Given the following simple code:
// Controller method; $var is the URI segment that follows /mycontroller/loadthis/
function loadthis($var)
{
    $id = $this->model->get_id($var);
}
Question: can any malicious code ever be passed via a URI variable?
Scenario: http://www.mydomain.com/mycontroller/loadthis/dosomethingreallybadhere
Extra info:
- I use active record on the model, so I know they can't do SQL injection
- In this example I am NOT using the form_validation class (but I use it in other places for my forms)
- I limit my URI characters to the default ones provided by CodeIgniter:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
There isn’t too much you can do with the characters allowed … mainly what you are attempting to prevent is anyone injecting MySQL or possibly malicious scripts into your site. There is always a possibility but I think you are fairly safe with what you have. The main things you want to filter are:
This is by no means an end-all list. These are the primary things you should be on the lookout for. I would highly recommend you read up on security best practices at https://www.owasp.org/index.php/Main_Page
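As an added example (not code from the question, the answer, or CodeIgniter itself), here is a stand-alone PHP sketch of how the segment reaching `loadthis` can be treated as untrusted even with the whitelist in place. It applies the `permitted_uri_chars` pattern quoted in the question, adds a stricter application-level rule on top (the method is assumed to expect a short lowercase slug), performs the lookup with a bound parameter, and HTML-encodes the value before it is reflected. `lookup_id`, the `items` table and the in-memory SQLite database are stand-ins for `$this->model->get_id()`; all of them are assumptions of the example.

```php
<?php
// Added example, not code from the question or from CodeIgniter.
// The character class below is the permitted_uri_chars value quoted in the question.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

// Mirrors the framework-level check: every character of the segment must be whitelisted.
function segment_passes_uri_filter(string $segment): bool
{
    return preg_match('/^[' . PERMITTED_URI_CHARS . ']+$/i', $segment) === 1;
}

// Application-level rule (an assumption of this example): loadthis expects a short
// lowercase slug, so anything else is rejected before it reaches the model.
function is_valid_slug(string $segment): bool
{
    return preg_match('/^[a-z0-9_-]{1,64}$/', $segment) === 1;
}

// Stand-in for $this->model->get_id($var). The value is passed as a bound parameter,
// so it is always data and never part of the SQL text.
function lookup_id(PDO $db, string $slug): ?int
{
    $stmt = $db->prepare('SELECT id FROM items WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Controller-style handler that returns the HTML fragment it would render.
function loadthis(PDO $db, string $var): string
{
    if (!segment_passes_uri_filter($var) || !is_valid_slug($var)) {
        http_response_code(404);   // would be show_404() inside CodeIgniter
        return 'Not found';
    }
    $id = lookup_id($db, $var);
    if ($id === null) {
        http_response_code(404);
        return 'Not found';
    }
    // The slug is reflected into HTML, so it is encoded at the point of output.
    return '<p>Item ' . $id . ': ' . htmlspecialchars($var, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed in-memory table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, slug TEXT UNIQUE)');
$db->exec("INSERT INTO items (slug) VALUES ('widget'), ('gadget')");

// Constructed sample segments: two real slugs, an unknown slug, the segment from the
// question's scenario URL, one that passes the URI filter but not the slug rule,
// and one that the URI filter itself rejects.
$samples = ['widget', 'gadget', 'missing', 'dosomethingreallybadhere', 'bad~slug', "x' OR '1'='1"];
foreach ($samples as $segment) {
    echo $segment, ' => ', loadthis($db, $segment), PHP_EOL;
}
```

Running this shows that `dosomethingreallybadhere` from the scenario URL passes both checks and simply yields no row: the whitelist decides which characters can reach the controller at all, while the parameter binding and the output encoding are what decide whether any value that does get through can do harm.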