[El Forum]

[eluser]adrian westlake[/eluser]
I am working with another company to exhange data by firing off URLS passing in information in the query string (or segments in CI of course). They are encoding the query string so that characters like ampersands etc can be passed accross safely. However, on testing I found that if I pass something like

Code:

http://localhost/admin/test/this&26that

My browser displays

Code:

The URI you submitted has disallowed characters

Why is this happening? Surely the urldecode() method is being passed somewhere to decode this, so why is it unsafe to pass these characters around encoded?


Adrian

[El Forum]

[eluser]adrian westlake[/eluser]
Of course I meant I was trying to pass

&

(ampersand) not &26

[El Forum]

[eluser]marcoss[/eluser]
You change this in the config file,

Code:

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';

but as it reads in that file,

| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!

[El Forum]

[eluser]adrian westlake[/eluser]
OK, well we only need to allow this for one script which passess data from an SMS company to my company. The data (filename, text message, date, and some other parameters) is then put into a database, and the image/video texted in is then copied accross from their servers to ours. So I don't think that this would cause too many problems, especially if I had a password as one of the parameters, which would add a layer of securtity.

Is it possible to bypass the permitted character check, just for one controller/function?

If not, my solutions would be:

1) Use traditional query strings, but I guess if I use it for this I need to use throughout the application, which is not ideal.

2) Use another method of encoding which would work both ends.

The characters in the parameters could be anything in a text message, which includes all common symbols.

Any thought on how this could be resolved, I would be grateful.

Adrian

[El Forum]

[eluser]adrian westlake[/eluser]
Actually, it seems that you can use traditional query strings for some controllers, and segments for others, so I think this is the best solution. It will allow me to pass the data accross allowing all characters, for the purposes of this administration script, but the public facing site can still use the segments.