diff options
author | admin <devnull@localhost> | 2006-08-27 21:32:02 +0200 |
---|---|---|
committer | admin <devnull@localhost> | 2006-08-27 21:32:02 +0200 |
commit | 1082bddc0c065895a3b39607cb930f5a101f54fb (patch) | |
tree | 2c19cb7dcee82642f2a072bf9f432091fda4c8b1 /system | |
parent | 0d29605b1e774efd57ffd8f5ccc8eaec1e9ca576 (diff) |
Diffstat (limited to 'system')
-rw-r--r-- | system/application/config/config.php | 20 | ||||
-rw-r--r-- | system/drivers/DB_mssql.php | 4 | ||||
-rw-r--r-- | system/drivers/DB_mysqli.php | 4 | ||||
-rw-r--r-- | system/libraries/Config.php | 5 | ||||
-rw-r--r-- | system/libraries/Router.php | 14 |
5 files changed, 36 insertions, 11 deletions
diff --git a/system/application/config/config.php b/system/application/config/config.php index c33bda37c..c19fabf44 100644 --- a/system/application/config/config.php +++ b/system/application/config/config.php @@ -83,6 +83,26 @@ $config['enable_hooks'] = TRUE; /* |-------------------------------------------------------------------------- +| Allowed URL Characters +|-------------------------------------------------------------------------- +| +| This lets you specify which characters are permitted within your URLs. +| When someone tries to submit a URL with disallowed characters they will +| get a warning message. +| +| As a security measure you are STRONGLY encouraged to restrict URLs to +| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_- +| +| Leave blank to allow all characters -- but only if you are insane. +| +| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!! +| +*/ +$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-'; + + +/* +|-------------------------------------------------------------------------- | Enable Query Strings |-------------------------------------------------------------------------- | diff --git a/system/drivers/DB_mssql.php b/system/drivers/DB_mssql.php index 48d1929e3..f6e672b94 100644 --- a/system/drivers/DB_mssql.php +++ b/system/drivers/DB_mssql.php @@ -109,8 +109,8 @@ class CI_DB_mssql extends CI_DB { */ function escape_str($str) { - // MS SQL doesn't require escaping - return $str; + // Escape single quotes + return str_replace("'", "''", $str); } // -------------------------------------------------------------------- diff --git a/system/drivers/DB_mysqli.php b/system/drivers/DB_mysqli.php index 75c01e7f8..fadcdd3c4 100644 --- a/system/drivers/DB_mysqli.php +++ b/system/drivers/DB_mysqli.php @@ -88,7 +88,9 @@ class CI_DB_mysqli extends CI_DB { function execute($sql) { $sql = $this->_prep_query($sql); - return @mysqli_query($this->conn_id, $sql); + $result = @mysqli_query($this->conn_id, $sql); + mysqli_next_result($this->conn_id); + return $result; } // -------------------------------------------------------------------- diff --git a/system/libraries/Config.php b/system/libraries/Config.php index 85b295796..bd138331f 100644 --- a/system/libraries/Config.php +++ b/system/libraries/Config.php @@ -53,7 +53,7 @@ class CI_Config { * * @access public * @param string the config file name - * @return void + * @return boolean if the file was loaded correctly */ function load($file = '') { @@ -61,7 +61,7 @@ class CI_Config { if (in_array($file, $this->is_loaded)) { - return; + return TRUE; } include_once(APPPATH.'config/'.$file.EXT); @@ -77,6 +77,7 @@ class CI_Config { unset($config); log_message('debug', 'Config file loaded: config/'.$file.EXT); + return TRUE; } // END load() diff --git a/system/libraries/Router.php b/system/libraries/Router.php index b28ead953..2219f5739 100644 --- a/system/libraries/Router.php +++ b/system/libraries/Router.php @@ -254,12 +254,14 @@ class CI_Router { */ function _filter_uri($str) { - if ( ! preg_match("/^[a-z0-9~\s\%\.:_-]+$/i", $str)) - { - exit('The URI you submitted has disallowed characters: '.$str); - } - - return $str; + if ($this->config->item('permitted_uri_chars') != '') + { + if ( ! preg_match("|^[".preg_quote($this->config->item('permitted_uri_chars'))."]+$|i", $str)) + { + exit('The URI you submitted has disallowed characters: '.$str); + } + } + return $str; } // END _filter_uri() |