Passing non-alphanumeric characters as parameters to a function in a Controller
#1

[eluser]aidehua[/eluser]
Hi

I have a function called CheckUsernameExists($username) within a Controller class called Ajax.

Normally it works fine - called from a URI like this:

/ajax/checkusernameexists/johndoe
or
/ajax/checkusernameexists/janedoe

it correctly checks whether johndoe or janedoe exist.

But the $username comes from user input. If you enter non-alphanumeric characters (e.g. "john;,)doe"), the function breaks, with the error message "The URI you submitted has disallowed characters".

The URI is actually called by a JavaScript/Ajax function, so I have tried to escape the username in the JavaScript, like this

Code:
var user = document.getElementById('username').value;
if (user != '') {
    user = escape(user); // <-- ** ESCAPE USERNAME HERE
    ajaxRequest.open("GET", "<?= base_url() ?>ajax/checkusernameexists/" + user, true);
    ajaxRequest.send(null);
}

but when non-alphanumeric characters are entered, I still see the error "An Error Was Encountered. The URI you submitted has disallowed characters."

I tried adding alert(user) just to check it was escaping correctly - and it seems to be. For example, if I enter 'john;;doe', it escapes in the JavaScript correctly to 'john;;doe'. But I still get the error - even though % is a permitted URI character in my config.php file.

I'm really stuck on this, and I can't find the answer anywhere. But people must have to deal with this issue all the time. Any clues on how to solve it?

Thanks,

Ed
#2

[eluser]aidehua[/eluser]
I figured it out, I think.

I changed the Ajax open method from GET to POST, so I now send the username, with or without non-alphanumeric characters, in the POST parameters. Then I can clean it up on the server without worrying about using client-side JavaScript to make it URI-compliant.

Here's the JavaScript I ended up with:

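Code:
var user = document.getElementById('username').value;
if (user != '') {
    var url = "<?= base_url() ?>ajax/checkusernameexists/";
    // Percent-encode the value so characters such as & = + % survive
    // application/x-www-form-urlencoded parsing on the server
    var parameters = "user=" + encodeURIComponent(user);
    ajaxRequest.open("POST", url, true);
    ajaxRequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // send() may be called only once per open(); the body carries the parameters
    ajaxRequest.send(parameters);
}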

Seems to work fine. Obvious, really, once you think of it.
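
Added example, not part of the thread: what a form-urlencoded parser recovers from a POST body when the username is concatenated raw, passed through escape(), or passed through encodeURIComponent(). The helper names and sample usernames are constructed for illustration, and URLSearchParams stands in for the server-side parser.

```javascript
// Added example (not from the thread); helper names are hypothetical.

// Body built by plain concatenation: the raw value goes in unencoded.
function rawBody(user) {
  return "user=" + user;
}

// Body built with the legacy escape(): leaves "+" alone and emits
// Latin-1 style %XX for non-ASCII characters instead of UTF-8.
function legacyBody(user) {
  return "user=" + escape(user);
}

// Body with the value percent-encoded as UTF-8 for form-urlencoded data.
function encodedBody(user) {
  return "user=" + encodeURIComponent(user);
}

// What an application/x-www-form-urlencoded parser recovers from a body.
function parseBody(body) {
  const out = {};
  for (const [key, value] of new URLSearchParams(body)) {
    out[key] = value;
  }
  return out;
}

// Run one username through all three encodings and parse each result.
function compare(user) {
  return {
    input: user,
    raw: parseBody(rawBody(user)),
    legacy: parseBody(legacyBody(user)),
    encoded: parseBody(encodedBody(user)),
  };
}

// Constructed sample usernames, including the one from the first post.
const samples = ["john;,)doe", "tom&jerry", "a+b", "jos\u00e9"];

for (const s of samples) {
  console.log(JSON.stringify(compare(s)));
}
```

Only the encodeURIComponent() form returns every sample unchanged; the server still has to validate the decoded username before using it.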



