ExpressionEngine CMS
Open, Free, Amazing


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Any way to support urlencoded question mark (?) in the URL?

October 22, 2012 5:35pm

  • #1 / Oct 22, 2012 5:35pm

    notacouch

    92 posts

    For a module I’m developing I need to redirect people to a custom login to a given URL. That works fine unless the URL I need to redirect them to has its own query string say to prompt a particular module action, e.g.

    $str = 'http://domain/app/login?testA=1&destination;='.urlencode('http://domain/app?ACT=##&var=blah').'&testB=2';

    (ignore semicolon after destination, that’s from formatting.)

    On successful login it should take the person to:
    http://domain/app?ACT=##&var=blah


    But it seems that % 3 F (the encoded form of the question mark) in the url causes the destination parameter to get completely stripped out from _GET (testA and testB remain). It looks like it might be a CodeIgniter thing, I’m not sure. With an additional question mark in the query string that particular parameter simply does not exist.

    Can anyone explain what’s going on? Is there security stuff I should be familiar with?

    Is there any way to work around this? Is there any way I can include the additional question mark simply, or some kind of alternative? Can’t be the first person with this issue… I’m using EE 2.5.3.

  • #2 / Oct 23, 2012 12:34pm

    notacouch

    92 posts

    Well I worked around it in an arbitrary way. Dislike doing it this way as then the arbitrary rules have to be maintained everywhere that it matters =|

  • #3 / Oct 23, 2012 3:23pm

    Shane Eckert

    7174 posts

    Hey notacouch,

    Thank you for posting.

    Would you mind sharing what you did?

    Thank you,

  • #4 / Oct 23, 2012 3:48pm

    notacouch

    92 posts

    I’ll try and describe it.

    The gist of what I did is simply use an url-encoded symbol in place of the question mark that’s acceptable for CI/EE (for example an ampersand, an equal sign, but not a semicolon), look for it in your code (e.g. strpos($this->EE->input->get_post('destination'), 'symbol') !== FALSE), swap out the first instance where/as needed.

    It depends what you’re trying to do and where. An url-encoded value will get decoded when run through EE’s Input Class. Thus in a template you would see the url-decoded value, so instead of looking for the url-encoded value like “%##” in your param, you’d just look for the symbol itself and replace it with a question mark.

    However, if you’re bouncing it around between your own actions, templates, and other add-ons, you’ll have to keep up with this and may have to re-encode the values, decide whether or not to swap later in the process, or swap yet again (de-swap?).

    You’d have to be careful so you don’t mess something up somewhere else. E.g. if the question mark reappears where it shouldn’t even as % 3 F, then the param itself will not appear in the $_GET array, thus the add-on will not see a needed param consequently breaking your user’s experience. :( Major no no.

    I was also thinking of other more complicated means like just making up URLs and relying on template parsing (checking segments in extensions, this might make more sense for some kind of API, maybe), but this was just way easier.

    Still feels hackish, though, and I hope doesn’t pose some kind of security problem.

    edit:: (response to below, can’t use .htaccess as I’m on nginx, though that would be interesting to know.)
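
The placeholder swap described in post #4, with a host check on the destination before it is used for a redirect, as an added example that is not part of the thread or of ExpressionEngine. The function names, the '=' placeholder, the allowed host and the ACT value 12 (standing in for the "##" in the post) are assumptions.

```php
<?php
// Added example: hypothetical helpers, not ExpressionEngine or CodeIgniter API.
const PLACEHOLDER  = '=';       // assumption: stand-in symbol chosen for '?'
const ALLOWED_HOST = 'domain';  // assumption: the only host a login may redirect to

// Swap the first '?' for the placeholder, then URL-encode the result so it can
// travel as the value of the "destination" parameter without any %3F in it.
function pack_destination(string $url): string
{
    $pos = strpos($url, '?');
    if ($pos !== false) {
        $url = substr_replace($url, PLACEHOLDER, $pos, 1);
    }
    return urlencode($url);
}

// Takes the already URL-decoded parameter value, restores the first placeholder
// to '?', and returns the URL only if it points at the allowed host.
function unpack_destination(string $value): ?string
{
    // Refuse control characters, spaces and backslashes, which browsers and
    // parse_url() can interpret differently.
    if (preg_match('/[\x00-\x20\\\\]/', $value)) {
        return null;
    }
    $pos = strpos($value, PLACEHOLDER);
    if ($pos !== false && strpos($value, '?') === false) {
        $value = substr_replace($value, '?', $pos, 1);
    }
    $parts = parse_url($value);
    if ($parts === false || isset($parts['user'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || $host !== ALLOWED_HOST) {
        return null;  // caller should fall back to a fixed default page
    }
    return $value;
}

// Constructed sample values.
$target = 'http://domain/app?ACT=12&var=blah';
$login  = 'http://domain/app/login?testA=1&destination=' . pack_destination($target) . '&testB=2';
parse_str(parse_url($login, PHP_URL_QUERY), $get);  // stand-in for the decoded request parameters

var_dump(strpos($login, '%3F') === false);                       // is the login URL free of an encoded '?'
var_dump(unpack_destination($get['destination']) === $target);   // does the destination round-trip
var_dump(unpack_destination('http://other.example/app=ACT=12')); // is a foreign host refused
```

A destination with no query string but a literal '=' in its path would be restored incorrectly, which is the kind of arbitrary rule the post says has to be maintained everywhere the value is handled.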

  • #5 / Oct 24, 2012 12:44pm

    Shane Eckert

    7174 posts

    Hey notacouch,

    I am glad you found a solution that works for you. Just be sure to keep the changes in mind during the next update.

    I cannot find it right now, but I believe that you can do much the same with some htaccess magic. Just keep that in mind as well.

    If you need anything else, please just let me know by opening a new thread.

    Cheers,
