I searched for why this is true (from the default CodeIgniter configuration file).
I want to know why CodeIgniter acts the way it does and why this URL setting is so important. Not in order to disable it, but out of curiosity, and to know whether it's OK to use frameworks that do not have this function.
The only reasons I have seen so far were:
- hackers are inventive, so don't turn it off.
- prevent users from performing SQL injection
- prevent spoofing on different sites, such as http://yoursite.com@hacker.com
- for URL encoding
- whitelists are better than blacklists
The first and fifth causes are generally not chronic. Why URLs? If funky URLs have no security issues, they don't need a blacklist, so they don't need this whitelist. If a weird URL isn't capable of hacking your site, it would be a wonderful waste of time to allow their inventive, harmless experiments rather than getting them to move on to something really capable of revealing security holes.
The second reason is erroneous for two reasons: firstly, this sanitization is not applied to the query string or POST data, where you expect to find most injection attempts. Secondly, it does not escape these characters; it denies any request that includes them. I would be frustrated as a user if qaru killed the page load because my post included an apostrophe.
Reasons three and four just don't apply. Reason three is that users will think they are coming to your site but actually go to hacker.com. You can't do anything to prevent this; you will never receive the request. Likewise, number four seems to stem from a misunderstanding that this generates URLs rather than parsing them. This code analyzes what you can be sure is a real URL. CodeIgniter decodes URI characters before running this regular expression.
So those are the answers I have heard, and I don't understand them. Is there a real reason that I have not found yet, or is the code mostly useless? Any security experts who can enlighten me?
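The whitelist check the question describes, re-implemented in Python as an added example (not CodeIgniter's own code, and not part of the original post). It assumes the default `permitted_uri_chars` string `a-z 0-9~%.:_\-`, and follows the question's description that each path segment is percent-decoded before matching and that only the path, never the query string, is checked; the sample request URIs are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Default whitelist string as shipped in CodeIgniter's config.php
# (assumption: reproduced from the framework's default, not read from it here).
PERMITTED_URI_CHARS = r"a-z 0-9~%.:_\-"


def build_whitelist_pattern(permitted: str = PERMITTED_URI_CHARS) -> re.Pattern:
    """Turn the config string into the case-insensitive character class
    that every URI segment is matched against."""
    return re.compile(r"^[" + permitted + r"]+$", re.IGNORECASE)


def check_request_uri(request_uri: str, permitted: str = PERMITTED_URI_CHARS) -> dict:
    """Apply the whitelist to the path of a request URI.

    Mirrors the behaviour the question describes (assumption, not CI's code):
    segments are decoded before matching, so '%27' is judged as an apostrophe
    rather than as '%', '2', '7'; the query string is returned untouched,
    which is exactly the gap the question points out for injection attempts.
    """
    pattern = build_whitelist_pattern(permitted)
    parts = urlsplit(request_uri)
    for raw_segment in parts.path.split("/"):
        if raw_segment == "":
            continue  # leading or doubled slashes produce empty segments
        decoded = unquote(raw_segment)
        if not pattern.match(decoded):
            # CodeIgniter denies the whole request here instead of escaping.
            return {"allowed": False, "bad_segment": decoded, "query": parts.query}
    return {"allowed": True, "bad_segment": None, "query": parts.query}


# Constructed sample request URIs, not taken from any real log.
SAMPLE_REQUEST_URIS = [
    "/blog/posts/hello-world",   # plain slug: passes
    "/blog/posts/it%27s-here",   # apostrophe after decoding: request denied
    "/blog/posts/caf%C3%A9",     # non-ASCII letter is outside the class: denied
    "/search?q=%27+OR+1%3D1",    # path is fine; the query string is never checked
]


def classify_samples() -> list:
    """Return (uri, allowed) for each constructed sample."""
    return [(uri, check_request_uri(uri)["allowed"]) for uri in SAMPLE_REQUEST_URIS]


if __name__ == "__main__":
    for uri, allowed in classify_samples():
        print(f"{'allow' if allowed else 'deny '}  {uri}")
```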