5 files changed, 36 insertions, 11 deletions

diff --git a/system/application/config/config.php b/system/application/config/config.php
index c33bda37c..c19fabf44 100644
--- a/system/application/config/config.php
+++ b/system/application/config/config.php
@@ -83,6 +83,26 @@ $config['enable_hooks'] = TRUE;
 
 /*
 |--------------------------------------------------------------------------
+| Allowed URL Characters
+|--------------------------------------------------------------------------
+|
+| This lets you specify which characters are permitted within your URLs.
+| When someone tries to submit a URL with disallowed characters they will
+| get a warning message.
+|
+| As a security measure you are STRONGLY encouraged to restrict URLs to
+| as few characters as possible.  By default only these are allowed: a-z 0-9~%.:_-
+|
+| Leave blank to allow all characters -- but only if you are insane.
+| 
+| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
+|
+*/
+$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
+
+
+/*
+|--------------------------------------------------------------------------
 | Enable Query Strings
 |--------------------------------------------------------------------------
 |
diff --git a/system/drivers/DB_mssql.php b/system/drivers/DB_mssql.php
index 48d1929e3..f6e672b94 100644
--- a/system/drivers/DB_mssql.php
+++ b/system/drivers/DB_mssql.php
@@ -109,8 +109,8 @@ class CI_DB_mssql extends CI_DB {
 	 */
 	function escape_str($str)	
 	{	
-		// MS SQL doesn't require escaping
-		return $str;
+		// Escape single quotes
+		return str_replace("'", "''", $str);
 	}
 	
 	// --------------------------------------------------------------------
diff --git a/system/drivers/DB_mysqli.php b/system/drivers/DB_mysqli.php
index 75c01e7f8..fadcdd3c4 100644
--- a/system/drivers/DB_mysqli.php
+++ b/system/drivers/DB_mysqli.php
@@ -88,7 +88,9 @@ class CI_DB_mysqli extends CI_DB {
 	function execute($sql)
 	{
 		$sql = $this->_prep_query($sql);	
-		return @mysqli_query($this->conn_id, $sql);
+		$result = @mysqli_query($this->conn_id, $sql);
+		mysqli_next_result($this->conn_id);
+		return $result;
 	}
 	
 	// --------------------------------------------------------------------
diff --git a/system/libraries/Config.php b/system/libraries/Config.php
index 85b295796..bd138331f 100644
--- a/system/libraries/Config.php
+++ b/system/libraries/Config.php
@@ -53,7 +53,7 @@ class CI_Config {
 	 *
 	 * @access	public
 	 * @param	string	the config file name
-	 * @return	void
+	 * @return	boolean	if the file was loaded correctly
 	 */	
 	function load($file = '')
 	{
@@ -61,7 +61,7 @@ class CI_Config {
 	
 		if (in_array($file, $this->is_loaded))
 		{                
-			return;
+			return TRUE;
 		}
 	
 		include_once(APPPATH.'config/'.$file.EXT);
@@ -77,6 +77,7 @@ class CI_Config {
 		unset($config);
 
 		log_message('debug', 'Config file loaded: config/'.$file.EXT);
+		return TRUE;
 	}
   	// END load()
   	
diff --git a/system/libraries/Router.php b/system/libraries/Router.php
index b28ead953..2219f5739 100644
--- a/system/libraries/Router.php
+++ b/system/libraries/Router.php
@@ -254,12 +254,14 @@ class CI_Router {
 	 */	
 	function _filter_uri($str)
 	{
-		 if ( ! preg_match("/^[a-z0-9~\s\%\.:_-]+$/i", $str))
-		 { 
-			exit('The URI you submitted has disallowed characters: '.$str);
-		 }
-		 
-		 return $str;
+		if ($this->config->item('permitted_uri_chars') != '')
+		{
+			if ( ! preg_match("|^[".preg_quote($this->config->item('permitted_uri_chars'))."]+$|i", $str))
+			{ 
+				exit('The URI you submitted has disallowed characters: '.$str);
+			}
+		}	
+			return $str;
 	}
 	// END _filter_uri()