Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Uri parameter containing dots
  • Hi today I have faced a big problem with the Uri segments, which is when I pass the parameters to my controller's action like this "controller/param./param2." the dots are being removed I have tried to set 'strip_extension' => false, 'case_sensitive' => false, but nothing happens. I need to pass params that may contain dots as my DB::query() will have to match it with existing data.
  • I'm not quite sure I understand what you want to achieve and how you are trying to achieve this (are you using a route in routes.php?)

    But I assume you're problem lies elsewhere: it's a problem in the operating system. Whenever there is a dot in the last segment of a path, it is assumed to delimit the filename from the file extension. This means that it actually is your webserver that parses the URI such that it assumes "param" to be the filename and "" (empty string) to be the extension because "param." gets split into ("param" and "").
    Thus, the only way you can deal with this is to get the file extension requested in the URI with the \Input::extension() method.
  • sorry for the bad introduction of the problem, but this is what im trying to do, as you know the URI mvc structure is "/controller/action/param/", so i get the data from the DB which contains an attribute "Name" which also may have a value that ends with a dot (e.g: framework fuelphp.), after i recieve this data i loop through it and write some html anchors that contains the "Name" as a parameter, the moment I go to my recieving "controller/action" i write a "die(var_dump($name))" to find that the name is missing a dot in the end, so my search query will no find the exact row i need by name as it is missing a dot.
  • philipptempelphilipptempel
    Accepted Answer
    Have you ever wondered, why some URLs contain a "%20"? That's because a " " (white space) is treated specially in URIs (just like a + or & or alike).

    So, I think you are assuming that URLs (or URIs for that matter) can contain any character that you would normally use in, let's say, a text document. But that is not the case. As we know, the / (forward slash) is a special URI character which does something like creating a hierarchy. Similarly, the : (colon) is a special character in a URI, too. Since we don't want to continue to elaborate on this list, we conclude that . (the dot) is as well a special character in a URI. For more info on the special characters see
    http://www.w3schools.com/tags/ref_urlencode.asp

    It will most likely never work that you get the dot into your parameter as it is interpreted by apache or nginx (or whatever webserver you are using) as the delimiter between file name and file extension (as described earlier). What you will need to do is escape the dot-character in your URI and make it a "%2E" (without the quotes) and then you will most likely have it in your method params.
  • alright i will try this out, I have also read that it may be caused by a rewriterule condition in .htaccess, anyways will try and convert special characters to ASCII, thanks
  • as you can see the $_GET works fine and show the dot and not as a special URL char.
  • Ah well, I see that it may be caused by mod_rewrite and its rules as the example you provided is using $_GET. Maybe if you fiddled with your rewrite rules it could work but I'm not so sure. I assume the problem is caused before Fuel is even launched by the webserver i.e., before it reaches the index.php such that either the webserver itself assumes a file.ext type or its the rewrite rule.
    Unfortunately, I'm a beginner or amateur when it comes to dealing with apache and configuring mod_rewrite properly. Maybe Harro can help here. And if it's urgent just head over to IRC and ping the folks there.
  • You can't have a dot in the last segment of the URI, there is no way to determine whether the part on the right side of the dot is part of the URI or the extension.

    So:

    "/controller/method/param.part/param" should work fine as a URI, "/controller/method/param.part" will be stripped to "/controller/method/param" and the extension will be set to "part".

    You use "controller/param./param2.", but the second part of the URI is the action method, and you can't have a dot in a method name?
  • Did some tests.

    You can't have URI segments with a trailing dot, they are stripped by the clean_uri() method of the Security class. It does that to deal with hacking attempts like "/some/link/../../../passwd", but perhaps it can be optimized.

    That will require some careful thought, we don't want to introduce a security risk...
  • Interesting: this behavior was introduced here: https://github.com/fuel/core/commit/b83b52addc823fc5cf3a08992d1d7bd8a92e84cc

    and you're the first one in 5 years to bump into it... ;-)
  • lol I live a daily fuelphp life and using all its classes, functions and solutions so I may counter lot in the future, what I think is not to change the URI's behavior but to have another security option where we can get the full input and strip it if we want or not, dunno how to explain but it's more like to give a free security control for the developer to play with passed parameters as he want.
  • HarroHarro
    Accepted Answer
    The revert of the change from 2011 means that now only directory traversal is still blocked.

    And I think that is a security feature that should not be optional.
  • so then the only solution is to convert the point to ascii 
  • Huh?

    No, the solution is upgrade your code, or backport the fix.

    In Fuel, URI segments are used to pass data to the controller, and data should not be tampered with, so I would even argue (and I'm doing so on github) this check can be removed completely.
  • anyways sorry for my english, and my code has nothing bad dude and i won't backport the fix from github all i will do is tricking it, i will replace the last dot with an underscore and in my controller action i will re-back it as it was with the dot. thanks anyway
  • What if your parameters contains an valid underscore? Then you will loose it as it will be replaced by a dot in your code.

  • i will use the regex to replace only the last dot as it is the problem, middle dots or dots in the beginning of my parameter works fine so only the last instance of my parameter which gets removed if it is a dot

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion