authoradmin <devnull@localhost>2006-08-27 21:32:02 +0200
committeradmin <devnull@localhost>2006-08-27 21:32:02 +0200
commit1082bddc0c065895a3b39607cb930f5a101f54fb (patch)
tree2c19cb7dcee82642f2a072bf9f432091fda4c8b1 /system
parent0d29605b1e774efd57ffd8f5ccc8eaec1e9ca576 (diff)
Diffstat (limited to 'system')
-rw-r--r--system/application/config/config.php20
-rw-r--r--system/drivers/DB_mssql.php4
-rw-r--r--system/drivers/DB_mysqli.php4
-rw-r--r--system/libraries/Config.php5
-rw-r--r--system/libraries/Router.php14
5 files changed, 36 insertions, 11 deletions
diff --git a/system/application/config/config.php b/system/application/config/config.php
index c33bda37c..c19fabf44 100644
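--- a/system/application/config/config.php
+++ b/system/application/config/config.php
@@ -83,6 +83,26 @@ $config['enable_hooks'] = TRUE;
 /*
 |--------------------------------------------------------------------------
+| Allowed URL Characters
+|--------------------------------------------------------------------------
+|
+| This lets you specify which characters are permitted within your URLs.
+| When someone tries to submit a URL with disallowed characters they will
+| get a warning message.
+|
+| As a security measure you are STRONGLY encouraged to restrict URLs to
+| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
+|
+| Leave blank to allow all characters -- but only if you are insane.
+|
+| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
+|
+*/
+$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
+
+
+/*
+|--------------------------------------------------------------------------
 | Enable Query Strings
 |--------------------------------------------------------------------------
 |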
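Review bot: The comment should say how the value is interpreted: in this same commit Router::_filter_uri() wraps it in a regular-expression character class after preg_quote(), so `a-z` and `0-9` are ranges rather than a literal list of characters, and a literal hyphen has to stay last as in the default. Proposed line after "get a warning message.": `| The value becomes the body of a regular-expression character class, so a-z denotes a range; keep a literal hyphen at the end.`. Since `%` is permitted, percent-encoded forms of other characters pass this check unchanged, so it is worth documenting at what point the URI segment is decoded relative to this filter; that is not visible in this hunk.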
diff --git a/system/drivers/DB_mssql.php b/system/drivers/DB_mssql.php
index 48d1929e3..f6e672b94 100644
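--- a/system/drivers/DB_mssql.php
+++ b/system/drivers/DB_mssql.php
@@ -109,8 +109,8 @@ class CI_DB_mssql extends CI_DB {
 */
 function escape_str($str)
 {
- // MS SQL doesn't require escaping
- return $str;
+ // Escape single quotes
+ return str_replace("'", "''", $str);
 }
 // --------------------------------------------------------------------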
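Review bot: The new escape_str() only makes a value safe for interpolation into a single-quoted string literal, and the comment should say so explicitly; doubling `'` does nothing for LIKE wildcards (`%`, `_`) or for identifiers, so callers building those contexts still need their own handling. Proposed comment in place of `// Escape single quotes`: `// Double single quotes: valid only for values placed inside a single-quoted T-SQL string literal; LIKE wildcards and identifiers are not covered`. The function's docblock begins above the hunk, so the contract could also be stated there.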
diff --git a/system/drivers/DB_mysqli.php b/system/drivers/DB_mysqli.php
index 75c01e7f8..fadcdd3c4 100644
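--- a/system/drivers/DB_mysqli.php
+++ b/system/drivers/DB_mysqli.php
@@ -88,7 +88,9 @@ class CI_DB_mysqli extends CI_DB {
 function execute($sql)
 {
 $sql = $this->_prep_query($sql);
- return @mysqli_query($this->conn_id, $sql);
+ $result = @mysqli_query($this->conn_id, $sql);
+ mysqli_next_result($this->conn_id);
+ return $result;
 }
 // --------------------------------------------------------------------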
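Review bot: `mysqli_next_result()` is called unconditionally after every query, which silently discards any further result set the statement produced and has nothing to do when there is none; guard it with `if (mysqli_more_results($this->conn_id)) { mysqli_next_result($this->conn_id); }`. The `@` on mysqli_query() hides the diagnostic of a failed query so callers only ever see `false`; at minimum capture `mysqli_error($this->conn_id)` before returning so the failure is recorded somewhere. The reason for the extra call is not stated; a comment such as `// Drain a trailing result set so the connection is ready for the next query (presumably for stored-procedure calls; confirm)` would save the next reader from guessing.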
diff --git a/system/libraries/Config.php b/system/libraries/Config.php
index 85b295796..bd138331f 100644
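--- a/system/libraries/Config.php
+++ b/system/libraries/Config.php
@@ -53,7 +53,7 @@ class CI_Config {
 *
 * @access public
 * @param string the config file name
- * @return void
+ * @return boolean if the file was loaded correctly
 */
 function load($file = '')
 {
@@ -61,7 +61,7 @@ class CI_Config {
 if (in_array($file, $this->is_loaded))
 {
- return;
+ return TRUE;
 }
 include_once(APPPATH.'config/'.$file.EXT);
@@ -77,6 +77,7 @@ class CI_Config {
 unset($config);
 log_message('debug', 'Config file loaded: config/'.$file.EXT);
+ return TRUE;
 }
 // END load()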
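Review bot: The docblock now promises `@return boolean if the file was loaded correctly`, but every path visible in these hunks returns TRUE, and the result of `include_once(APPPATH.'config/'.$file.EXT)` is never checked, so in the visible code a missing or unreadable file cannot produce FALSE. Either test before including, e.g. `if ( ! file_exists(APPPATH.'config/'.$file.EXT)) { return FALSE; }`, or narrow the docblock to what actually happens, e.g. `@return boolean TRUE once the file is loaded (or was already loaded)`. The part of load() between the second and third hunks is outside this view and may contain a FALSE path; if it does, the docblock should name that condition.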
diff --git a/system/libraries/Router.php b/system/libraries/Router.php
index b28ead953..2219f5739 100644
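--- a/system/libraries/Router.php
+++ b/system/libraries/Router.php
@@ -254,12 +254,14 @@ class CI_Router {
 */
 function _filter_uri($str)
 {
- if ( ! preg_match("/^[a-z0-9~\s\%\.:_-]+$/i", $str))
- {
- exit('The URI you submitted has disallowed characters: '.$str);
- }
-
- return $str;
+ if ($this->config->item('permitted_uri_chars') != '')
+ {
+ if ( ! preg_match("|^[".preg_quote($this->config->item('permitted_uri_chars'))."]+$|i", $str))
+ {
+ exit('The URI you submitted has disallowed characters: '.$str);
+ }
+ }
+ return $str;
 }
 // END _filter_uri()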
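Review bot: The new pattern depends on preg_quote() leaving `-` unescaped so that `a-z` and `0-9` from permitted_uri_chars stay ranges; preg_quote's escape set has grown across PHP releases (it quotes `-` from 5.3 onward), after which the class collapses to the literal characters `a`, `-`, `z`, `0`, `9` and ordinary URIs are rejected. Restore the range hyphens after quoting, e.g. `$chars = str_replace('\-', '-', preg_quote($this->config->item('permitted_uri_chars'), '|'));` and then `preg_match("|^[".$chars."]+$|i", $str)`. The exit() branch still writes the raw, by-definition disallowed URI into the response body without htmlspecialchars(); use a fixed message or escape `$str` before output. The `!= ''` test is a loose comparison, so a configured value of `'0'` counts as blank and disables filtering; use `!== ''`. Whether `$this->config` is initialised before _filter_uri() runs is not visible in this hunk.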