
Code Igniter: allowing apostrophe in URI's while depending on Query Bindings for safety

Developer https://www.devze.com 2023-03-13 13:09 Source: Internet

I've been figuring out how to let apostrophes cross URIs.

I'm building a site that allows users to "create photo albums". I have a link that, when clicked, will load and display all the contents of a certain album. I'm using CodeIgniter, so this page is called this way:

http://www.fourthdraft.com/index.php/admin/manageAlbumContents/dan's/91

  - admin = controller
  - managealbums = function
  - dan's (album name) = variable

As you know, CodeIgniter does not allow apostrophes (') in URIs. My problems are:

  1. If I htmlspecialchars/htmlentities the album name, it becomes &#xx; and those new characters are also not allowed.
  2. If I urlencode it, it becomes %xx. Percent is allowed, but CodeIgniter urldecodes it before processing, so it just reverts back to an apostrophe.
  3. I've tried making my own preg_replace (' => '~apos~'), but I just find it inefficient, too many lines to run, and tedious since I have an 80% done website and the strings I have to replace are everywhere.
  4. I've also considered using base64_encode. It takes more space but it does the job. Then again, the encoded version contains '=', which is also disallowed.

As much as possible I do not want to just add the apostrophe to the allowed characters list in CodeIgniter's config file. I believe they don't have it there for a reason. At the same time, I'm running out of options. The reason for wanting to allow apostrophes is because in this context, it's bound to be used. For example, what if someone decided to put 'dan's birthday party' as an album name? It's bound to happen, and I'm pretty sure my users would complain. Even if I manage to convince them otherwise, what will I replace that with? dan_s birthday party? Looks wrong. Also, if Facebook can do it, I should too. At the very least, if Facebook did it, then that means there's a way.

If you guys have any suggestions, fire away. Otherwise I'm wondering if it's OK (and safe) to just allow the apostrophe in the allowed URI characters. I know it's VERY dangerous for MySQL, which I use a lot, but I just remembered CodeIgniter's query binding variables automatically escape characters. I'm wondering if that would suffice and keep me safe.

Otherwise, please please please give me a good idea. I'm drained out.


I like to believe that the days of mysql_query("SELECT * FROM table WHERE x={$_GET['val']}") are over. That being said, it's OK with any decent database library as long as you use parameter binding. So go ahead and use urlencode.

0
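The round trip the question describes in problem 2 and the binding advice in the answer, as an added PHP example (not code from the question, the answer, or the CodeIgniter project). It encodes an album name with rawurlencode(), applies a permitted-character check written here to mirror the shape of CodeIgniter's default `permitted_uri_chars` list (an assumption, not copied from the framework), urldecodes the segment the way the question says the router does, and then looks the album up two ways against an in-memory SQLite table via PDO, standing in for CodeIgniter's database driver: once with a bound parameter, once with the name spliced into the SQL text.

```php
<?php
// Added example: apostrophe in a URI segment, CodeIgniter-style permitted-char
// check, and why parameter binding keeps that apostrophe harmless in SQL.
// PDO + SQLite stand in for CodeIgniter's DB layer; the regex is an assumption
// modelled on CI's default list 'a-z 0-9~%.:_\-', not the framework's own code.
declare(strict_types=1);

const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-'; // assumed default list

/** True when every character of the segment is in the permitted list. */
function isPermittedSegment(string $segment): bool
{
    return preg_match('/^[' . PERMITTED_URI_CHARS . ']+$/i', $segment) === 1;
}

/** The segment the site would put in the link for an album. */
function albumSegment(string $albumName): string
{
    return rawurlencode($albumName); // "dan's birthday party" -> "dan%27s%20birthday%20party"
}

/** What the router sees after the urldecode the question describes. */
function routerSegment(string $encoded): string
{
    return urldecode($encoded);
}

/** Constructed sample data: two albums in an in-memory SQLite table. */
function makeAlbumDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO albums (name) VALUES (?)');
    foreach (["dan's birthday party", 'holiday 2010'] as $name) {
        $ins->execute([$name]);
    }
    return $db;
}

/** Hardened form: the name travels as a bound value, never as SQL syntax. */
function findAlbumBound(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM albums WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** The pattern the answer warns against: the name is spliced into the SQL text. */
function findAlbumInterpolated(PDO $db, string $name): ?array
{
    $stmt = $db->query("SELECT id, name FROM albums WHERE name = '$name'");
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$name    = "dan's birthday party";
$encoded = albumSegment($name);
$decoded = routerSegment($encoded);

printf("encoded segment:   %s  permitted? %s\n", $encoded, isPermittedSegment($encoded) ? 'yes' : 'no');
printf("after urldecode:   %s  permitted? %s\n", $decoded, isPermittedSegment($decoded) ? 'yes' : 'no');

$db  = makeAlbumDb();
$row = findAlbumBound($db, $decoded);
printf("bound lookup:      %s\n", $row ? "found id {$row['id']}" : 'not found');

try {
    findAlbumInterpolated($db, $decoded);
    echo "interpolated lookup: ran without error\n";
} catch (PDOException $e) {
    // The unescaped apostrophe terminates the string literal early: a syntax
    // error here, and an injection point in general.
    printf("interpolated lookup: SQL error (%s)\n", $e->getMessage());
}
```

Run with `php album_uri.php` (any PHP build with pdo_sqlite). The encoded segment passes the permitted-character check, the decoded one fails it, which is exactly the question's problem 2; the bound lookup finds the album regardless of the apostrophe, while the interpolated query fails as soon as the apostrophe reaches the SQL text. Whatever is done about the URI character list, only the bound form should ever see user-supplied album names.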

Comments

No comments yet...