Code Igniter:允许在 URI 中使用撇号,同时依赖于查询绑定以确保安全
我一直在研究如何让撇号跨越 URI。
我正在建立一个允许用户“创建相册”的网站。我有一个链接,单击该链接后,它将加载并显示某个专辑的所有内容。我正在使用 codeigniter,因此此页面的调用方式如下:
http://www.fourthdraft.com/index.php/admin/manageAlbumContents/dan's/91
admin = control 管理专辑=功能 dan's (专辑名称) = 变量
如您所知,codeigniter 不允许在 uri 中使用撇号(')。我的问题是:
- 如果我 htmlspecialchars/htmlentities 专辑名称变成 &#xx; 那些新角色也不 允许
- 如果我进行 url 编码,它会变成 %xx。允许百分比,但 codeigniter 在处理之前对其进行 url 解码 它只是恢复为撇号
- 我尝试制作自己的 preg_replace ( ' => '~apos~' ) 但我 就是觉得效率低,太多了 自从我开始运行以来,线路很乏味 网站已完成 80%,并且 我必须替换的字符串是 到处。
- 我也考虑过使用base64_encode。需要更多空间 但它确实有效。话又说回来, 编码版本包含“=” 也是不允许
的 我不想只在 codeigniter 的配置文件的允许字符列表中添加撇号。我相信他们没有它是有原因的。与此同时,我已经没有选择了。 想要允许撇号的原因是因为在这种情况下,它必然会被使用。例如,如果有人决定将“dan 的生日派对”作为专辑名称怎么办?这必然会发生。我很确定我的用户会抱怨。即使我设法说服他们,我会用什么来代替呢?丹_的生日聚会?看起来不对。另外,如果 Facebook 能做到,我也应该这么做。至少,如果Facebook做到了,那就意味着有办法。
如果你们有任何建议,请走开。否则我想知道在允许的 URI 字符中只允许撇号是否可以(并且安全)。我知道这对于我经常使用的 mysql 来说非常危险,但我只记得 codeigniter 的查询绑定变量会自动转义字符。我想知道这是否足以保证我的安全。
否则,请给我一个好主意。我已经筋疲力尽了
I've been figuring out how to let apostrophe's cross URI's.
I'm building a site that allows users to "create photo albums". I have a link that when clicked, it will load and display all the contents of a certain album. I'm using codeigniter so this page is called this way:
http://www.fourthdraft.com/index.php/admin/manageAlbumContents/dan's/91
admin = controller
managealbums = function
dan's (album name) = variable
As you know, codeigniter does not allow apostrophe(') in uri's. My problems are:
- If I htmlspecialchars/htmlentities
the album name it becomes &#xx;
Those new characters also not
allowed - If I url encode it becomes %xx. percent is allowed but codeigniter
urldecodes it before processing so
it just reverts back to apostrophe - I've tried making my own preg_replace ( ' => '~apos~' ) but i
just find it inefficient, too much
lines to run and tedious since I
have an 80% done website and the
strings I have to replace are
everywhere. - I've also considered using base64_encode. It takes more space
but it does the job. Then again, the
encoded version contains '=' which
is also disallowed
As much as possible I do not want to just add apostrophe in the allowed characters list in codeigniter's config file. I believe they don't have it there for a reason. At the same time, I'm running out of options.
The reason for wanting to allow apostrophe's is because in this context, it's bound to be used. For example, what if someone decided to put 'dan's birthday party' as an album name? It's bound to happen. and i'm pretty sure my users would complain. Even if I manage to convince them otherwise, what will i replace that with? dan_s birthday party? looks wrong. Also, if facebook can do it I should too. At the very least, if facebook did it, then that means there's a way.
If you guys have any suggestions, fire away. Otherwise I'm wondering if it's ok (and safe) to just allow apostrophe in the allowed URI characters. I know it's VERY dangerous for mysql which i use a lot but I just remembered codeigniter's query binding variables automatically escapes characters. I'm wondering if that would suffice and keep me safe.
Otherwise, please please please give me a good idea. I'm drained out
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我愿意相信
mysql_query("SELECT * FROM table WHERE x={$_GET['val']}")的日子已经结束了。话虽这么说,只要使用参数绑定,任何像样的数据库库都可以。因此,请继续使用urlencode。I like to believe that the days of
mysql_query("SELECT * FROM table WHERE x={$_GET['val']}")are over. That being said, it's OK with any decent database library as long as you use parameter binding. So go ahead and useurlencode.