What can happen if i use a loose URL chars restriction?

#1
[eluser]plainas[/eluser]
Let's say I allow every char and escape them whenever I put userdata in an SQL query, etc. What can possibly happen?

Can anybody give me an example to illustrate this?

#2
[eluser]Rick Jolly[/eluser]
You just need to be concerned if you are echoing anything from your url. For example, you wouldn't want to print this to the browser: "controller/method/<scribt>alert('may I steal your cookie?')</scribt>". As long as you run the uri or its segments through htmlspecialchars(), then you won't have a problem.

Kohana has actually done away with the allowed url characters restriction.

#3
[eluser]xwero[/eluser]
[quote author="Rick Jolly" date="1219202814"]Kohana has actually done away with the allowed url characters restriction.[/quote]
in CI you can do
Code:
$config['permitted_uri_chars'] = '';

#4
[eluser]plainas[/eluser]
So let's say I want to allow users to create meaningful URLs, is this the correct way to output them?

Code:
$urlchunk = "/some?crazy!stuff;put;here\$byTheuser";
$urlchunk = urlencode($urlchunk); # Is this necessary?
echo htmlspecialchars(base_url().$urlchunk);

This is quite confusing. What could happen if I skipped the urlencode call?

Just out of curiosity, if I allow the forward slash, I wonder if it will be picked up as a parameter or if it will still work as the separator.
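Added example (not posted by anyone in this thread) separating the two encodings the question above runs together: percent-encoding for the URL itself and HTML escaping for the page it is echoed into. CodeIgniter's base_url() is stubbed so the file runs stand-alone; the user input is constructed.

```php
<?php
// Added example, not code from the thread. base_url() is CodeIgniter's
// URL helper; a stand-in is defined here so the file runs on its own.
function base_url(): string
{
    return 'http://example.com/';
}

// Constructed user input mixing URL metacharacters with an HTML payload.
$userSegment = '/some?crazy!stuff;put;here$byTheuser"><b>x</b>';

// Context 1, URL: percent-encode the value as ONE path segment so that
// '/', '?', ';' and '#' are data, not URL syntax. '/' becomes %2F.
$encodedSegment = rawurlencode($userSegment);

// Context 2, HTML: escape the finished URL before echoing it into markup.
// ENT_QUOTES stops a double quote from closing the href attribute.
function link_to(string $url, string $text): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}
echo link_to(base_url() . 'controller/method/' . $encodedSegment, 'link'), PHP_EOL;

// What skipping the urlencode step does: the '?' starts a query string and
// the leading '/' adds an empty segment, so the route no longer receives
// the value the user typed.
$parts = parse_url(base_url() . 'controller/method/' . $userSegment);
echo 'path:  ', $parts['path'], PHP_EOL;   // /controller/method//some
echo 'query: ', $parts['query'], PHP_EOL;  // crazy!stuff;put;here$byTheuser"><b>x</b>

// Receiving side: a segment echoed back to the browser (e.g. from
// $this->uri->segment()) is already percent-decoded by the server, so it
// still needs HTML escaping regardless of permitted_uri_chars.
$decoded = rawurldecode($encodedSegment);
echo '<p>' . htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8') . '</p>', PHP_EOL;
```

On the slash question: a percent-encoded slash is not a reliable way to keep '/' inside one segment, since Apache answers a path containing %2F with 404 unless AllowEncodedSlashes is turned on.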



