在 url 中使用 codeigniter 的 base64 编码字符串
我有一个加密的、base64 编码的数组,我需要将其放入 url 中并插入到我们发送给客户端的电子邮件中,以便能够(唯一地)识别它们 - 问题是 base64_encode() 经常在它之后附加一个或两个 = 符号字符串,默认情况下 CI 不允许使用。
这是一个例子: <一href="http://example.com/cec/pay_invoice/VXpkUmJnMWxYRFZWTEZSd0RXZFRaMVZnQWowR2N3TTdEVzR DZGdCbkQycFFaZ0JpQmd4V09RRmdWbkVMYXdZbUJ6OEdZQVJ1QlNJTU9Bb3RWenNFSmxaaFVXcFZaMXQxQXpWV1BR QThVVEPUT0ZFZ0RRbGNabFV6VkNFTlpsTWxWV29DTmdackEzQU5Nd0lpQURNUGNGQS9BRFlHWTFacUFTWldOZ3M5 QmpRSGJBWTlCREVGWkF4V0NtQlhiZ1IzVm1CUk9sVm5XMllEWlZaaEFHeFJZMU51VVdNTmJsdzNWVzlVT0EwZw==" rel="noreferrer">http://example.com/cec/pay_invoice/VXpkUmJnMWxYRFZWTEZSd0RXZFRaMVZnQWowR2N3 TTDEVzRDZGdCbkQycFFaZ0JpQmd4V09RRmdWbkVMYXdZbUJ6OEdZQVJ1QlNJTU9Bb3RWenNFSmxaaFVXcFZaMXQxQXpW V1BRQThVVEpUT0ZFZ0RRbGNabFV6VkNFTlpsTWxWV29DTmdackEzQU5Nd0lpQURNUGNGQS9BRFlHWTFacUFTWldOZ3M5 QmpRSGJBWTlCREVGWkF4V0NtQlhiZ1IzVm1CUk9sVm5XMllEWlZaaEFHeFJZMU51VVdNTmJsdzNWVzlVT0EwZw==
现在我知道我可以在 config.php 中允许 = 符号,但我不完全理解这样做的安全隐患(它一定是出于某种原因而被禁用的,对吗?)
有谁知道为什么这可能是一个坏主意允许在 URL 中使用 = 符号吗?
谢谢! 约翰.
I have an encrypted, base64 encoded array that I need to put into a url and insert into emails we send to clients to enable them to be identified (uniquely) - the problem is that base64_encode() often appends an = symbol or two after it's string of characters, which by default is disallowed by CI.
Now I understand I can allow the = sign in config.php, but I don't fully understand the security implications in doing so (it must have been disabled for a reason right?)
Does anyone know why it might be a bad idea to allow the = symbol in URLs?
Thanks!
John.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
不确定为什么不允许使用
=,但您也可以省略等号。Base64 规范只允许在字符串末尾添加
=符号,并且它们纯粹用作填充,不会丢失数据。编辑:它可能不允许将此作为兼容性选项。从安全角度来看,我无法想到任何原因,但它有可能会扰乱工具链中某处的查询字符串解析。
Not sure why
=is disallowed, but you could also leave off the equals signs.The base64 spec only allows
=signs at the end of the string, and they are used purely as padding, there is no chance of data loss.Edit: It's possible that it doesn't allow this as a compatibility option. There's no reason that I can think of from a security perspective, but there's a possibility that it may mess with query string parsing somewhere in the tool chain.
请将字符“=”添加到 config.php 文件中的 $config['permissed_uri_chars'] 中,您可以在 application/config 文件夹中找到该文件
Please add the character "=" to $config['permitted_uri_chars'] in your config.php file you can find that file at application/config folder
原本该网址中根本不存在任何有害字符。但没有经验丰富的开发人员或编写糟糕的软件可以帮助某些角色变得邪恶。
截至
=- 我没有发现在网址中使用它有任何问题Originally there are no any harmful characters in the url at all. But there are not experienced developers or bad-written software that helps some characters to become evil.
As of
=- I don't see any issues with using it in urls您可以使用本机 php 的 urlencode 和 urldecode 函数,而不是更新配置文件。
Instead of updating config file you can use urlencode and urldecode function of native php.