should I allow "." in URL?

Question

I am doing URL masking by using codeigniter routing. Here I allow user to enter a text which will be URL of his offer details on under a specific URL.

ie,if user entered "offer1" then his offer details will be available on

offers.com/offer/offer1

Here I accept only alphabets and numbers as URL text.Should I allow "." in URL text? What is the standard method should I follow here?

when he enters the offer name encode it using base64_encode() and send to url and if you want to use it later decode it using base64_decode() .....let me know if you face any problems — Venkata Krishna, Feb 05 '13 at 05:19
`.` should be fine, check this: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm#whatwhy (although not related to codeigniter, which might have it's own rules, depending on how it works, which I'm not sure about) — John V., Feb 05 '13 at 05:21
urlencoding gives soem disallowed characters when you encode text.... — Venkata Krishna, Feb 05 '13 at 05:22
urlencode gives disallowed characters in some cases............ — Venkata Krishna, Feb 05 '13 at 05:25
after trying base64 also if you face let me know whats the error........ — Venkata Krishna, Feb 05 '13 at 05:29
A `.` is a valid character allowed and should not cause any problems, just make sure your CI routing config will allow its use. — kittycat, Feb 05 '13 at 05:29
I am damn sure because i faced same problems i rectified it using base64_encode()....... — Venkata Krishna, Feb 05 '13 at 05:30
If urlencode doesn't work for you it's possible [rawurlencode](http://www.php.net/manual/en/function.rawurlencode.php) could do the trick. — John V., Feb 05 '13 at 05:33
I think `urlencode` automatically happening and only `urldecode` is needed.In my program I have used only `urldecode` and find it as working well. — shihabudheen, Feb 05 '13 at 05:33
Regarding to the point that . is valid character, its confusing because such url like (.com/url.php) its like a file with php extension, another (.com/url.jpeg) it appear as an image! its a kind of URL cloaking attack :) — , Feb 05 '13 at 05:42
@Akam thank you for noticing about the security. Actually I had doubt about the security.My client given choice for allowing "." character as well as dis-allowing "." character.Then better method is dis-allowing "." character? — shihabudheen, Feb 05 '13 at 05:49
I suggest using [a-zA-Z0-9-] as white list, then you can use $url = preg_replace('/[^a-zA-Z0-9]+/', '', $url); — , Feb 05 '13 at 05:53

score 0 · Answer 1 · edited Feb 05 '13 at 05:26

0

When user enters the offer name take that as $offer_name and encode it using base64_encode($offer_name);

$encoded_name = base64_encode($offer_name);

Send this $encoded_name to url...........and if you want to use offer name further decode it using base64_decode($encoded_name);

edited Feb 05 '13 at 05:26

kittycat

14,983
9
55
80

answered Feb 05 '13 at 05:24

Venkata Krishna

4,287
6
30
53

i don't know the difference dude i faced problem like this i tried urlencode it gave disallowed characters so i tried base64_encode() – Venkata Krishna Feb 05 '13 at 05:33
2

urlencode is supposed to take strings and make them URL safe, base64_encode encodes things in [base64](http://en.wikipedia.org/wiki/Base64). – John V. Feb 05 '13 at 05:35

score 0 · Answer 2 · answered Feb 05 '13 at 10:41

0

if you need the "." you can leave that in urls, if you then use url params to run queries just escape params before to run the query.

Usually i make a 301 redirect to the base_url(); if somenthing wrong with url params.

just my 2 cents

answered Feb 05 '13 at 10:41

itsme

48,972
96
224
345

score 0 · Answer 3 · edited Sep 05 '13 at 16:14

0

You can allow "." in URL by adding "." in $config['permitted_uri_chars'] config variable in config.php.

edited Sep 05 '13 at 16:14

nhahtdh

55,989
15
126
162

answered Sep 05 '13 at 11:56

Naresh Ramoliya

770
2
8
25

should I allow "." in URL?

3 Answers3