permitted_uri_chars question
#1

[eluser]chrisco23[/eluser]
Hello,

I have a section on one of my sites where a user can create a URL to their profile, kind of like myspace does with "myspace.com/myname".

Over time someone wanted to use a "+" and someone else wanted to use an "@", and I went ahead and added these to the uri_permitted_chars. If someone knows of a security issue with that, please let me know!

But today someone wanted to use a "'" (single-quote aka apostrophe) and it is disallowed but my validation routine didn't catch it. I'm not going to add the single-quote because that sounds like it's asking for some kind of SQL injection.

Can anyone suggest the best way to handle what I should say on the form and what routine I should invoke in validation to catch and prevent the disallowed characters? I guess some kind of ereg should do it, right?


Thanks,
Chris
#2

[eluser]Scott Severance[/eluser]
The easiest thing would be to use a regex to check against a list of allowed characters. Something like this might do the trick:
Code:
$re = '^[a-zA-Z0-9.,+_~@-]*$';

If you properly escape all your data (CI's database functions do this), then I don't think that SQL injection is possible. If you dump URL data to the page, be sure to filter it so that someone can't insert a tag. I do a case-insensitive search for '<script' and send an appropriate HTTP error if it's found (something like 404 Not Found, 403 Forbidden, or 400 Bad Request).

The other consideration when it comes to valid URLs is if you're using characters that are allowed in URLs. I'm not sure what those are, but a single quote might cause problems. But, probably it won't.
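
The allowlist check discussed in this thread as a plain PHP function, given as an added example that is not code from either poster or from CodeIgniter. The names `slug_error` and `SLUG_CHARS` and the 1 to 32 length limit are assumptions.

```php
<?php
// Added example: names and the 1-32 length limit are assumptions.
const SLUG_CHARS = 'a-zA-Z0-9.,+_~@-';   // same allowlist as the regex above

/**
 * Return null when $slug is acceptable, otherwise a message for the form.
 * \A...\z anchor the whole string (a bare "$" would accept a trailing
 * newline) and {1,32} rejects the empty string, which "*" would accept.
 */
function slug_error(string $slug): ?string
{
    if (preg_match('/\A[' . SLUG_CHARS . ']{1,32}\z/', $slug) === 1) {
        return null;
    }
    // Collect the distinct offending characters so the message can name them.
    $found = preg_match_all('/[^' . SLUG_CHARS . ']/u', $slug, $m);
    if ($found === false) {
        return 'Profile name is not valid UTF-8.';
    }
    if ($found === 0) {
        return 'Profile name must be 1 to 32 characters long.';
    }
    return 'Characters not allowed: ' . json_encode(array_values(array_unique($m[0])));
}

// Constructed sample inputs, not taken from the thread.
$samples = ['chris+co', 'me@home', "o'brien", '<script>x', "name\n", ''];
foreach ($samples as $slug) {
    $error = slug_error($slug);
    // Escape on output so a rejected value cannot inject markup if echoed
    // back into the form page.
    printf(
        "%s => %s\n",
        htmlspecialchars(json_encode($slug), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($error ?? 'ok', ENT_QUOTES, 'UTF-8')
    );
}
```

The first two samples pass; the apostrophe, the angle brackets, the trailing newline and the empty string are each rejected with a message that names the problem.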



