Do I need escaping url on each method?
#1

Hi, guys.

I have a class Page with methods like these:
index()  (uses the list() method inside)
add()    (uses the form() method inside)
edit()   (uses the form() method inside)
delete() (uses the form() method inside)
list()
form()

I have a field filter_name for filtering pages in the index() method, with this script:

Code:
// Helper assumed to be defined elsewhere in the page's JS; this is the MDN
// version: encodeURIComponent() leaves !'()* unencoded, so encode those too
// before the value becomes a path segment.
function fixedEncodeURIComponent(str) {
    return encodeURIComponent(str).replace(/[!'()*]/g, function (c) {
        return '%' + c.charCodeAt(0).toString(16).toUpperCase();
    });
}

$('#button-filter').on('click', function() {
    var url = '<?php echo base_url('page/index'); ?>';

    var filter_name = $('input[name=\'filter_name\']').val();

    // Append the filter as a key/value pair of URI segments, encoded once
    if (filter_name) {
        url += '/filter_name/' + fixedEncodeURIComponent(filter_name);
    }

    location = url;
});

Then links are created with filter_name section:

Code:
private function list() {

.....
    // Carry the current filter/sort/paging segments into the add/edit/copy/delete links
    $url = array();
    $urls = array('filter_name', 'sort', 'order', 'per_page');

    foreach ($urls as $u1) {
        if (isset($this->uris[$u1])) {
            $url[$u1] = $this->uris[$u1];
        }
    }

    // 'key/value/key/value' string, built once; empty when no segments were carried over
    $query = $this->uri->assoc_to_uri($url);

    $data['action']['add']    = base_url('page/add/' . $query);
    $data['action']['edit']   = base_url('page/edit/' . (empty($query) ? '' : $query . '/') . 'page_id/');
    $data['action']['copy']   = base_url('page/copy/' . $query);
    $data['action']['delete'] = base_url('page/delete/' . $query);

    // Here we must decode the encoded name
    $data['filter_name'] = rawurldecode($this->uris['filter_name'] ?? '');

....
}

So, my question: is this safe from a security point of view? Or must I do something like this:

Code:
if (isset($this->uris[$u1])) {
    $url[$u1] = rawurlencode($this->uris[$u1]);
}

But this causes me a problem when I click on the add button and then return to the original list page.

Thanks.
#2

$this->uris isn't a standard array. Please post how you populate it.
#3

(This post was last modified: 09-24-2018, 10:57 AM by wishmaster.)

I use extended controller scheme.

Code:
class MY_Controller extends CI_Controller {

    protected $uris = array();

    function __construct() {
        parent::__construct();

        // Segments from the third one onward, read as key/value pairs
        $this->uris = $this->uri->uri_to_assoc(3);
    }
.....
}

I use the following URI scheme:
Code:
http://mysite.com/admin/page/index/filter_name/foo/per_page/5/baz/bar
#4

What kind of data are you passing through the URL, and how do you use $data['filter_name'] afterwards?

CodeIgniter will only accept characters inside $config['permitted_uri_chars'] in the URL, but as you convert everything in the URL, it won't find any illegal characters because there aren't any.
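As an added example (my own PHP, not code from this thread or from CodeIgniter), here is the whole flow that #1 asks about and #4 comments on: a filter value is encoded once into a URI segment, the segment is checked against a permitted-character class, and the controller decodes it again. It assumes CodeIgniter 3's default permitted_uri_chars value ('a-z 0-9~%.:_\-') and models its segment check as a case-insensitive whole-string character-class match; the function names encodeSegment, segmentIsPermitted, assocToUri and uriToAssoc are mine, standing in for the framework's assoc_to_uri / uri_to_assoc.

```php
<?php
// Added example, not from the thread or CodeIgniter. Models the flow discussed:
// encode once -> permitted-character check on the raw segment -> decode once.
// Assumption: CI3's default permitted_uri_chars and a whole-string class match.

const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

// Encode a value exactly once for use as a path segment. Decoding first makes the
// call idempotent, so a value that already came out of the URI is not encoded a
// second time (that is what turns "%20" into "%2520" on the return trip).
function encodeSegment(string $value): string
{
    return rawurlencode(rawurldecode($value));
}

// Mirrors the kind of check CodeIgniter applies to every URI segment (assumption).
function segmentIsPermitted(string $segment, string $permitted = PERMITTED_URI_CHARS): bool
{
    return $segment === '' || preg_match('/^[' . $permitted . ']+$/i', $segment) === 1;
}

// Build "key/value/key/value" as the thread's list() does with assoc_to_uri,
// but encoding each value once.
function assocToUri(array $pairs): string
{
    $parts = [];
    foreach ($pairs as $key => $value) {
        $parts[] = $key;
        $parts[] = encodeSegment((string) $value);
    }
    return implode('/', $parts);
}

// Inverse: split the path into segments and decode the values, refusing any
// segment the permitted-character check would have rejected.
function uriToAssoc(string $path): array
{
    $segments = explode('/', trim($path, '/'));
    $assoc = [];
    for ($i = 0; $i + 1 < count($segments); $i += 2) {
        if (!segmentIsPermitted($segments[$i]) || !segmentIsPermitted($segments[$i + 1])) {
            throw new InvalidArgumentException('The URI you submitted has disallowed characters.');
        }
        $assoc[$segments[$i]] = rawurldecode($segments[$i + 1]);
    }
    return $assoc;
}

// Constructed input: what the button handler in #1 would send.
$filterName = "O'Brien <b>&</b> co";
$path = 'page/index/' . assocToUri(['filter_name' => $filterName, 'per_page' => 5]);
echo $path, PHP_EOL;                          // the percent-encoded path

// An unencoded segment with markup in it does not pass the character check.
var_dump(segmentIsPermitted('<b>'));          // the raw form is refused

// Round trip: the controller decodes the segment and gets the original text back.
$uris = uriToAssoc(substr($path, strlen('page/index/')));
var_dump($uris['filter_name'] === $filterName);

// Re-encoding the raw segment (the snippet proposed in #1) encodes the '%' again;
// encodeSegment() leaves an already-encoded segment as it is.
$rawSegment = explode('/', $path)[3];
echo rawurlencode($rawSegment), PHP_EOL;      // double-encoded
echo encodeSegment($rawSegment), PHP_EOL;     // unchanged

// After decoding, the value is ordinary untrusted input again: escape it for HTML
// output and bind it as a query parameter rather than interpolating it.
echo htmlspecialchars($uris['filter_name'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Two things the script makes visible. First, copying the raw segments through unchanged, as the list() method in #1 already does, keeps them encoded exactly once; wrapping them in rawurlencode() a second time is what double-encodes them and breaks the return trip to the list page. The decode-then-encode trick above avoids that, at the cost of ambiguity for a value that itself contains a literal "%25". Second, as #4 says, the permitted-character check sees only the encoded form, so it does not vet the decoded value; whether the decoded filter is safe depends entirely on how it is used afterwards, which is why it is escaped for HTML here and should be bound as a query parameter rather than concatenated into SQL.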