Permitted URI chars and obtaining a string from URL
#1

[eluser]imperator[/eluser]
I need to obtain a string from URL:
Quote:http://www.example.com/( *. )

This string can contain everything - slashes, html markup, everything. It's a message user generated, so I can't forbid him writing something like:
Quote:Just got home, <tired>. I wonder if I can write "<?php ?>" here . Yay, I can! \\\\\ jupi //////
PS. !@#$%^&*( lol :D

And I would like to send this message as a parameter in a URL, so I do something like this:

Code:
http://www.example.com/<?php echo rawurlencode($string) ?>
or
Code:
http://www.example.com/<?php echo rawurlencode(rawurlencode($string)) ?>

CodeIgniter shows error 404 every time. Only triple rawurlencode works.

The documentation of Permitted URI Chars states:
Quote:Leave blank to allow all characters -- but only if you are insane.
I want to be able to get every string as a parameter. Am I insane?
#2

[eluser]Jan_1[/eluser]
Why do you want to do that? (Are there no better ways for that: POST, session, flash session, DB?)
#3

[eluser]imperator[/eluser]
I have to obtain it from the URL. Can't use any other way.
#4

[eluser]PhilTem[/eluser]
Code:
www.example.com/<?php echo json_encode(array('message' => $message)); ?>

should be nice, I guess.
#5

[eluser]Aken[/eluser]
Lol no, you can't put json in the URL. Your best bet is to encode/hash it into standard alphanumeric characters.

Keep in mind, though, that this is a really bad idea. ESPECIALLY the part about allowing them to enter whatever they want. You're inviting users to do all kinds of hackish things, and giving yourself a ton of work to prevent all of these items. Not to mention that if your user adds a ton of content to the URL, it will be HUGE. The whole thing is just not recommended -- there has to be some other way you can accomplish what you need.
#6

[eluser]imperator[/eluser]
1) What's wrong with allowing users type whatever they want? Is it not what every forum is doing? In forum post we can type anything - html markup, javascript scripts, everything. These data just have to be escaped, that's all, right?

2) What is the difference between sending something by POST or by GET? I can't use POST or anything else, so I'm using GET, but a bad user can send some bad code even through POST, isn't that correct?
#7

[eluser]John Murowaniecki[/eluser]
Imperator, did you try to escape these special characters?

Code:
// using JavaScript you can turn your text into something acceptable like this
// (note: escape() is deprecated; it leaves @ * _ + - . / unencoded and emits
// non-standard %uXXXX sequences for non-ASCII characters such as the curly quotes)
escape('Just got home, <tired>. I wonder if I can write “<?php ?>” here . Yay, I can! \\\\\ jupi //////\nPS. !@#$%^&*( lol :D');
// returns "Just%20got%20home%2C%20%3Ctired%3E.%20I%20wonder%20if%20I%20can%20write%20%u201C%3C%3Fphp%20%3F%3E%u201D%20here%20.%20Yay%2C%20I%20can%21%20%5C%5C%20jupi%20//////%0APS.%20%21@%23%24%25%5E%26*%28%20lol%20%3AD"

[quote author="imperator" date="1361258080"]1) What's wrong with allowing users type whatever they want? Is it not what every forum is doing? In forum post we can type anything - html markup, javascript scripts, everything. These data just have to be escaped, that's all, right?[/quote]
Using POST you can accept any character or encoding (commonly those characters will be translated to some encoding acceptable to the server, like UTF-8, etc.). Users can type anything they want, but web browsers and servers need to follow some standards. You can change the behavior of your browser or server if you really need to. The question is, do you?

[quote author="imperator" date="1361258080"]2) What is the diffrence between sending something by POST or by GET? I can't use POST and anything else, so I'm using GET, but bad user can send some bad code even through POST, isn't that correct?[/quote]
There's a lot of documentation about this:
http://www.w3schools.com/tags/ref_httpmethods.asp
http://blog.teamtreehouse.com/the-defini...et-vs-post
http://www.diffen.com/difference/Get_vs_Post
http://stevenclark.com.au/2008/01/12/get...-beginner/

(:
#8

[eluser]John Murowaniecki[/eluser]
[quote author="imperator" date="1361258080"]bad user can send some bad code[/quote]

There are no bad users or bad code (or information); there is only bad treatment of the information received. If you let the user submit some .PHP file with malicious data, the problem is in how you handle what is submitted to your system.

(:
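Added example (not code from the thread or from CodeIgniter) that puts together Aken's advice in #5 (encode the message into plain alphanumeric characters instead of loosening permitted_uri_chars) and John's point in #8 (the risk lives in how the received data is handled, so escape it on output). It assumes CodeIgniter's default `permitted_uri_chars` of `a-z 0-9~%.:_\-`, matched case-insensitively, a hypothetical route `message/show/<segment>`, and PHP 7.1 or later; base64url is the swapped-in encoding, not something the thread itself proposes. The sample message is the poster's own, embedded as a nowdoc so no escaping of the string literal is needed.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
// Assumptions: default permitted_uri_chars 'a-z 0-9~%.:_\-' (matched
// case-insensitively) and a hypothetical route message/show/<segment>.

function message_to_segment(string $message): string
{
    // Plain base64 emits '+', '/' and '=' padding. '+' and '=' are outside the
    // default permitted set and '/' would split the segment, so use the
    // URL-safe alphabet from RFC 4648 section 5 and drop the padding.
    return rtrim(strtr(base64_encode($message), '+/', '-_'), '=');
}

function segment_to_message(string $segment): ?string
{
    // Only accept the base64url alphabet. Anything else was not produced by
    // message_to_segment() and is rejected before decoding.
    if (!preg_match('/\A[A-Za-z0-9_-]*\z/', $segment)) {
        return null;
    }
    // Strict mode makes base64_decode() return false on malformed input.
    $bytes = base64_decode(strtr($segment, '-_', '+/'), true);
    return $bytes === false ? null : $bytes;
}

function build_url(string $base, string $message): string
{
    return rtrim($base, '/') . '/message/show/' . message_to_segment($message);
}

function render_message(string $segment): string
{
    // What the controller would do with $this->uri->segment(3): decode, then
    // HTML-escape. The '<tired>' and the PHP tag in the message become inert
    // text instead of markup, whatever the user typed.
    $message = segment_to_message($segment);
    if ($message === null) {
        return '<p>Invalid message</p>';
    }
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . nl2br($escaped) . '</p>';
}

// Constructed sample input: the poster's own example message.
$message = <<<'MSG'
Just got home, <tired>. I wonder if I can write "<?php ?>" here . Yay, I can! \\\\\ jupi //////
PS. !@#$%^&*( lol :D
MSG;

$url = build_url('http://www.example.com', $message);
// base64url never contains '/', so the last path component is the segment.
$segment = substr(strrchr($url, '/'), 1);

assert(segment_to_message($segment) === $message);
assert(segment_to_message('not/valid') === null);
assert(strpos(render_message($segment), '<tired>') === false);

echo $url, "\n";
echo render_message($segment), "\n";
```

The segment stays inside the default permitted set, so the double and triple `rawurlencode()` guesswork goes away: there is nothing for the web server or CodeIgniter to percent-decode. The cost is the one Aken warns about in #5: base64 grows the message by about a third, and the request line is still bounded by the server (Apache's `LimitRequestLine` defaults to 8190 bytes), so a long post will not fit no matter how it is encoded. Encoding does nothing for safety on its own; `render_message()` is where the "treatment of the information" happens, and it has to escape every time the decoded bytes are put into HTML.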



