Categories Photography Résumé About Me

Passing Email Addresses in URLs With CodeIgniter

22 Apr 2009

CodeIgniter Logo with PadlockCodeIgniter has some handy security features that sometimes get in the way. One such feature is URI scrubbing for disallowed characters. There are probably more secure ways to tell a script what email address to use than to pass it directly via URI. I'm using this for a simple intranet application to manage email recipients for a UPS & FedEx tracking emailer. So it is not important to cloak the email address being passed. Make sure this method is right for your project before you use it. It can expose email addresses to being indexed by spam bots or intercepted by hackers.

Note</strong>: Ian Huet</a> has provided a great solution using jQuery's AJAX functionality to pass the email in a POST request which bypasses the issue covered in this article entirely. Find it in the comments</a>.</em>

CodeIgniter's URI scrubbing feature is controlled by a configuration value called: permitted_uri_chars</code>. It can be found right around line 126 of the config.php</code> file in your /system/application/config/</code> directory. The default value looks like this:

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';

Now, one might assume by that regular expression that I'd be able to urlencode()</code> any value and pass it to the controller. However CodeIgniter passes all uri segments through urldecode()</code> before attempting to validate them. This prevents any attacker from bypassing the filtering with url encoded strings. It also means that all strings must be url encoded and you need to allow the actual value of the encoded entity. For instance, %20 would become a space, and %40 would become an at (@</code>) symbol. Therefore to allow email addresses to be passed via URI you must add the @</code> symbol to the permitted_uri_chars</code> configuration value.

There is one gotcha to the permitted_uri_chars</code>. That is that the minus or 'dash' character must be either first or last. So when we're adding characters to this configuration be sure that you leave the 'dash' at the end. After adding the @ symbol the value looks like this:

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_@-';
Thats it! Now you can pass url encoded email addresses as a segment in CodeIgniter.

{edit 2009-08-22}</strong> — It has been brought to my attention that periods in values that are passed via URI segment can be improperly converted to underscores under specific conditions. For this to happen, you must be using mod_rewrite and also your RewriteRule directive passes the rewritten segments through the query string. Example:

RewriteRule .*$ /index.php?/$1 [L]

To fix the problem you must edit the configuration value uri_protocol</code>. The default value is 'AUTO'</code>. It must be set to 'QUERY_STRING'</code>. Example:

$config['uri_protocol'] = 'QUERY_STRING';

CodeIgniter is a registered trademark of Ellis Labs, Inc.</a>

Filed under

comments powered by Disqus