rami reddy

Reputation: 21

codeigniter disallowed characters error

If I try to access this URL, http://localhost/common/news/33/+%E0%B0%95%E0%B1%87%E0%B0%B8.html, it shows "An Error Was Encountered: The URI you submitted has disallowed characters." I set $config['permitted_uri_chars'] = 'a-z 0-9~%.:??_=+-?'; What should I do?

Upvotes: 2

Views: 6511

Answers (4)

Souvik

Reputation: 1017

I had a similar problem and wanted to share the solution. It was for a password reset, and I had to send the username and time, as the URL will be active for an hour only. CodeIgniter will not accept certain characters in URLs for security reasons, and I did not want to change that. So here is what I did:

  • concatenate the user name, '__' and time() into a variable $str
  • encrypt $str using MCRYPT_BLOWFISH; the result may contain '/' and '+'
  • re-encrypt using str2hex (got it from here)
  • put the encoded string as the 3rd argument in the link sent by email, like http://xyz.com/users/resetpassword/3123213213ABCDEF238746238469898 - you can see that the URL contains only 0-9 and A-Z.
  • When the link from the email is clicked, get the 3rd URI segment, use hex2str() to get back the Blowfish-encrypted string, and then apply Blowfish decrypt to get the original string.
  • split on '__' to get the user name and time

I know that it's almost a year since this question was asked, but I am hoping that someone will find this solution helpful after coming here via Google.

Upvotes: 1
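As an added illustration of the procedure in the answer above (example code written for this page, not Souvik's code): the same concatenate, protect, hex-encode, hex-decode, split flow in Python. Python's standard library has no Blowfish, so the "encrypt" step is swapped for an HMAC-SHA256 tag over the payload; that hides nothing (the user name is readable once hex-decoded) but, unlike an unauthenticated Blowfish ciphertext, a token whose user name or timestamp has been altered is rejected. The key and the user name are constructed test values; the one-hour lifetime follows the answer.

```python
import hashlib
import hmac
import time

TOKEN_TTL = 3600          # the answer's one-hour window, in seconds
MAC_LEN = hashlib.sha256().digest_size

# Constructed test value; a real deployment keeps the key out of the source.
KEY = b"constructed-demo-key-not-for-production"


def make_token(username: str, key: bytes, now: int) -> str:
    """Steps 1-3 of the answer: user name + '__' + time, protect it, hex-encode it.

    Blowfish is replaced by an HMAC tag (an assumption of this example, not the
    answer's method): the payload stays readable after hex-decoding, but neither
    the user name nor the timestamp can be altered without the key.
    """
    payload = f"{username}__{now}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (payload + tag).hex()          # the str2hex step: only 0-9 and a-f


def parse_token(token: str, key: bytes, now: int):
    """Steps 5-6: hex-decode the URI segment, verify, split on '__', check the hour.

    Returns the user name, or None for anything malformed, tampered with,
    signed with another key, or older than TOKEN_TTL.
    """
    try:
        raw = bytes.fromhex(token)        # the hex2str step
    except ValueError:
        return None
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if len(tag) != MAC_LEN:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    # rpartition splits on the last '__', so a user name containing '__' still works
    username, sep, stamp = payload.decode("utf-8", "replace").rpartition("__")
    if not sep or not stamp.isdigit():
        return None
    issued = int(stamp)
    if issued > now or now - issued > TOKEN_TTL:
        return None
    return username


if __name__ == "__main__":
    issued = int(time.time())
    token = make_token("rami", KEY, issued)
    print("http://xyz.com/users/resetpassword/" + token)
    print(parse_token(token, KEY, issued + 1800))   # 'rami'
    print(parse_token(token, KEY, issued + 3601))   # None: expired
```

The token is lowercase hex, so it passes CodeIgniter's default permitted_uri_chars untouched. Because the tag covers the timestamp, the one-hour check cannot be extended by editing the link.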

tpae

Reputation: 6346

I would NOT suggest trying to decode them or using any other tricks; instead, I would suggest using the urlencode() and urldecode() functions.

Since I don't have a copy of your code, I can't add examples; if you could provide some, I can show you an example of how to do it.

However, it's pretty straightforward to use, and it's built into PHP 4 and PHP 5.

Upvotes: 1

bobince

Reputation: 536359

Yeah, if you want to allow non-ASCII bytes you would have to add them to permitted_uri_chars. This feature operates on URL-decoded strings (normally, unless there is something unusual about the environment), so you have to put the verbatim bytes you want in the string and not merely % and the hex digits. (Yes, I said bytes: _filter_uri doesn't use Unicode regex, so you can't use a Unicode range.)

Trying to filter incoming values (instead of encoding outgoing ones) is a ludicrously basic error that it is depressing to find in a popular framework. You can turn this misguided feature off by setting permitted_uri_chars to an empty string, or maybe you would like a range of all bytes except for control codes ("\x20-\xFF"). Unfortunately the _filter_uri function still does crazy, crazy, broken things with some input, HTML-encoding some punctuation on the way in for some unknown bizarre reason. And you don't get to turn this off.

This, along with the broken “anti-XSS” mangler, makes me believe the CodeIgniter team have quite a poor understanding of how string escaping and security issues actually work. I would not trust anything they say on security ever.

Upvotes: 3
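An added example, written for this page and not CodeIgniter's own code, that reproduces the check bobince describes so it can be run against the URL in the question: a byte-oriented, case-insensitive character class built from permitted_uri_chars (regex-quoted except for '-', as CodeIgniter does) is matched against each URL-decoded path segment, and the entity rewriting of $, ( and ) that follows is mirrored from the 2.x _filter_uri(). The permitted set is the question's config with the two characters the page shows only as '?' dropped, and the Telugu bytes are the decoded form of the question's %E0%B0%95%E0%B1%87%E0%B0%B8.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample input: the URL from the question, and the permitted set
# from the question's config minus the characters the page shows only as '?'.
QUESTION_URL = "http://localhost/common/news/33/+%E0%B0%95%E0%B1%87%E0%B0%B8.html"
QUESTION_PERMITTED = b"a-z 0-9~%.:_=+-"
# The decoded bytes of the question's Telugu text (from its %-escapes).
TELUGU_BYTES = bytes.fromhex("e0b095e0b187e0b0b8")
# bobince's alternative: every byte except the control codes.
ALL_PRINTABLE_BYTES = b"\x20-\xff"

ERROR = "The URI you submitted has disallowed characters."


def permitted_to_regex(permitted: bytes):
    # CodeIgniter preg_quote()s the config value and then un-escapes '-' so that
    # ranges such as a-z keep working, and matches case-insensitively. A bytes
    # pattern behaves like PCRE without the /u modifier: each non-ASCII byte of a
    # UTF-8 sequence is a separate "character" and must itself be in the class,
    # which is why a Unicode range cannot be written here.
    quoted = re.escape(permitted).replace(b"\\-", b"-")
    return re.compile(b"^[" + quoted + b"]+$", re.IGNORECASE)


def filter_uri(segment: bytes, permitted: bytes) -> bytes:
    # Re-implementation of the CodeIgniter 2.x _filter_uri() behaviour that
    # bobince describes; written for this example, not the framework's code.
    if segment and permitted and not permitted_to_regex(permitted).match(segment):
        raise ValueError(ERROR)
    # The part that cannot be switched off: a few characters are rewritten to
    # HTML entities on the way in, whatever permitted_uri_chars says.
    for bad, good in ((b"$", b"&#36;"), (b"(", b"&#40;"), (b")", b"&#41;"),
                      (b"%28", b"&#40;"), (b"%29", b"&#41;")):
        segment = segment.replace(bad, good)
    return segment


def uri_segments(url: str) -> list:
    # The filter sees the URL-decoded path, so it inspects the raw UTF-8 bytes
    # of the Telugu text, not the '%E0%B0...' escapes. unquote_to_bytes() leaves
    # '+' alone, as a path decoder should (this is not a query string).
    path = urlsplit(url).path
    return [unquote_to_bytes(s) for s in path.split("/") if s]


def uri_allowed(url: str, permitted: bytes) -> bool:
    # True if every segment of the path survives the check.
    try:
        for seg in uri_segments(url):
            filter_uri(seg, permitted)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(uri_segments(QUESTION_URL))
    print(uri_allowed(QUESTION_URL, QUESTION_PERMITTED))                  # False
    print(uri_allowed(QUESTION_URL, QUESTION_PERMITTED + TELUGU_BYTES))   # True
    print(uri_allowed(QUESTION_URL, ALL_PRINTABLE_BYTES))                 # True
    print(filter_uri(b"news(33)$", ALL_PRINTABLE_BYTES))                  # mangled
```

Against the question's setting the Telugu segment fails on its first byte, 0xE0; it passes once either the \x20-\xFF range or the nine raw UTF-8 bytes are appended to the permitted set, and an empty setting skips the match entirely, which is what the config comment Repox quotes means by "allow all characters". The entity rewriting of $, ( and ) runs in every case, including the empty setting.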

Repox

Reputation: 15476

What to do? Stop using Unicode characters in a URL - for the same reasons you shouldn't name files on a filesystem with Unicode characters.

But, if you really need it, I'll copy/paste some lines from the config:

Leave blank to allow all characters -- but only if you are insane.

Upvotes: 1
