From 1082bddc0c065895a3b39607cb930f5a101f54fb Mon Sep 17 00:00:00 2001 From: admin Date: Sun, 27 Aug 2006 19:32:02 +0000 Subject: --- system/application/config/config.php | 20 ++++++++++++++++++++ system/drivers/DB_mssql.php | 4 ++-- system/drivers/DB_mysqli.php | 4 +++- system/libraries/Config.php | 5 +++-- system/libraries/Router.php | 14 ++++++++------ 5 files changed, 36 insertions(+), 11 deletions(-) (limited to 'system') diff --git a/system/application/config/config.php b/system/application/config/config.php index c33bda37c..c19fabf44 100644 --- a/system/application/config/config.php +++ b/system/application/config/config.php @@ -81,6 +81,26 @@ $config['language'] = "english"; $config['enable_hooks'] = TRUE; +/* +|-------------------------------------------------------------------------- +| Allowed URL Characters +|-------------------------------------------------------------------------- +| +| This lets you specify which characters are permitted within your URLs. +| When someone tries to submit a URL with disallowed characters they will +| get a warning message. +| +| As a security measure you are STRONGLY encouraged to restrict URLs to +| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_- +| +| Leave blank to allow all characters -- but only if you are insane. +| +| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!! +| +*/ +$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-'; + + /* |-------------------------------------------------------------------------- | Enable Query Strings diff --git a/system/drivers/DB_mssql.php b/system/drivers/DB_mssql.php index 48d1929e3..f6e672b94 100644 --- a/system/drivers/DB_mssql.php +++ b/system/drivers/DB_mssql.php @@ -109,8 +109,8 @@ class CI_DB_mssql extends CI_DB { */ function escape_str($str) { - // MS SQL doesn't require escaping - return $str; + // Escape single quotes + return str_replace("'", "''", $str); } // -------------------------------------------------------------------- diff --git a/system/drivers/DB_mysqli.php b/system/drivers/DB_mysqli.php index 75c01e7f8..fadcdd3c4 100644 --- a/system/drivers/DB_mysqli.php +++ b/system/drivers/DB_mysqli.php @@ -88,7 +88,9 @@ class CI_DB_mysqli extends CI_DB { function execute($sql) { $sql = $this->_prep_query($sql); - return @mysqli_query($this->conn_id, $sql); + $result = @mysqli_query($this->conn_id, $sql); + mysqli_next_result($this->conn_id); + return $result; } // -------------------------------------------------------------------- diff --git a/system/libraries/Config.php b/system/libraries/Config.php index 85b295796..bd138331f 100644 --- a/system/libraries/Config.php +++ b/system/libraries/Config.php @@ -53,7 +53,7 @@ class CI_Config { * * @access public * @param string the config file name - * @return void + * @return boolean if the file was loaded correctly */ function load($file = '') { @@ -61,7 +61,7 @@ class CI_Config { if (in_array($file, $this->is_loaded)) { - return; + return TRUE; } include_once(APPPATH.'config/'.$file.EXT); @@ -77,6 +77,7 @@ class CI_Config { unset($config); log_message('debug', 'Config file loaded: config/'.$file.EXT); + return TRUE; } // END load() diff --git a/system/libraries/Router.php b/system/libraries/Router.php index b28ead953..2219f5739 100644 --- a/system/libraries/Router.php +++ b/system/libraries/Router.php @@ -254,12 +254,14 @@ class CI_Router { */ function _filter_uri($str) { - if ( ! preg_match("/^[a-z0-9~\s\%\.:_-]+$/i", $str)) - { - exit('The URI you submitted has disallowed characters: '.$str); - } - - return $str; + if ($this->config->item('permitted_uri_chars') != '') + { + if ( ! preg_match("|^[".preg_quote($this->config->item('permitted_uri_chars'))."]+$|i", $str)) + { + exit('The URI you submitted has disallowed characters: '.$str); + } + } + return $str; } // END _filter_uri() -- cgit v1.2.3-24-g4f1b