#1
    A Change of Season
    Devshed Expert (3500 - 3999 posts)
    Join Date: Mar 2004 | Location: Next Door | Posts: 3,558 | Rep Power: 221

    Is it not safe to pass email in the url?


    Hi;

    I see big sites like ClickBank pass raw email address in the address bar.

    1 - How come Codeigniter considers that as disallowed character?

    2 - Is there something wrong in what ClickBank is doing?

    3 - This is how CI stops allowing @
    PHP Code:
    $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
    Can I do this:
    PHP Code:
    $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-@';
    Thanks
    Last edited by English Breakfast Tea; December 17th, 2016 at 07:44 PM.
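An added illustration of what the whitelist in post #1 does (example code, not CodeIgniter's own; it assumes CI applies the config string as a regex character class to each URI segment, and the address used is a constructed sample):

```python
import re
from urllib.parse import quote, unquote

# Hypothetical stand-in for CodeIgniter's permitted_uri_chars filter (added
# example, not CI's code): the config string is used as the body of a regex
# character class and every URI segment must match it, case-insensitively.
ORIGINAL_CHARS = r"a-z 0-9~%.:_\-"     # CI default quoted in post #1
WIDENED_CHARS = r"a-z 0-9~%.:_\-@"     # the change the poster asks about


def segment_permitted(segment: str, permitted: str) -> bool:
    """True if every character of `segment` is inside the permitted class."""
    if segment == "":
        return True  # nothing to filter in an empty segment
    return re.fullmatch("[" + permitted + "]+", segment, re.IGNORECASE) is not None


def rejected_segments(path: str, permitted: str) -> list:
    """Return the path segments the whitelist would reject, in order."""
    return [s for s in path.split("/") if not segment_permitted(s, permitted)]


def encode_email_segment(email: str) -> str:
    """Percent-encode an email address for use as one path segment.

    safe="" makes quote() encode '@' (and '+') as well, so the result contains
    only letters, digits, '.', '_', '-', '~' and '%', all already in the
    original whitelist. Whether CI decodes before or after filtering is not
    asserted here; this only shows the widened list is not the sole option.
    """
    return quote(email, safe="")


def decode_email_segment(segment: str) -> str:
    """Inverse of encode_email_segment, for the receiving controller."""
    return unquote(segment)


if __name__ == "__main__":
    # Constructed sample address. Whatever passes the filter still lands in
    # access logs, browser history and Referer headers, which is the thread's
    # real concern about putting addresses in GET URLs.
    email = "first.last+tag@example.com"
    for chars, label in ((ORIGINAL_CHARS, "original"), (WIDENED_CHARS, "widened")):
        print(label, "rejects:", rejected_segments("/confirm/" + email, chars))
    print("encoded:", encode_email_segment(email))
```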
#2
    Code Monkey V. 0.9
    Devshed Regular (2000 - 2499 posts)
    Join Date: Mar 2005 | Location: A Land Down Under | Posts: 2,472 | Rep Power: 2105
    There are some instances where a @ can indicate a username/password being included in the URL, which was a bit of an old-school way of letting people log into a site without actually logging in.

    Unless it's in the right spot I don't think that it's inherently insecure, but unless there's a good reason for sending it like that I wouldn't.
#3
    Backwards Moderator
    Devshed Supreme Being (6500+ posts)
    Join Date: Mar 2007 | Location: Washington, USA | Posts: 16,915 | Rep Power: 9646
    If you put emails in the URL then make sure you're using HTTPS so they can't be sniffed. Otherwise I feel the same as Catacaustic: it's not inherently bad, just don't do anything stupid.
#4
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Dec 2016 | Location: Lakewood, WA | Posts: 238 | Rep Power: 64
    What about POST vs GET?
#5
    Backwards Moderator
    Devshed Supreme Being (6500+ posts)
    Join Date: Mar 2007 | Location: Washington, USA | Posts: 16,915 | Rep Power: 9646
    With POST someone would have to be sniffing traffic (which HTTPS defeats) while GET only requires access to URLs (which HTTPS helps with but doesn't outright prevent).

    I would let normal POST vs. GET rules apply there too: POST if the page will perform some sort of modification action, GET if the page is read-only, with the occasional exception or edge case.
#6
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Aug 2006 | Posts: 3 | Rep Power: 0
    Regardless of protocol, be clear that https encrypts the content of your response not the url. If the url were encrypted, then DNS servers would never know how to route it.

    Pasting email contents in a URL is a really, really bad idea:

    1. Email contents are intended for a recipient only. I've just reset my password on Devshed and they emailed me a new password. If that was pasted in a URL, that password would not be too secure.
    There's zero need to paste that in a GET. It's like the US Postal Service delivering mail by first, opening every letter and pasting them to the side of their delivery trucks.

    2. You want to avoid long, complicated URLs. If you have HTML in your emails, that would definitely blow up a GET-encoded URL. If it's being sent to a browser, count on it possibly being rejected, as some browsers are set to prevent this. I'm not sure who ClickBank is, but a decision like this baffles the imagination.
#7
    Backwards Moderator
    Devshed Supreme Being (6500+ posts)
    Join Date: Mar 2007 | Location: Washington, USA | Posts: 16,915 | Rep Power: 9646
    Originally Posted by eggmatters
    Regardless of protocol, be clear that https encrypts the content of your response not the url. If the url were encrypted, then DNS servers would never know how to route it.
    Actually it does encrypt the URL. Well, most of it: the domain name is what goes through DNS, and sniffing traffic can also expose the domain name during the HTTPS request due to SNI, but the rest of the URL (path and query string) are part of the encrypted traffic.
