6

I have an encrypted, base64 encoded array that I need to put into a URL and insert into emails we send to clients to enable them to be identified (uniquely) - the problem is that base64_encode() often appends an = symbol or two after its string of characters, which by default is disallowed by CI.

Here's an example: http://example.com/cec/pay_invoice/VXpkUmJnMWxYRFZWTEZSd0RXZFRaMVZnQWowR2N3TTdEVzRDZGdCbkQycFFaZ0JpQmd4V09RRmdWbkVMYXdZbUJ6OEdZQVJ1QlNJTU9Bb3RWenNFSmxaaFVXcFZaMXQxQXpWV1BRQThVVEpUT0ZFZ0RRbGNabFV6VkNFTlpsTWxWV29DTmdackEzQU5Nd0lpQURNUGNGQS9BRFlHWTFacUFTWldOZ3M5QmpRSGJBWTlCREVGWkF4V0NtQlhiZ1IzVm1CUk9sVm5XMllEWlZaaEFHeFJZMU51VVdNTmJsdzNWVzlVT0EwZw==

Now I understand I can allow the = sign in config.php, but I don't fully understand the security implications of doing so (it must have been disabled for a reason, right?).

Does anyone know why it might be a bad idea to allow the = symbol in URLs?

Thanks! John.

2
  • * Yes, it really is encrypted as well as encoded. Commented Jul 1, 2011 at 3:47
  • CI doesn't allow '=' if you use segments. If you enable query strings, '=' will be perfectly legal (of course). Commented Jul 1, 2011 at 5:25

4 Answers

19

Not sure why = is disallowed, but you could also leave off the equals signs.

$base_64 = base64_encode($data);
$url_param = rtrim($base_64, '=');
// and later:
// restore the padding so the length is a multiple of 4 again
$base_64 = $url_param . str_repeat('=', (4 - strlen($url_param) % 4) % 4);
$data = base64_decode($base_64);

The base64 spec only allows = signs at the end of the string, and they are used purely as padding; there is no chance of data loss.

Edit: It's possible that it doesn't allow this as a compatibility option. There's no reason that I can think of from a security perspective, but there's a possibility that it may mess with query string parsing somewhere in the tool chain.
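
Added example, not part of the original answer: standard base64 output can also contain + and /, so this goes one step beyond stripping = and uses the base64url alphabet (RFC 4648 section 5), restoring the padding and decoding strictly on the way back. The function names and the sample bytes are constructed for illustration.

```php
<?php
// Added example: function names are hypothetical, sample input is constructed.

/** Encode raw bytes as unpadded base64url (RFC 4648 section 5). */
function base64url_encode(string $bytes): string
{
    // '+' -> '-' and '/' -> '_' so the token never contains a path separator,
    // then drop the '=' padding, which carries no data.
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** Decode an unpadded base64url token; returns null on malformed input. */
function base64url_decode(string $token): ?string
{
    // Reject anything outside the base64url alphabet before decoding.
    if ($token === '' || !preg_match('/^[A-Za-z0-9_-]+$/D', $token)) {
        return null;
    }
    // A length of 1 mod 4 can never be produced by a base64 encoder.
    $rem = strlen($token) % 4;
    if ($rem === 1) {
        return null;
    }
    // Restore padding: 2 leftover chars need "==", 3 need "=", 0 need none.
    $padded = strtr($token, '-_', '+/') . str_repeat('=', (4 - $rem) % 4);
    // Strict mode returns false instead of silently skipping bad characters.
    $bytes = base64_decode($padded, true);
    return $bytes === false ? null : $bytes;
}

// Constructed sample: bytes chosen so standard base64 contains '+', '/' and '='.
$raw   = "\xfb\xff\xbe\x01";
$token = base64url_encode($raw);

var_dump(base64_encode($raw));                // standard form, for comparison
var_dump($token);                             // URL-segment-safe form
var_dump(base64url_decode($token) === $raw);  // round trip
var_dump(base64url_decode('abc=='));          // padded input is rejected
var_dump(base64url_decode('a'));              // impossible length is rejected
```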


3

Please add the character "=" to $config['permitted_uri_chars'] in your config.php file. You can find that file in the application/config folder.


2

Originally, there are no harmful characters in the URL at all. But there are inexperienced developers or badly written software that help some characters become evil.

As for = - I don't see any issues with using it in URLs.


1

Instead of updating the config file, you can use the native PHP functions urlencode and urldecode.

$str = base64_encode('test');
$url_to_be_send = urlencode($str);
// send it via URL

// now on the receiving side

// assuming the value passed via GET is stored in $encoded_str

$decoded_str = base64_decode(urldecode($encoded_str));
