Hash symbol in URL causes a problem

#1
Hi
I'm currently using CodeIgniter version 3.0rc3, but I've had the same problem in version 2.2 as well.

My routes.php looks like this:
PHP Code:
$route['event/:num'] = "events/event";

config.php
PHP Code:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

If I try to reach, for example
Code:
http://example.com/event/32
I'm getting expected results

If I try to reach
Code:
http://example.com/event/asd
I'm getting 404 Page Not Found
Also expected

If I try to reach
Code:
http://example.com/event/+34
I'm getting An Error Was Encountered The URI you submitted has disallowed characters.
Also expected

But if I try to reach the same controller with just a hash symbol
Code:
http://example.com/event/#
I'm getting a database error because of it.

I would appreciate it if somebody could help me fix this problem.
Thanks.

#2
What does your events/event controller/method look like? How are you using the 3rd parameter (id) sent to it? Are you just running a query on the database to retrieve data for id "#"? I'm guessing that's where the issue is, as I have no problem using #; however, my segments DON'T start with #, they're like site.com/controller/method#something

#3
As CroNiX mentioned, this is most likely an issue with how you are handling your input.

In most cases, the # will not be included in the value checked against permitted_uri_chars (especially when the # is after the last slash in the URI), because the URI is passed through PHP's parse_url() function and the path and query portions are extracted, which do not include the #.

The actual database error (or at least the relevant part of it) would probably help determine what is happening, as I can't be sure whether you're receiving no input or receiving '#' as an input.

#4
Thanks for the answers, guys.

(03-24-2015, 07:46 AM)CroNiX Wrote: What does your events/event controller/method look like? How are you using the 3rd parameter (id) sent to it? Are you just running a query on the database to retrieve data for id "#"? I'm guessing that's where the issue is, as I have no problem using #; however, my segments DON'T start with #, they're like site.com/controller/method#something

I'm aware that my ID is # because I set that variable just like this
Code:
$id = $this->uri->segment(2);

...assuming that $this->uri->segment(2) is nothing but a number, like I remapped it in routes.php

#5
(03-25-2015, 03:21 AM)Goldie Wrote:
Code:
$id = $this->uri->segment(2);

...assuming that $this->uri->segment(2) is nothing but a number, like I remapped it in routes.php

Never assume anything coming from user input. You should type-cast to integer to be safe and minimize risk of SQL injection:

PHP Code:
$id = (int)$this->uri->segment(2); 
CodeIgniter 4 tutorials (EN/FR) - https://includebeer.com
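
The parse_url() behaviour described in reply #3 and the segment handling discussed in replies #4 and #5, as an added example that is not code from any post in this thread or from CodeIgniter. It is stand-alone PHP: uri_segment() and strict_event_id() are hypothetical helpers, with uri_segment() standing in for $this->uri->segment(), and the URL list reuses the thread's example URLs.

```php
<?php
// Added example: runs without CodeIgniter.
// uri_segment() is a hypothetical stand-in for $this->uri->segment().
function uri_segment(string $url, int $n): ?string
{
    // Only the path component is used; a "#fragment" is never part of it.
    $path     = (string) parse_url($url, PHP_URL_PATH);
    $segments = explode('/', trim($path, '/'));
    $value    = $segments[$n - 1] ?? null;
    return ($value === null || $value === '') ? null : $value;
}

// Hypothetical validator: returns a positive integer id, or null when the
// segment is missing or is anything other than a short run of ASCII digits.
function strict_event_id(?string $segment): ?int
{
    if ($segment === null || !ctype_digit($segment) || strlen($segment) > 9) {
        return null; // in a controller, this is where show_404() would be called
    }
    $id = (int) $segment;
    return $id > 0 ? $id : null;
}

// URLs taken from the thread.
$urls = [
    'http://example.com/event/32',
    'http://example.com/event/asd',
    'http://example.com/event/+34',
    'http://example.com/event/#',
];

foreach ($urls as $url) {
    $seg = uri_segment($url, 2);
    printf("%-30s segment=%-6s (int)=%-3d strict=%s\n",
        $url, var_export($seg, true), (int) $seg, var_export(strict_event_id($seg), true));
}

// The raw value reported in post #4, checked directly (constructed input).
printf("%-30s segment=%-6s (int)=%-3d strict=%s\n",
    "raw segment '#'", "'#'", (int) '#', var_export(strict_event_id('#'), true));
```

The cast column shows what a bare (int) produces for each input (0 for 'asd', '#' and a missing segment, 34 for '+34'), while the strict column shows which requests can be rejected before any query is built.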