URI Routing problem.
#1

[eluser]Leo78[/eluser]
I'm using URI Routing and pagination, so I made this:

Code:
$route['foro/post/(:any)'] = 'foro/sort/post/$1/1';
$route['foro/post/(:any)/([1-9]+)'] = 'foro/sort/post/$1/$2';

IT WORKS WELL.

Code:
www.domain.com/foro/post/hello-friends/
www.domain.com/foro/post/hello-friends/2/

Those examples show how it works.

But I have a security problem, because users can type (and I don't know why) these addresses, for example:

Code:
www.domain.com/foro/post/hello-friends/blabla/
www.domain.com/foro/post/hello-friends/blabla/sdsdd/
www.domain.com/foro/post/hello-friends/2/dfd/aas/
..

This causes an SQL error, and sometimes it even works - address number 3, for example, will show me the same as the address:

Code:
www.domain.com/foro/post/hello-friends/2/

How can I prevent it? I'm sure I can use validation in the controller, but I want to prevent it at the route level.

Thank you.
#2

[eluser]Aken[/eluser]
First, with routes, most specific should be first. So you should put the second one first.

It sounds like you're putting the URI segment directly into your query. NEVER EVER do that without sanitizing it first. Examine the segment(s) and see what's in them, and then verify it against any parameters you need (should this be a number? does this person have access to this?) and go from there.
#3

[eluser]Leo78[/eluser]
[quote author="Aken" date="1338160990"]First, with routes, most specific should be first. So you should put the second one first.

It sounds like you're putting the URI segment directly into your query. NEVER EVER do that without sanitizing it first. Examine the segment(s) and see what's in them, and then verify it against any parameters you need (should this be a number? does this person have access to this?) and go from there.[/quote]

The first segment is a string; I verify it in the controller, so it's OK.
The second segment is a number, and I verify it in the route (as a regular expression, as you can see); don't worry about it, I have already checked it. :-)

Anyway, that's not what I asked. The question is: why can any person add endless segments to the address?
#4

[eluser]Aken[/eluser]
Because you're using (:any). Which means anything. They can add unlimited segments and it will still redirect. If you want to prevent it at the route level, you need to make your routes more specific.

And if you're getting SQL errors, that means you aren't correctly sanitizing data before putting it into your query, so you still need to look into that.
#5

[eluser]Leo78[/eluser]
[quote author="Aken" date="1338162302"]Because you're using (:any). Which means anything. They can add unlimited segments and it will still redirect. If you want to prevent it at the route level, you need to make your routes more specific.

And if you're getting SQL errors, that means you aren't correctly sanitizing data before putting it into your query, so you still need to look into that.[/quote]

Unfortunately I cannot be specific, because it's a title which the user types - the user can type any chars he wants.

What I'm trying to do is that the address will be in this format:

../foro/post/segment-title/
../foro/post/segment-title/segment-number/

If there are more than 3/4 segments (depending on the format), a 404 ERROR will be shown.
That's not what happens now. The situation is that the user can add endless segments, as I said before, and I don't know how to prevent it at the route level. :-\

Thanks for your help!
#6

[eluser]Aken[/eluser]
Try replacing both your routes with this one:

Code:
$route['foro/post/([a-zA-Z0-9\-_+\.]+(?:\/[0-9]+)?)'] = 'foro/post/$1';

The route should work, but you might run into a few bugs you need to fix to work with the route. For instance, it will not default the segment-number to 1 if one doesn't exist. You should do that in the backend yourself. Also, the titles will be limited to letters, numbers, dashes and underscores. It will 404 on anything else, including foreign (or at least my version of foreign, lol) characters such as ó, ñ, etc.
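As an added example (not code from the thread or from CodeIgniter itself): a stand-alone PHP script that mimics how CodeIgniter 2.x's Router turns `$route` keys into anchored regular expressions and rewrites the URI, so you can see why `(:any)` accepts any number of trailing segments and how the tighter pattern above rejects them before the controller is ever called. The `route_to_regex` and `dispatch` helpers are mine, and the sample URIs are constructed from the ones in the question.

```php
<?php
// Added example, not thread code: mimics how CodeIgniter 2.x's Router matches $route keys.
// Wildcard translation done before matching: (:any) -> .+ and (:num) -> [0-9]+
function route_to_regex(string $key): string
{
    $key = str_replace(array(':any', ':num'), array('.+', '[0-9]+'), $key);
    return '#^' . $key . '$#';
}

// Returns the rewritten "controller/method/params" string, or null when no route
// matched. As in CodeIgniter, the FIRST matching route wins, so order matters.
function dispatch(array $routes, string $uri): ?string
{
    $uri = trim($uri, '/');   // CodeIgniter strips leading/trailing slashes
    foreach ($routes as $key => $val) {
        $regex = route_to_regex($key);
        if (preg_match($regex, $uri)) {
            // Back-references ($1, $2) are only substituted when the value has them
            return strpos($val, '$') !== false ? preg_replace($regex, $val, $uri) : $val;
        }
    }
    return null;
}

// The two routes from the question, in the poster's order. Because (:any) becomes .+,
// the first key also matches "title/2/dfd/aas" and hands the extra segments to the controller.
$loose = array(
    'foro/post/(:any)'          => 'foro/sort/post/$1/1',
    'foro/post/(:any)/([1-9]+)' => 'foro/sort/post/$1/$2',
);

// The single anchored route from reply #6: restricted title charset, optional numeric page, nothing after.
$tight = array(
    'foro/post/([a-zA-Z0-9\-_+\.]+(?:\/[0-9]+)?)' => 'foro/post/$1',
);

// Constructed sample URIs, including the malformed ones from the question.
$samples = array(
    'foro/post/hello-friends/',
    'foro/post/hello-friends/2/',
    'foro/post/hello-friends/blabla/',
    'foro/post/hello-friends/2/dfd/aas/',
);

foreach ($samples as $uri) {
    printf("%-36s loose: %-42s tight: %s\n", $uri,
        var_export(dispatch($loose, $uri), true), var_export(dispatch($tight, $uri), true));
}
```

With the loose routes, `foro/post/hello-friends/blabla/` is rewritten to `foro/sort/post/hello-friends/blabla/1` and the controller receives the stray segment as a parameter, which is where the SQL error comes from; with the tight route the same URI matches nothing. Note also that in the poster's order the page-2 URL is caught by the first route and becomes `foro/sort/post/hello-friends/2/1`, which is the ordering problem raised in reply #2.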
#7

[eluser]Leo78[/eluser]
[quote author="Aken" date="1338165082"]Try replacing both your routes with this one:

Code:
$route['foro/post/([a-zA-Z0-9\-_+\.]+(?:\/[0-9]+)?)'] = 'foro/post/$1';

The route should work, but you might run into a few bugs you need to fix to work with the route. For instance, it will not default the segment-number to 1 if one doesn't exist. You should do that in the backend yourself. Also, the titles will be limited to letters, numbers, dashes and underscores. It will 404 on anything else, including foreign (or at least my version of foreign, lol) characters such as ó, ñ, etc.[/quote]

I get it. The problem, as you said, is with the special chars (non-English), but I'll solve it somehow.
Thank you!