
We are using a Microsoft Dynamics NAV SOAP webservice to fetch some product information for a webshop. To fetch it we'll send along parameters such as Brand, Type and Modelnumber.

These parameters vary a lot in characters; the strings could look like these:

Modelnumbers: DSM 9510 XA+ 3709 / VITALITY 002.228.31 HÖGVÅRDIG

The user has to choose Brand, Type and Modelnumber from dynamically generated selects. In jQuery we then grab the values, string-replace the characters which are not permitted in CodeIgniter URIs, and then urlencode it before sending it along. Like this:

    // Read the chosen model from the select; fab, type and produktnummer
    // are read from the other selects in the same way.
    var model            = $("select#model").val();
    // "/" would otherwise be treated as a URI segment separator
    model                = model.replace(/\//g, '_');
    // percent-encode the remaining characters (spaces, "+", non-ASCII, ...)
    model                = encodeURIComponent(model);

    // brand / type / model / product number become the URI segments
    var url              = fab + '/' + type + '/'  + model + '/'  + produktnummer;
    window.location.href = "categories/" + url;

Then in the categories controller in CodeIgniter we string-replace the forbidden characters back to the original, and then do rawurldecode($model) on each parameter.

We now have the needed strings to send to the SOAP Webservice in order to get back the correct results. In our Categories controller we would do (simplified):

    // Segments arrive in the same order they were placed in the URI
    public function index($brand, $type, $model, $productnr = NULL)
    {
        // undo the client-side replacement, then the percent-encoding
        $model      = str_replace('_', '/', $model);
        $model      = rawurldecode($model);
        $categories = $this->fetch->get_categories($brand, $type, $model, $productnr);
    }

In the fetch model we use an NTLMSoapClient to connect to the Dynamics NAV webservice, as explained in this blog post:

http://blogs.msdn.com/b/freddyk/archive/2010/01/19/connecting-to-nav-web-services-from-php.aspx

Will the SoapClient handle the escaping upon sending requests?

This is perhaps not the most clever solution, but we can't think of any other way of doing this, since we need these URIs in order to make some kind of sitemap. So the question is:

Is there a better and more secure way of achieving this, working with these obscure strings in our application?

A little extra information about the shop:

For the webshop, we have extended the CodeIgniter cart and do not process any payments on the site, but use a 3rd-party payment gateway to handle that. We just store the temporary order with shipping address as serialized data in the db, and after a successful callback from the payment gateway we flag the order as paid and send the order information to the Dynamics NAV webservice, where the "real" order will get processed. The webshop is on HTTPS. Users can have accounts to view their orders; the orders are also fetched from the webservice, and not from the db. We use Ion Auth for authentication in CodeIgniter (http://benedmunds.com/ion_auth/).

I will be happy to elaborate anything, if something is unclear. Thank you!

Alex Peck
nielsstampe
  • 1. are you sure you need to `rawurldecode`? I don't know much about CodeIgniter but in general I would expect a path-to-variable mapper to deal with %-decoding for you (not least because in many circumstances the web server itself will have already done that step - albeit unreliably for Unicode characters in some cases like on Windows). Also it seems like you should be `encodeURIComponent`ing every component in the URL path, not just the model. – bobince Apr 26 '13 at 13:31
  • 2. Where's the code you're using to talk to the SOAP service? It looks to me like with NAV you have to put the parameter string back into another path, which would mean calling `rawurlencode` on each one. I don't know where `htmlentities` would come in - you wouldn't normally be creating any kind of HTML to talk to a SOAP service. (In general `htmlspecialchars` is preferable, and that would happen to work for XML as well as HTML since it only produces XML-compatible escapes.) – bobince Apr 26 '13 at 13:31
  • If for an input path of `http:.../x/a%20b` CI is passing a string parameter `a%20b` to your function rather than `a b` I would regard that as a bug. As for appropriate encoding of data to be sent via `SOAPClient`, `SOAPClient` itself should cope with that - you should not have to do any manual escaping as you are not building the XML yourself. – bobince Apr 26 '13 at 14:21
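The scheme in the question is not reversible: the server turns every `_` back into `/`, so a model number that itself contains an underscore cannot be recovered, and, as bobince notes above, the server may already have percent-decoded the segment before `rawurldecode` runs on it a second time. The following is an added example, not code from the question or from CodeIgniter: a self-delimiting per-segment encoding that uses only characters assumed to be in CodeIgniter's permitted URI set (alphanumerics, `.`, `-` and `~`; the default `permitted_uri_chars` allows them, but verify your config). Because the encoded segment never contains `%` or `/`, neither the web server nor the framework decodes it; only the application's own decoder does, and that decoder rejects anything the encoder could not have produced. The question's `_`/percent scheme is reproduced beside it to show where it loses information. The sample model numbers are the ones from the question plus one constructed value.

```javascript
// Added example (not from the question): a reversible, self-delimiting encoding
// for one URI path segment. Every byte outside [A-Za-z0-9.-] becomes "~" plus
// two lowercase hex digits of its UTF-8 value. The web server and CodeIgniter
// never see "%" or "/" inside the segment, so nobody but our decoder touches it.
// Assumption: "~", ".", "-" and alphanumerics are in permitted_uri_chars.

const SAFE = /^[A-Za-z0-9.-]$/;

function encodeSegment(value) {
  const bytes = new TextEncoder().encode(value);   // UTF-8 bytes of the string
  let out = '';
  for (const b of bytes) {
    const ch = String.fromCharCode(b);
    if (b < 0x80 && SAFE.test(ch)) {
      out += ch;
    } else {
      out += '~' + b.toString(16).padStart(2, '0');
    }
  }
  return out;
}

// Inverse of encodeSegment. Anything the encoder could not have emitted
// (a bare "%", a "/", a malformed "~xx") is rejected instead of guessed at.
function decodeSegment(segment) {
  const bytes = [];
  for (let i = 0; i < segment.length; i++) {
    const ch = segment[i];
    if (ch === '~') {
      const hex = segment.slice(i + 1, i + 3);
      if (!/^[0-9a-f]{2}$/.test(hex)) {
        throw new Error('malformed escape at offset ' + i);
      }
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else if (SAFE.test(ch)) {
      bytes.push(ch.charCodeAt(0));
    } else {
      throw new Error('character not allowed in segment: ' + JSON.stringify(ch));
    }
  }
  // fatal: true makes invalid UTF-8 throw rather than silently become U+FFFD
  return new TextDecoder('utf-8', { fatal: true }).decode(Uint8Array.from(bytes));
}

// The question's scheme, reproduced for comparison: "/" -> "_" then
// percent-encode on the client; "_" -> "/" then rawurldecode on the server
// (decodeURIComponent plays the role of rawurldecode here).
function lossyEncode(value) {
  return encodeURIComponent(value.replace(/\//g, '_'));
}
function lossyDecode(segment) {
  return decodeURIComponent(segment.replace(/_/g, '/'));
}

// Build the categories URL as the question does, but with every segment
// encoded, not only the model (hypothetical brand/type/product values).
function categoriesUrl(brand, type, model, productnr) {
  return 'categories/' + [brand, type, model, productnr].map(encodeSegment).join('/');
}

function roundTrips(enc, dec, value) {
  return dec(enc(value)) === value;
}

// Two model numbers from the question plus one constructed value that
// contains both "/" and "_", where the original scheme loses information.
const SAMPLES = ['DSM 9510 XA+ 3709', 'VITALITY 002.228.31 HÖGVÅRDIG', 'AB_12/3'];

for (const m of SAMPLES) {
  console.log(encodeSegment(m),
              'reversible:', roundTrips(encodeSegment, decodeSegment, m),
              'question scheme:', roundTrips(lossyEncode, lossyDecode, m));
}
console.log(categoriesUrl('Bosch', 'Washer', SAMPLES[0], '1234'));
```

The PHP controller then needs the mirror of `decodeSegment` (turn each `~xx` back into a byte and reject any other non-safe character) and stops calling `str_replace` and `rawurldecode` on the segments; the sitemap emits the same `encodeSegment` output. The escaping question for the SOAP call is a separate matter: as bobince says in the comments, the decoded string is handed to `SoapClient` as a parameter value and the client builds and escapes the XML envelope itself, so no `htmlspecialchars` or similar belongs in the controller.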
