CodeIgniter has some handy security features that sometimes get in the way. One such feature is URI scrubbing for disallowed characters. There are probably more secure ways to tell a script what email address to use than to pass it directly via URI. I'm using this for a simple intranet application to manage email recipients for a UPS & FedEx tracking emailer. So it is not important to cloak the email address being passed. Make sure this method is right for your project before you use it. It can expose email addresses to being indexed by spam bots or intercepted by hackers.
Note: Ian Huet has provided a great solution using jQuery's AJAX functionality to pass the email in a POST request which bypasses the issue covered in this article entirely. Find it in the comments.
CodeIgniter's URI scrubbing feature is controlled by a configuration value called permitted_uri_chars. It can be found right around line 126 of the config.php file in your /system/application/config/ directory. The default value looks like this:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
Now, one might assume from that regular expression that I'd be able to urlencode() any value and pass it to the controller. However, CodeIgniter passes all URI segments through urldecode() before attempting to validate them. This prevents any attacker from bypassing the filtering with URL-encoded strings. It also means that all strings must be URL encoded, and the permitted list must include the actual (decoded) character that each encoded entity stands for. For instance, %20 would become a space, and %40 would become an at (@) symbol. Therefore, to allow email addresses to be passed via URI you must add the @ symbol to the permitted_uri_chars configuration value.
There is one gotcha with permitted_uri_chars: the minus or 'dash' character must be either first or last, because anywhere else in a regular-expression character class it defines a range between its neighbours. So when adding characters to this configuration value, be sure to leave the dash at the end. After adding the @ symbol the value looks like this:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_@-';
That's it! Now you can pass URL-encoded email addresses as a segment in CodeIgniter.
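The decode-then-validate behaviour and the dash gotcha described above, as an added example that is not CodeIgniter's own code. uri_segment_allowed() is a hypothetical helper that models the check in simplified form, and the sample segments are constructed.

```php
<?php
// Added example: a simplified model of the check described in this article,
// not CodeIgniter's source. uri_segment_allowed() is a hypothetical name.
function uri_segment_allowed(string $rawSegment, string $permitted): bool
{
    // Decode first, so "%40" is judged as "@" and an encoded character
    // cannot slip past the whitelist.
    $decoded = urldecode($rawSegment);

    // The configured value becomes the body of a character class.
    // The @ operator silences the compile warning, so a malformed class
    // is simply reported as "not allowed".
    $result = @preg_match('|^[' . $permitted . ']+$|i', $decoded);

    return $result === 1;
}

$configs = [
    'default'        => 'a-z 0-9~%.:_-',
    'with @'         => 'a-z 0-9~%.:_@-',
    // Dash no longer last: "_-@" is read as a range, and an invalid one.
    'dash in middle' => 'a-z 0-9~%.:_-@',
];

// Constructed sample segments.
$segments = [
    'user%40example.com',  // URL-encoded email address
    'name%3Cb',            // URL-encoded "<", which is in none of the lists
];

foreach ($configs as $label => $chars) {
    foreach ($segments as $segment) {
        $verdict = uri_segment_allowed($segment, $chars) ? 'allowed' : 'rejected';
        printf("%-15s %-20s %s\n", $label, $segment, $verdict);
    }
}
```

Only the value with the dash kept last accepts the encoded email address; the encoded "<" is rejected by every list, and the misplaced dash makes the pattern invalid so nothing validates.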
{edit 2009-08-22}: It has been brought to my attention that periods in values that are passed via URI segment can be improperly converted to underscores under specific conditions. For this to happen, you must be using mod_rewrite, and your RewriteRule directive must pass the rewritten segments through the query string. Example:
RewriteRule ^(.*)$ /index.php?/$1 [L]
To fix the problem you must edit the configuration value uri_protocol. The default value is 'AUTO'. It must be set to 'QUERY_STRING'. Example:
$config['uri_protocol'] = 'QUERY_STRING';
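Why the periods turn into underscores, as an added example that is not part of the original post or of CodeIgniter. It assumes the 'AUTO' detection takes the segment from PHP's parsed query parameters; the helper names and the /tracking/notify/ path are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not CodeIgniter code.
// Constructed sample: the query string left after the RewriteRule turns
// /tracking/notify/test.test%40gmail.com into
// /index.php?/tracking/notify/test.test%40gmail.com
$queryString = '/tracking/notify/test.test%40gmail.com';

// Path 1: take the URI from the parsed query parameters.
// parse_str() applies the same name handling PHP uses to fill $_GET.
// With no "=" present, the whole path is a parameter *name*, and PHP
// replaces dots in parameter names with underscores.
function segment_from_get_key(string $queryString): string
{
    parse_str($queryString, $params);
    return (string) array_key_first($params);
}

// Path 2: take the URI from the raw query string, which is what
// $config['uri_protocol'] = 'QUERY_STRING' asks for. Nothing is renamed.
function segment_from_query_string(string $queryString): string
{
    return urldecode($queryString);
}

// Report whether the two ways of reading the URI disagree for a request.
function uri_is_mangled(string $queryString): bool
{
    return segment_from_get_key($queryString)
        !== segment_from_query_string($queryString);
}

printf("parsed key : %s\n", segment_from_get_key($queryString));
printf("raw string : %s\n", segment_from_query_string($queryString));
printf("mangled    : %s\n", uri_is_mangled($queryString) ? 'yes' : 'no');
```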
CodeIgniter is a registered trademark of Ellis Labs, Inc.
Comments
MVCForge - News for MVC Web Developers 2009-04-22 17:33:29 -0400
Story added... Your story was featured in MVCForge - News for MVC Web Developers! Here is the link to vote it up and promote it: http://mvcforge.com/codeigniter/Passing-Email-Addresses-in-URLs-With-CodeIgniter...
Ress 2009-08-11 22:09:17 -0400
Hi Stephen, Thanks for the tutorial. I can finally get the email passed to the URL. But I still have a problem. The server modified the email passed via URL and it is really confusing me. ex: test.test@gmail.com turns into test_test@gmail_com. Is there any setting in the config or the URL helper? Thanks.
Pierce 2009-08-18 04:44:53 -0400
I just wanted you to know, I randomly found this page through Mr. Google, after seeking this answer for 20 minutes. You made it SO easy. Thank you :) Literally a lifesaver. Saved me literally an hour. Pierce
Stephen 2009-08-18 15:39:21 -0400
@Ress Without further information about your code, I'm afraid I cannot help you diagnose the problem. @Pierce I'm glad that the information was helpful to you. :)
Liam 2009-08-20 14:25:55 -0400
@Ress I also just had this problem... Can't find where CI is changing dots to underscores...
Stephen 2009-08-20 16:35:33 -0400
@Liam, @Ress What version of CodeIgniter are you using? Are you using any add-on libraries, helpers, etc.? What type of environment are you running CI in? I have done some pretty extensive testing and I cannot reproduce the problems you're having. Can you email me some code so I can help you figure this out? sholsinger@gmail.com
Stephen 2009-08-22 12:37:56 -0400
@Liam, @Ress, See the edit in the post above for instructions on fixing the underscores issue.
Din 2010-02-16 11:07:55 -0500
Echoing @Pierce. Thank you so much!
Ian Huet 2010-04-08 08:46:22 -0400
Looking for a solution to this problem, which I was trying to complete via jQuery Ajax, it dawned on me that the entire problem could be side-stepped. Rather than passing the email within the URL I passed it via an Ajax POST request i.e.
Stephen 2010-04-08 09:13:53 -0400
Great idea, Ian. Thanks for posting it here.