6

I have an encrypted, base64 encoded array that I need to put into a url and insert into emails we send to clients to enable them to be identified (uniquely) - the problem is that base64_encode() often appends an = symbol or two after its string of characters, which by default is disallowed by CI.

Here's an example: http://example.com/cec/pay_invoice/VXpkUmJnMWxYRFZWTEZSd0RXZFRaMVZnQWowR2N3TTdEVzRDZGdCbkQycFFaZ0JpQmd4V09RRmdWbkVMYXdZbUJ6OEdZQVJ1QlNJTU9Bb3RWenNFSmxaaFVXcFZaMXQxQXpWV1BRQThVVEpUT0ZFZ0RRbGNabFV6VkNFTlpsTWxWV29DTmdackEzQU5Nd0lpQURNUGNGQS9BRFlHWTFacUFTWldOZ3M5QmpRSGJBWTlCREVGWkF4V0NtQlhiZ1IzVm1CUk9sVm5XMllEWlZaaEFHeFJZMU51VVdNTmJsdzNWVzlVT0EwZw==

Now I understand I can allow the = sign in config.php, but I don't fully understand the security implications in doing so (it must have been disabled for a reason right?)

Does anyone know why it might be a bad idea to allow the = symbol in URLs?

Thanks! John.

John Hunt

4 Answers

19

Not sure why = is disallowed, but you could also leave off the equals signs.

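$base_64 = base64_encode($data);
// Strip the trailing '=' padding before putting the value in the URL.
$url_param = rtrim($base_64, '=');
// and later:
// Restore the padding so the length is a multiple of 4 again.
$base_64 = $url_param . str_repeat('=', (4 - strlen($url_param) % 4) % 4);
$data = base64_decode($base_64);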

The base64 spec only allows = signs at the end of the string, and they are used purely as padding; there is no chance of data loss.

Edit: It's possible that it doesn't allow this as a compatibility option. There's no reason that I can think of from a security perspective, but there's a possibility that it may mess with query string parsing somewhere in the tool chain.

Matthew Scharley
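
An added example, not part of the original answer or of CodeIgniter: one way to carry the same token in a URI segment is the URL-safe base64 alphabet of RFC 4648 with padding stripped on encode and restored on decode, so neither `=` nor `+` and `/` appears in the URL. The function names `base64url_encode` and `base64url_decode` and the sample payloads are hypothetical, constructed for illustration.

```php
<?php
// Added example: URL-safe base64 (RFC 4648 section 5) for a token in a URI segment.
// Function names and sample payloads are hypothetical, constructed for illustration.

function base64url_encode(string $bytes): string
{
    // Swap '+' and '/' for '-' and '_', then drop the trailing '=' padding.
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function base64url_decode(string $segment): ?string
{
    // Refuse anything outside the base64url alphabet before decoding.
    if ($segment === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $segment)) {
        return null;
    }
    // Base64 never produces a length of 1 modulo 4, so such input is malformed.
    if (strlen($segment) % 4 === 1) {
        return null;
    }
    // Restore padding: (4 - len % 4) % 4 yields 0, 2 or 1 '=' characters.
    $padded = $segment . str_repeat('=', (4 - strlen($segment) % 4) % 4);
    // Strict mode makes base64_decode() return false on invalid input.
    $bytes = base64_decode(strtr($padded, '-_', '+/'), true);
    return $bytes === false ? null : $bytes;
}

// Constructed samples, including bytes whose plain base64 contains '+', '/' and '='.
foreach (["\xfb\xff", "\xfb\xff\xfe", "invoice:1042", "a"] as $payload) {
    $segment = base64url_encode($payload);
    $roundTrip = base64url_decode($segment);
    printf("%-26s -> %-18s %s\n", bin2hex($payload), $segment,
        $roundTrip === $payload ? 'round-trip ok' : 'MISMATCH');
}

// Malformed segments are refused instead of being silently decoded.
var_dump(base64url_decode('abc=def')); // '=' is outside the alphabet
var_dump(base64url_decode('abcde'));   // length is 1 modulo 4
```
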
3

Please add the character "=" to $config['permitted_uri_chars'] in your config.php file. You can find that file in the application/config folder.

Ali Raza
2

Originally there are no harmful characters in the URL at all. But there are inexperienced developers or badly written software that help some characters become evil.

As for = - I don't see any issues with using it in URLs.

zerkms
1

Instead of updating the config file, you can use the native PHP urlencode and urldecode functions.

$str = base64_encode('test');
$url_to_be_send = urlencode($str);
// send it via the URL

// now on the receiving side

// assuming the value passed via GET is stored in $encoded_str

$decoded_str = base64_decode(urldecode($encoded_str));
hari_om