authoradmin <devnull@localhost>2006-08-27 21:32:02 +0200
committeradmin <devnull@localhost>2006-08-27 21:32:02 +0200
commit1082bddc0c065895a3b39607cb930f5a101f54fb (patch)
tree2c19cb7dcee82642f2a072bf9f432091fda4c8b1
parent0d29605b1e774efd57ffd8f5ccc8eaec1e9ca576 (diff)
-rw-r--r--system/application/config/config.php20
-rw-r--r--system/drivers/DB_mssql.php4
-rw-r--r--system/drivers/DB_mysqli.php4
-rw-r--r--system/libraries/Config.php5
-rw-r--r--system/libraries/Router.php14
-rw-r--r--user_guide/general/changelog.html12
-rw-r--r--user_guide/general/controllers.html2
-rw-r--r--user_guide/general/core_classes.html2
-rw-r--r--user_guide/installation/upgrade_140.html28
9 files changed, 73 insertions, 18 deletions
diff --git a/system/application/config/config.php b/system/application/config/config.php
index c33bda37c..c19fabf44 100644
--- a/system/application/config/config.php
+++ b/system/application/config/config.php
@@ -83,6 +83,26 @@ $config['enable_hooks'] = TRUE;
/*
|--------------------------------------------------------------------------
+| Allowed URL Characters
+|--------------------------------------------------------------------------
+|
+| This lets you specify which characters are permitted within your URLs.
+| When someone tries to submit a URL with disallowed characters they will
+| get a warning message.
+|
+| As a security measure you are STRONGLY encouraged to restrict URLs to
+| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
+|
+| Leave blank to allow all characters -- but only if you are insane.
+|
+| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
+|
+*/
+$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
+
+
+/*
+|--------------------------------------------------------------------------
| Enable Query Strings
|--------------------------------------------------------------------------
|
diff --git a/system/drivers/DB_mssql.php b/system/drivers/DB_mssql.php
index 48d1929e3..f6e672b94 100644
--- a/system/drivers/DB_mssql.php
+++ b/system/drivers/DB_mssql.php
@@ -109,8 +109,8 @@ class CI_DB_mssql extends CI_DB {
*/
function escape_str($str)
{
- // MS SQL doesn't require escaping
- return $str;
+ // Escape single quotes
+ return str_replace("'", "''", $str);
}
// --------------------------------------------------------------------
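Review bot: The new `escape_str()` body on L62 doubles single quotes, which is the right escape for a T-SQL string literal, but the function's contract should state that the result is only safe when the caller embeds it between single quotes — it offers nothing for a value spliced in unquoted (a number, an identifier, an ORDER BY column). Replace the terse comment with something like `// Double single quotes: the only escaping a T-SQL string literal needs. Callers must still wrap the result in '...'; it is not safe in unquoted positions.` The method's docblock (L56 and above) begins outside the hunk, so its @param/@return lines may need the same caveat.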
diff --git a/system/drivers/DB_mysqli.php b/system/drivers/DB_mysqli.php
index 75c01e7f8..fadcdd3c4 100644
--- a/system/drivers/DB_mysqli.php
+++ b/system/drivers/DB_mysqli.php
@@ -88,7 +88,9 @@ class CI_DB_mysqli extends CI_DB {
function execute($sql)
{
$sql = $this->_prep_query($sql);
- return @mysqli_query($this->conn_id, $sql);
+ $result = @mysqli_query($this->conn_id, $sql);
+ mysqli_next_result($this->conn_id);
+ return $result;
}
// --------------------------------------------------------------------
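Review bot: `mysqli_next_result()` on L75 is called unconditionally and its return value is dropped, while the `@` on L74 already hides any error from `mysqli_query()`, so a failed statement and a connection left out of sync look identical to the caller (`$result` is simply FALSE). The changelog entry in this commit says the call is there to prevent lost-connection errors, which suggests it is meant to drain an extra result set (for instance after a stored-procedure CALL); if so, guarding it leaves ordinary single-result queries untouched: `if (mysqli_more_results($this->conn_id)) { mysqli_next_result($this->conn_id); }`. Either way the line needs a why-comment, e.g. `// Consume any additional result set so the connection is not left out of sync for the next query`.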
diff --git a/system/libraries/Config.php b/system/libraries/Config.php
index 85b295796..bd138331f 100644
--- a/system/libraries/Config.php
+++ b/system/libraries/Config.php
@@ -53,7 +53,7 @@ class CI_Config {
*
* @access public
* @param string the config file name
- * @return void
+ * @return boolean if the file was loaded correctly
*/
function load($file = '')
{
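Review bot: The docblock change on L88 promises `boolean if the file was loaded correctly`, yet both returns this commit adds (L96 and L102, in the hunks ending at L98 and L104) are `TRUE` and nothing in view ever returns FALSE; if the lines between the second and third hunk handle a missing or empty `$config` through `show_error()` rather than a return, the value is never FALSE and the doc should say so, e.g. `@return bool TRUE once the file is loaded (or was already loaded); load failures are reported via show_error() and do not return`. That reading is inferred — confirm against the code outside the hunks. Also visible here: `in_array()` on L93 is non-strict and `include_once` on L98 builds the path straight from `$file`, so the method must only ever be called with developer-supplied config names, never with request data; a one-line comment stating that contract would help the next maintainer.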
@@ -61,7 +61,7 @@ class CI_Config {
if (in_array($file, $this->is_loaded))
{
- return;
+ return TRUE;
}
include_once(APPPATH.'config/'.$file.EXT);
@@ -77,6 +77,7 @@ class CI_Config {
unset($config);
log_message('debug', 'Config file loaded: config/'.$file.EXT);
+ return TRUE;
}
// END load()
diff --git a/system/libraries/Router.php b/system/libraries/Router.php
index b28ead953..2219f5739 100644
--- a/system/libraries/Router.php
+++ b/system/libraries/Router.php
@@ -254,12 +254,14 @@ class CI_Router {
*/
function _filter_uri($str)
{
- if ( ! preg_match("/^[a-z0-9~\s\%\.:_-]+$/i", $str))
- {
- exit('The URI you submitted has disallowed characters: '.$str);
- }
-
- return $str;
+ if ($this->config->item('permitted_uri_chars') != '')
+ {
+ if ( ! preg_match("|^[".preg_quote($this->config->item('permitted_uri_chars'))."]+$|i", $str))
+ {
+ exit('The URI you submitted has disallowed characters: '.$str);
+ }
+ }
+ return $str;
}
// END _filter_uri()
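Review bot: `preg_quote()` on L121 escapes the `-` in the configured value, so the default `'a-z 0-9~%.:_-'` becomes the class `[a\-z 0\-9~%\.\:_\-]`, which matches the literal characters a, -, z, 0, 9 and so on but no longer the ranges a–z and 0–9; an ordinary segment such as `welcome` would then hit the `exit()`. Restore the hyphen after quoting and let preg_quote protect the `|` delimiter at the same time: `$chars = str_replace('\-', '-', preg_quote($this->config->item('permitted_uri_chars'), '|'));` followed by `if ( ! preg_match("|^[".$chars."]+$|i", $str))`. Separately, the `exit()` message on L123 still reflects the rejected `$str` back into the response unescaped; a fixed message, or passing it through `htmlspecialchars()`, avoids echoing untrusted input. The whole of `_filter_uri()` is within the hunk.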
diff --git a/user_guide/general/changelog.html b/user_guide/general/changelog.html
index 5d4996795..59a02f862 100644
--- a/user_guide/general/changelog.html
+++ b/user_guide/general/changelog.html
@@ -74,15 +74,19 @@ Change Log
<li>Added the ability to <a href="core_classes.html">replace core system classes</a> with your own classes.</li>
<li>Added support for % character in URL.</li>
<li>Added the ability to supply full URLs using the <dfn>anchor()</dfn> helper function.</li>
-<li>Moved the MIME type array out of the Upload class and into its own file in the applications/comfig/ folder.</li>
+<li>Moved the list of "allowed URI characters" out of the Router class and into the config file.</li>
+<li>Moved the MIME type array out of the Upload class and into its own file in the applications/config/ folder.</li>
<li>Updated the URI Protocol code to allow more options so that URLs will work more reliably in different environments.</li>
<li>Updated the <dfn>form_open()</dfn> helper to allow the GET method to be used.</li>
+<li>Updated the MySQLi <dfn>execute()</dfn> function with some code to help prevent lost connection errors.</li>
+<li>Updated the Models loader function to allow multiple loads of the same model.</li>
+<li>Updated the MS SQL driver so that single quotes are escaped.</li>
<li>Removed a strtolower() call that was changing URL segments to lower case.</li>
<li>Removed some references that were interfering with PHP 4.4.1 compatibility.</li>
<li>Removed backticks from Postgre class since these are not needed.</li>
-<li>Deprecated the hash() function due to a naming conflict with a native PHP function with the same name. Please use dohash() instead.</li>
-<li>Fixed an issue when removing GET variables.</li>
-<li>Fixed <a href="http://www.codeigniter.com/forums/viewthread/773/">this</a> router bug.</li>
+<li>Deprecated the hash() function due to a naming conflict with a native PHP function with the same name. Please use <kbd>dohash()</kbd> instead.</li>
+<li>Fixed an bug that was preventing the input class from unsetting GET variables.</li>
+<li>Fixed a router bug that was making it too greedy when matching end segments.</li>
<li>Fixed a bug that was preventing multiple discreet database calls.</li>
<li>Fixed a bug in which loading a language file was producing a "file contains no data" message.</li>
<li>Fixed a session bug caused by the XSS Filtering feature inadvertently changing the case of certain words.</li>
diff --git a/user_guide/general/controllers.html b/user_guide/general/controllers.html
index b45b5aef7..4dc94cba6 100644
--- a/user_guide/general/controllers.html
+++ b/user_guide/general/controllers.html
@@ -212,7 +212,7 @@ specifying any URI segments you'll see your Hello World message by default.</p>
<p>Simply create folders within your <dfn>application/controllers</dfn> directory and place your controller classes within them.</p>
-<p><strong>Note:</strong>&nbsp; When using this feature the first segment or your URI must specify the folder. For example, lets say you have a controller
+<p><strong>Note:</strong>&nbsp; When using this feature the first segment of your URI must specify the folder. For example, lets say you have a controller
located here:</p>
<code>application/controllers/<kbd>products</kbd>/shoes.php</code>
diff --git a/user_guide/general/core_classes.html b/user_guide/general/core_classes.html
index 1e5968475..4abe06775 100644
--- a/user_guide/general/core_classes.html
+++ b/user_guide/general/core_classes.html
@@ -64,7 +64,7 @@ Creating Core System Classes
<p>Every time Code Igniter runs there are several base classes that are initialized automatically as part of the core framework.
It is possible, however, to swap any of the core system classes with your own versions.&nbsp; <strong>Most users will never have any need to do this,
-but the option to replace them does exist for those that would like to significantly alter the Code Igniter core.</strong>
+but the option to replace them does exist for those who would like to significantly alter the Code Igniter core.</strong>
</p>
<p class="important"><strong>Note:</strong>&nbsp; Replacing a core system class with your own version has a lot of implications, so make sure you
diff --git a/user_guide/installation/upgrade_140.html b/user_guide/installation/upgrade_140.html
index 7f25c44e9..bd84c2421 100644
--- a/user_guide/installation/upgrade_140.html
+++ b/user_guide/installation/upgrade_140.html
@@ -87,7 +87,33 @@ have not upgraded to that version please do so first.</p>
</ul>
-<h2>Step 4: Update your user guide</h2>
+<h2>Step 2: Update your config.php file</h2>
+
+<p>Open your <dfn>application/config/config.php</dfn> file and add these new items:</p>
+
+<pre>
+/*
+|--------------------------------------------------------------------------
+| Allowed URL Characters
+|--------------------------------------------------------------------------
+|
+| This lets you specify which characters are permitted within your URLs.
+| When someone tries to submit a URL with disallowed characters they will
+| get a warning message.
+|
+| As a security measure you are STRONGLY encouraged to restrict URLs to
+| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
+|
+| Leave blank to allow all characters -- but only if you are insane.
+|
+| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
+|
+*/
+$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
+</pre>
+
+
+<h2>Step 3: Update your user guide</h2>
<p>Please also replace your local copy of the user guide with the new version.</p>