[SOLVED] Using Disqus with Codeigniter
#1

[eluser]mattcairns[/eluser]
Hello Everyone,
I have a site and CMS I have built in Codeigniter. My client would like to add a Disqus commenting system (http://disqus.com/) to the site. I've been looking into it and testing. It installs very easily, and I am very impressed with its ease of use.

The only problem is that on submission it reloads the page with something similar to this "?disqus_reply=4936046#comment-4936046" tagged on the end of the URL. This breaks the page due to CodeIgniter's handling of URI elements. I get the error "The URI you submitted has disallowed characters."

Does anyone have any advice or insight on this issue?

Thanks for your time.

Matt
#2

[eluser]simonmaddox[/eluser]
In your routes.php file, add this to the bottom:

Code:
$route['(:any)'] = 'controller/function'; // catch-all wildcard; change this to a "handler" function

In that function, do this:

Code:
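$request = $this->input->server('QUERY_STRING', TRUE);
$get = array();
foreach (explode('&', (string) $request) as $var) {
    if ($var === '') {
        continue; // empty query string or stray '&'
    }
    // Split on the first '=' only, so values that contain '=' survive
    $parts = explode('=', $var, 2);
    // A key with no '=' (e.g. "?flag") gets an empty value instead of a PHP notice
    $get[urldecode($parts[0])] = isset($parts[1]) ? urldecode($parts[1]) : '';
}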

if (isset($get['disqus_reply'])){
    // do whatever action you need to do here
}
#3

[eluser]dmorin[/eluser]
Or, in your config change

Code:
$config['uri_protocol'] = "PATH_INFO";

AND

Code:
$config['enable_query_strings'] = TRUE;
#4

[eluser]simonmaddox[/eluser]
[quote author="dmorin" date="1231307351"]Or, in your config change

Code:
$config['uri_protocol'] = "PATH_INFO";

AND

Code:
$config['enable_query_strings'] = TRUE;
[/quote]

I guess it's a personal preference. I'd prefer not to allow query strings to work throughout our site. If you do it the way I described above, anything with an invalid character in the URL will be passed through to the handler, which means you can choose what to do with the GET variables in your controller, where you'll have access to all the models and libraries you'll need.

If a request fails all of the checks to see if it's something we know about, the client just gets redirected to our homepage. It may not be perfect, but it works for us.
#5

[eluser]dmorin[/eluser]
Quote:I’d prefer not to allow query strings to work throughout our site.

Why? What does this mean? I guess what you're saying is if I want to manually add a "?Iheartponies=0" to the end of one of your urls, you want the request to get sent through your special controller and ultimately break rather than continuing along to the correct controller/method?

There are tons of times when Querystrings are virtually required including many external services like the Facebook and Google APIs (and apparently Disqus). I have no idea why CI restricts them by default. They're only a "risk" if you blindly use $_REQUEST and even then, you're still accepting user provided data so it should always be filtered and sanitized.

So please, if anyone has any reasonable excuse of why they would prefer a broken hacked up handling of the querystring instead of letting it function exactly as it should, let me know so I too can feel enlightened!

(I only rant about this because I wasted so much time hacking around it until someone on these forums pointed out the solution I posted 2 posts ago)
#6

[eluser]simonmaddox[/eluser]
Quote:Why? What does this mean? I guess what you’re saying is if I want to manually add a “?Iheartponies=0” to the end of one of your urls, you want the request to get sent through your special controller and ultimately break rather than continuing along to the correct controller/method?

Well, no. What we've done is a little more complicated than what I posted. ;)

Obviously you'll only be interfacing with external services that you actually know about and have to support in your code anyway (Facebook, Google, Disqus, payment gateways you've chosen), and in this case a "disqus_reply" GET variable would only refer to /blog/comments (or something) so it's fairly simple to build logic around it. Not knowing Disqus outside of installing the plugin on Wordpress, it's quite tricky to explain in this context.

EDIT: And, if it's not a valid query string according to our checks, it'll ignore it and let you right in and do the usual CodeIgniter thing of pretending it doesn't exist.

Again, it's personal preference - but by forcing yourself to use CodeIgniter's filtered values instead, you reduce the risk that you'll accidentally introduce an SQL injection hole.

It's pretty simple, by the way, to extend the Router class to take a GET key/value and turn it into a CodeIgniter friendly URL to be passed into the controller (do it in the _validate_request() method).

Yes, I agree that it's a pain in the arse that CI doesn't let you use the GET vars by default, but so far it hasn't caused us too much trouble (but we only integrate with a single external service in this way).
#7

[eluser]dmorin[/eluser]
Not to try to argue, just a few observations.

Quote:but by forcing yourself to use CodeIgniter’s filtered values instead, you reduce the risk that you’ll accidentally introduce an SQL injection hole

This isn't correct. CI's URL filtering isn't applied to POSTs so I don't see how it would have any impact in the way you filter for SQL injection. Regardless, you still have to filter user data and allowing GETs doesn't affect that risk.

Quote:It’s pretty simple, by the way, to extend the Router class to take a GET key/value and turn it into a CodeIgniter friendly URL to be passed into the controller (do it in the _validate_request() method).

The goal of GET information is typically to add supplementary data to a request, not define where the request should be routed. This is how the HTTP standard was designed. So while it is possible to modify the router to process GET parameters, it should be completely unnecessary as the preceding URL already has all of the routing information needed.

But I digress. As you say, it's personal preference. Glad to hear you have a solution working well for you and good luck to the original poster. For completeness, please make sure you post back a solution that works so future Disqus users will have a solution!
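Added example, not part of any post in this thread: one way to apply the "filter user data" point from the discussion above to the `disqus_reply` parameter, in plain PHP with no CodeIgniter dependency. The function name `filter_query_string` and the rules table are hypothetical, and the sample query strings are constructed.

```php
<?php
// Added example: allow-list validation of query-string parameters.
// filter_query_string() and $rules are hypothetical, not CodeIgniter APIs.

/**
 * Return only the parameters named in $rules whose values match the
 * rule's pattern. Unknown keys and malformed values are dropped.
 */
function filter_query_string($query_string, array $rules)
{
    $raw = array();
    parse_str((string) $query_string, $raw); // splits on '&' and '=', URL-decodes

    $clean = array();
    foreach ($rules as $key => $pattern) {
        // Skip missing keys and array-style input such as disqus_reply[]=1
        if (!isset($raw[$key]) || !is_string($raw[$key])) {
            continue;
        }
        // \A and \z anchor the whole value, including any trailing newline
        if (preg_match($pattern, $raw[$key]) === 1) {
            $clean[$key] = $raw[$key];
        }
    }
    return $clean;
}

// Only the parameter this thread mentions; the value must be 1-20 digits.
$rules = array('disqus_reply' => '/\A[0-9]{1,20}\z/');

// Constructed sample inputs
$samples = array(
    'disqus_reply=4936046',                // the form quoted in post #1
    'disqus_reply=4936046&Iheartponies=0', // unknown key is dropped
    'disqus_reply=49x%27',                 // non-digit characters are rejected
    'disqus_reply[]=1',                    // array input is rejected
    '',                                    // no query string at all
);

foreach ($samples as $qs) {
    echo str_pad("'" . $qs . "'", 40), ' => ',
        json_encode(filter_query_string($qs, $rules)), "\n";
}
```

The filtered array is the only place downstream code should read these values from, and database access should still use bound parameters.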
#8

[eluser]Phil Sturgeon[/eluser]
Quote:I’d prefer not to allow query strings to work throughout our site.

What's the downside to that? If you don't use $this->input->get() anywhere in the site, enabling query strings would have no effect whatsoever...
#9

[eluser]simonmaddox[/eluser]
[quote author="pyromaniac" date="1231355034"]
Quote:I’d prefer not to allow query strings to work throughout our site.

What's the downside to that? If you don't use $this->input->get() anywhere in the site, enabling query strings would have no effect whatsoever...[/quote]

Again, personal preference. I like that CodeIgniter has clean URLs, and the only need I've had for query strings so far has been with our payment gateway. I might reconsider this in the future, but right now there's no need.

Just because it works for us, it doesn't mean it works for everyone.
#10

[eluser]dmorin[/eluser]
I just noticed the link in the emails to unsubscribe from forum notifications uses querystring vars! CI's own forums require it to be enabled and yet CI ships with it disabled by default.

Sorry, I'll stop now...



