Tag Archives: codeigniter

CodeIgniter URL Security

Filed under Programming

A friend of mine who is developing a site based on CI pointed out something interesting. If you do not remove the \ char from the $config['permitted_uri_chars'] variable in config.php, a user can perform an SQL injection. I have not tested this, but based on the comments in the source code I don't believe they meant to place a \ in the regex. There is no need to escape the - char.

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

to

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';

** Update **

I have yet to confirm if the person who told me about the SQL Injection was using any of the following:

$this->db->escape();
$this->db->escape_str();
$this->db->escape_like_str();

Using those methods could make the difference if someone uses a \ to escape in a query.
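To see what the two settings actually let through a URI segment, here is a small standalone check. It is an added example, not code from the original post or from CodeIgniter. CodeIgniter wraps the setting in a regex character class after running it through preg_quote(); the helper below reproduces only the effect that matters here (a \ in the setting turns into an escaped, and therefore permitted, literal backslash) and escapes nothing else, so the a-z and 0-9 ranges behave the same on any PHP version (preg_quote() also escapes - since PHP 5.3, which would break the ranges in a standalone demo). The sample segments are constructed.

```php
<?php
// Added example, not from the original post. Mimics the character class that
// CodeIgniter builds from $config['permitted_uri_chars']. Assumption: CI uses
// preg_quote(); only backslash and ']' are escaped here so the example runs
// the same on any PHP version.
function permitted_char_class($setting)
{
    // A '\' in the setting becomes '\\' inside [...]: a permitted literal backslash.
    return '[' . addcslashes($setting, '\\]') . ']';
}

// TRUE when every character of the segment is in the permitted set.
function uri_segment_allowed($segment, $setting)
{
    return (bool) preg_match('|^' . permitted_char_class($setting) . '+$|i', $segment);
}

$loose  = 'a-z 0-9~%.:_\-';   // shipped default: the trailing \- lets a backslash through
$strict = 'a-z 0-9~%.:_-';    // corrected setting from the post

// Constructed sample segments: a plain slug, a hyphenated slug, one with a
// backslash and one with a quote.
$segments = array('products', 'some-slug', 'back\slash', "o'neil");

printf("%-12s %-8s %-8s\n", 'segment', 'loose', 'strict');
foreach ($segments as $segment) {
    printf("%-12s %-8s %-8s\n", $segment,
        uri_segment_allowed($segment, $loose)  ? 'allowed' : 'blocked',
        uri_segment_allowed($segment, $strict) ? 'allowed' : 'blocked');
}
```

The quote is rejected by both settings, while the backslash passes only the loose one; whether that matters for a query then depends on the segment being run through $this->db->escape() or one of the other escape methods listed above before it reaches the database.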

reCaptcha with CodeIgniter Form Validation

Filed under Programming, Projects, Tech

If you are building a site that requires reCaptcha and you are using the CodeIgniter Form Validation libs you can tie those together nicely.

A previous version of the article included the reCaptcha lib via require_once, and it was brought to my attention that using a helper would be more 'elegant'. Frankly he was right (@jusfa), so I included how to do that below.

Download the reCaptcha library and extract it into any directory (a temp directory works best since we will be moving it). Then copy the file 'recaptchalib.php' to 'system/application/helpers/recaptcha_helper.php' and remove the directory that you extracted the lib to (optional).

Now you can load the helper with the following command.

<?php
$this->load->helper('recaptcha');
?>

If you want all methods to have access to this helper in the controller then place the command in the constructor, otherwise place it above the code that is dependent upon it.

Once your helper is set up, you need to store the public and private keys that were generated on the reCaptcha site in your controller.

<?php
// store your private/public key
private $_recaptcha_private_key = 'YOUR PRIVATE KEY GOES HERE';
private $_recaptcha_public_key = 'YOUR PUBLIC KEY GOES HERE';
?>

The next step is to create a method in your controller and set the validation rules for the reCaptcha field. The rules I used are that 'recaptcha_response_field' is required and that it is checked by the callback method named 'recaptcha_check'. If the form validation returns FALSE, you will need to call the method that generates the reCaptcha HTML and pass the result to your view.

<?php
    function someAction()
    {
        $this->load->library('form_validation');
        // set validation rule for the recaptcha response
        $this->form_validation->set_rules('recaptcha_response_field', 'reCaptcha', 'required|callback_recaptcha_check');
        if ($this->form_validation->run() === FALSE)
        {
            // store the recaptcha html code for the view
            $data['recaptcha'] = recaptcha_get_html($this->_recaptcha_public_key);
            // pass the data to the view
            $this->load->view('someView', $data);
        }
        else
        {
            // party
        }
    }
?>

When the user submits the form, the 'recaptcha_response_field' value is passed as a parameter to your callback method 'recaptcha_check'. Within that method you call the reCaptcha lib method that checks whether the user's answer is correct. If it is not, you set the form error message and return FALSE. When the user enters a correct reCaptcha response you only need to return TRUE; since no error occurred, you do not need to set an error message.

<?php
    function recaptcha_check($response)
    {
        // Form validation passes the value of 'recaptcha_response_field' as $response;
        // the challenge token comes from the hidden field the widget adds to the form.
        $resp = recaptcha_check_answer(
            $this->_recaptcha_private_key,
            $this->input->ip_address(),
            $this->input->post('recaptcha_challenge_field'),
            $response
        );
        if ( ! $resp->is_valid)
        {
            // reCaptcha is wrong: set the message that validation_errors() will display
            $this->form_validation->set_message('recaptcha_check', 'reCaptcha was wrong.');
            return FALSE;
        }
        return TRUE;
    }
?>

Now just add the validation rules for your other fields and you are done! Below is the complete script so you can see how it all fits together inside one controller.

Full Script

<?php
class Test extends Controller
{
    // store your private/public key
    private $_recaptcha_private_key = 'YOUR PRIVATE KEY GOES HERE';
    private $_recaptcha_public_key = 'YOUR PUBLIC KEY GOES HERE';

    function __construct()
    {
        parent::__construct();
        $this->load->helper('recaptcha');
    }

    function someAction()
    {
        $this->load->library('form_validation');
        // set validation rule for the recaptcha response
        $this->form_validation->set_rules('recaptcha_response_field', 'reCaptcha', 'required|callback_recaptcha_check');
        if ($this->form_validation->run() === FALSE)
        {
            // store the recaptcha html code for the view
            $data['recaptcha'] = recaptcha_get_html($this->_recaptcha_public_key);
            // pass the data to the view
            $this->load->view('someView', $data);
        }
        else
        {
            // party
        }
    }

    function recaptcha_check($response)
    {
        // Form validation passes the value of 'recaptcha_response_field' as $response;
        // the challenge token comes from the hidden field the widget adds to the form.
        $resp = recaptcha_check_answer(
            $this->_recaptcha_private_key,
            $this->input->ip_address(),
            $this->input->post('recaptcha_challenge_field'),
            $response
        );
        if ( ! $resp->is_valid)
        {
            // reCaptcha is wrong: set the message that validation_errors() will display
            $this->form_validation->set_message('recaptcha_check', 'reCaptcha was wrong.');
            return FALSE;
        }
        return TRUE;
    }
}
?>
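The post does not show the view that receives $data['recaptcha'], nor the rules for the "other fields" it mentions, so here is a minimal 'someView' as an added example (not part of the original post). It assumes the CodeIgniter form helper is loaded (form_open(), form_input(), form_submit(), set_value() and validation_errors() come from it; add $this->load->helper('form') to the constructor if it is not autoloaded) and that the controller is reachable at test/someAction. The 'email' field is constructed for illustration.

```php
<?php
// Added example, not from the original post: system/application/views/someView.php
// Assumes the form helper is loaded. The reCaptcha widget inserted via $recaptcha
// submits recaptcha_challenge_field and recaptcha_response_field along with the form,
// which is what recaptcha_check() reads.
?>
<html>
<body>
<?php
// Shows the message set by set_message('recaptcha_check', ...) and any other rule errors.
echo validation_errors('<p class="error">', '</p>');

echo form_open('test/someAction');
?>
    <label for="email">Email</label>
    <?php echo form_input('email', set_value('email')); // re-populated after a failed submit ?>

    <?php echo $recaptcha; // HTML from recaptcha_get_html() in the controller ?>

    <?php echo form_submit('submit', 'Send'); ?>
</form>
</body>
</html>
```

The matching rule for the constructed field goes next to the reCaptcha rule in someAction(), for example $this->form_validation->set_rules('email', 'Email', 'required|valid_email'); the view then reports both kinds of failure through the same validation_errors() call.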

New Project

Filed under Cars, Projects

So I've been working on a new project that I hope to launch by August 2009. The concept and layout have been completed, and I am very happy with the results. Some tidbits I can release: I will be utilizing S3 and CloudFront for the site. Also, I think I am going to use CodeIgniter for the framework, since I have used it in the past and have been satisfied with it.