Is valid this base_url setup??
I had been reading this:
PHP Code: /*
And I want to have no problem with security, so on my production application I want to set up the base_url config correctly. With other projects I had done there was no problem because I only needed to use one domain... But now things change. I am doing something like a multidomain system... and a thing I am thinking is:
PHP Code: $config['base_url'] = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,strpos( $_SERVER["SERVER_PROTOCOL"],'/'))).'://'.$_SERVER['HTTP_HOST'];
Could that be correct?? Thank you.
I use the following code snippet:
PHP Code: $allowed_domains = array('site1.com', 'site2.com');
None of the URL examples work on CI when you want to run a controller method by CLI.
The $_SERVER['HTTP_HOST'] value is created based on the request headers from the browser, and it's easy to manipulate them. The value of $config['base_url'] is used for example in the url helper, form_open function etc. You should not have a situation where some header of the client can change all the URLs on your page, or even change the action URL of a login form to some external location...
Therefore you should never ever trust user input blindly, and not only validate if it's a valid domain name, but in this case you should check if $_SERVER['HTTP_HOST'] is indeed set to a domain you own. I use a similar whitelist approach to Krycek's. http://www.skeletonscribe.net/2013/05/pr...tacks.html
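An added example, not part of any post in this thread: one way to build base_url from an allowlist so that the Host header only selects among domains you own and never appears in the output unchecked. The domain names, the function names and the fallback-to-default behaviour are assumptions made for illustration; the scheme is read from $_SERVER['HTTPS'], which assumes TLS is not terminated by a proxy in front of PHP.

```php
<?php
// Added example (not from the thread). Domain names are placeholders.
$allowed_domains = array('site1.com', 'site2.com'); // hosts you own
$default_domain  = $allowed_domains[0];             // used for CLI and unknown hosts

// Return the allowlisted host named by the Host header, or the default.
function resolve_base_host(array $server, array $allowed, $default)
{
    if (empty($server['HTTP_HOST'])) {
        return $default; // CLI run, or a request that sent no Host header
    }
    $host = strtolower(trim($server['HTTP_HOST']));
    $host = preg_replace('/:\d+$/', '', $host); // drop an optional :port
    $host = rtrim($host, '.');                  // drop a trailing root dot
    // Strict comparison: only an exact allowlist entry is ever returned.
    return in_array($host, $allowed, true) ? $host : $default;
}

// Scheme from the server's own TLS flag (assumes no TLS-terminating proxy).
function resolve_scheme(array $server)
{
    $https = isset($server['HTTPS']) ? strtolower($server['HTTPS']) : '';
    return ($https !== '' && $https !== 'off') ? 'https' : 'http';
}

function resolve_base_url(array $server, array $allowed, $default)
{
    return resolve_scheme($server) . '://'
        . resolve_base_host($server, $allowed, $default) . '/';
}

// In application/config/config.php this would be the only line needed:
$config['base_url'] = resolve_base_url($_SERVER, $allowed_domains, $default_domain);

// Constructed sample requests showing how each Host value is resolved.
$samples = array(
    array('HTTP_HOST' => 'Site2.com:8080', 'HTTPS' => 'on'),
    array('HTTP_HOST' => 'other.example'),
    array('HTTP_HOST' => 'site1.com.other.example'),
    array(), // CLI: no HTTP_HOST at all
);
foreach ($samples as $s) {
    $shown = isset($s['HTTP_HOST']) ? $s['HTTP_HOST'] : '(none)';
    echo str_pad($shown, 26), ' => ',
        resolve_base_url($s, $allowed_domains, $default_domain), PHP_EOL;
}
```

A stricter variant answers an unknown Host with a 400 response instead of falling back to the default domain.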
Not sure if this will help -- but instead of setting the base URL in the application/config file, you can set it on the main index.php page. Scroll down and you will see 'custom config values'. You can then set it like:
PHP Code: $assign_to_config['base_url'] = 'https://yourwebsite.com/';