in my example. Again, that code should only reside in your method that will be linked to externally. My favorite part of this solution is that you can leave all the other settings in CodeIgniter intact.

Cheers!
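
As post #7 notes, values pulled out of REQUEST_URI by hand are not covered by the global XSS setting, so the landing method has to check them itself. The following is an added example, not part of the thread and not CodeIgniter's own code: plain PHP that parses the query string into a local array, keeps only allowlisted parameters that match an expected format, and escapes on output. The function name `read_query_params`, the format rule and the sample URIs are assumptions made for illustration.

```php
<?php
// Added example: function name, rules and sample URIs are constructed.

/**
 * Parse the query string of a request URI into a local array and keep only
 * allowlisted parameters whose values match an expected format.
 *
 * @param string $requestUri e.g. the value of $_SERVER['REQUEST_URI']
 * @param array  $rules      parameter name => anchored regex it must match
 * @return array             validated parameters only
 */
function read_query_params($requestUri, array $rules)
{
    // parse_url() isolates the query part; it is null or false when absent.
    $query = parse_url($requestUri, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return array();
    }

    // Parse into a local array instead of overwriting the $_GET superglobal.
    $raw = array();
    parse_str($query, $raw);

    $clean = array();
    foreach ($rules as $name => $pattern) {
        // Skip missing keys and array-valued input such as ?name[]=x.
        if (!isset($raw[$name]) || !is_string($raw[$name])) {
            continue;
        }
        if (preg_match($pattern, $raw[$name]) === 1) {
            $clean[$name] = $raw[$name];
        }
    }
    return $clean;
}

// Assumed format for the external parameter: 1-32 ASCII letters or digits.
$rules = array('some_variable' => '/\A[A-Za-z0-9]{1,32}\z/');

// Constructed sample URIs: one well-formed value, one carrying markup.
$ok  = read_query_params('/controller/method?some_variable=ABC123&extra=1', $rules);
$bad = read_query_params('/controller/method?some_variable=%3Cscript%3E', $rules);
var_dump($ok, $bad);

// Escape at output time for the context the value lands in (HTML here).
$value = isset($ok['some_variable']) ? $ok['some_variable'] : '';
echo htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), "\n";
```

Validating against a known format rejects unexpected input outright, while the output escaping covers whatever the format rule still allows through.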
#8

[eluser]pbreit[/eluser]
bretticus, what is the problem with this solution?
$config['uri_protocol'] = "PATH_INFO";
$config['enable_query_strings'] = TRUE;