raku Posted June 3, 2008

Hey, I am trying to allow users to enter links into an input box from the URL, for example: http://example.com/?url=http://google.com

But, when these URLs have spaces in them, they are shown in the input box as "http://test.com/test test" instead of "http://test.com/test%20test". I have used htmlentities and strip_tags to make sure their inputs are safe, but how can I keep the special characters from being converted (like %20 to space)? Thanks!
dezkit Posted June 3, 2008

post yo code foo!
raku Posted June 3, 2008

Sure thing.

```php
<?php
// take the url parameter (empty string if it is missing)
$url = isset($_GET['url']) ? $_GET['url'] : '';
$url = strip_tags($url);
$url = htmlentities($url);
...
?>
<input name="url" type="text" value="<?php echo $url; ?>">
```
raku Posted June 3, 2008

Any ideas?
discomatt Posted June 3, 2008

Try urlencode
raku Posted June 3, 2008

That converts "http://" as well. Should I trim it off before using urlencode, then add it back on?

Also, if I'm adding this into a database and displaying it to other users, do I need to do anything more than htmlentities, strip_tags, and mysql_real_escape_string? There are some other text field inputs as well that I'm using those functions for. Thanks.
discomatt Posted June 3, 2008

You shouldn't need strip_tags if you're using htmlentities.
raku Posted June 3, 2008

Thanks! Could you please reply to my urlencode question? Should I trim off the "http://" before using the function?

Also, users can add descriptions or comments for the URLs. Is it okay to only apply strip_tags to them, or do I need to use htmlentities as well? I'm guessing that I should use htmlentities if they are carried in the link as a variable.
thebadbad Posted June 3, 2008

urlencode() should only be used for the query string part of a URL, but yes, you should be able to split the URL into two parts, and then use it:

```php
<?php
$url = 'http://test.com/test test';
$parts = explode('/', $url);               // split on every slash
$end = urlencode(array_pop($parts));       // encode only the last part
$url = implode('/', $parts) . '/' . $end;  // put the URL back together
echo $url; // http://test.com/test+test
?>
```

This will only encode the string after the last slash. Not sure it's what you're looking for..
raku Posted June 3, 2008

Awesome, thanks so much! Could you please comment on htmlentities and strip_tags? If I'm accepting content through the URL like that, should I use both functions in addition to mysql_real_escape_string when I enter it into my database? I also output it to users at times, and would like it to look appropriate while being safe. Thanks again!

Edit: That script doesn't work in some situations: If the URL is http://test.com/test%20test, it modifies it, but I think it's fine the way it is. They are entering URLs from websites that exist, and lots of times they put the title in the html name like: http://example.com/blog/php%20is%20awesome.html

Also, it doesn't work on variables on the end of the string or if there are multiple slashes.
thebadbad Posted June 3, 2008

Yeah I know, my code isn't too much use. It's a bit tricky to retrieve a URL through $_GET. What if the URL contained an ampersand? It would break.
discomatt Posted June 3, 2008

Check out parse_url http://php.net/parse_url

> Yeah I know, my code isn't too much use. It's a bit tricky to retrieve a URL through $_GET. What if the URL contained an ampersand? It would break.

That's what urlencode is for
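An added example (not thebadbad's or discomatt's code) that takes the parse_url() suggestion further and addresses the cases raku listed: it encodes every path segment rather than only the last one, does not double-encode a URL that already contains %20, and rebuilds the query string so its & and = separators survive. The function name normalizeUrl and the sample URLs are assumptions; it needs PHP 7.4 or later for the arrow function.

```php
<?php
// Added example: encode a URL piece by piece so "http://" is untouched,
// each path segment is percent-encoded, and query parameters keep their
// separators. normalizeUrl() and the sample URLs are assumptions.
function normalizeUrl(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null; // not an absolute URL; the caller decides what to do
    }

    // Decode then re-encode each segment, so "test test" and "test%20test"
    // both come out as "test%20test". rawurlencode() uses %20 rather than
    // the "+" that urlencode() produces, which is what a path needs.
    $path = '';
    if (isset($p['path'])) {
        $path = implode('/', array_map(
            fn(string $s): string => rawurlencode(rawurldecode($s)),
            explode('/', $p['path'])
        ));
    }

    // Query string: split into pairs, decode them, and rebuild with
    // http_build_query() so & and = between parameters are preserved.
    $query = '';
    if (isset($p['query'])) {
        parse_str($p['query'], $pairs);
        $query = '?' . http_build_query($pairs, '', '&', PHP_QUERY_RFC3986);
    }

    $port = isset($p['port']) ? ':' . $p['port'] : '';
    $fragment = isset($p['fragment'])
        ? '#' . rawurlencode(rawurldecode($p['fragment']))
        : '';

    return $p['scheme'] . '://' . $p['host'] . $port . $path . $query . $fragment;
}

// Constructed sample inputs covering the cases raised in the thread.
$samples = [
    'http://test.com/test test',                     // space in the path
    'http://test.com/test%20test',                   // already encoded
    'http://example.com/blog/php is awesome.html',   // several slashes
    'http://www.google.com/search?hl=en&q=test test', // query parameters
];
foreach ($samples as $s) {
    echo normalizeUrl($s), "\n";
}
```

The first two samples both come out as http://test.com/test%20test, the blog URL becomes http://example.com/blog/php%20is%20awesome.html, and the search URL keeps hl=en and q=test%20test as two separate parameters. Note that parse_str() rewrites dots and spaces in parameter names to underscores, so a query with such keys would not round-trip exactly.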
thebadbad Posted June 3, 2008

In this example, urlencode() won't help, since the URL is broken the moment ENTER is hit. If a user writes "http://example.com/?url=http://www.google.com/search?hl=en&q=test" it gets messy.

Solution: Don't offer the ability to fill out the input field through the query string.
raku Posted June 3, 2008

Thanks for your help guys. I think the solution is to require users to enter an encoded url, otherwise the input boxes won't be filled out properly. It seems to work when the url is entered like: http://example.com/testing?url=http%3A%2F%2Fwww%2Esample%2Ecom%2Fblogs%2F

For security would I need to use anything more than strip_tags and escaping on the URL string?
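An added example (not raku's or thebadbad's code) that shows why the original question and the ampersand problem are the same issue: PHP percent-decodes the query string once while filling $_GET, so a space or an & inside the inner URL is gone before the script runs, and the only fix is for whoever builds the link to encode the inner URL as a single value. parse_str() performs the same decoding, so it stands in for the request handler here; receive() and the example.com link are assumptions.

```php
<?php
// Added example: where PHP decodes the query string, and why the inner URL
// must be urlencode()d by the side that builds the link. receive() and the
// example.com link are assumptions; parse_str() mirrors how $_GET is filled.
function receive(string $outerQuery): array
{
    parse_str($outerQuery, $params);
    return $params;
}

// 1. Spaces: %20 is decoded before the script sees it, so htmlentities()
//    is handed a plain space and, correctly, leaves it alone. Nothing in
//    the handler can recover the original %20.
$got = receive('url=http://test.com/test%20test');
var_dump($got['url']);
var_dump(htmlentities($got['url']));

// 2. Ampersands: without encoding, the target's own "?" and "&" are read
//    as separators of the outer query string, so the url value stops at
//    "hl=en" and "q=test" arrives as a separate parameter.
$target = 'http://www.google.com/search?hl=en&q=test';
print_r(receive('url=' . $target));

// 3. Building the link correctly: urlencode() the whole target as one value.
//    PHP decodes it exactly once on arrival, so the handler gets the full
//    URL back and needs no urldecode() call of its own.
$link = 'http://example.com/testing?url=' . urlencode($target);
echo $link, "\n";
print_r(receive(parse_url($link, PHP_URL_QUERY)));
```

Step 1 prints a value containing a literal space both before and after htmlentities(); step 2 prints an array whose url entry ends at hl=en alongside a stray q entry; step 3 prints the link with the target encoded and then an array with the complete target under url.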
discomatt Posted June 3, 2008

I suggest htmlentities over strip_tags. If you're going to allow only SOME html, use something like http://htmlpurifier.org/

And yes, always use mysql_real_escape_string when inserting user data into a db.

Also, you can use urldecode to convert an encoded query string back to its original form.
thebadbad Posted June 3, 2008

Yes, that would work. As for the security, I'm really not sure how to handle it. If you want to serve the entered URL as a clickable working URL, it would have to be urldecode()'ed. Maybe urldecode() it, then strip_tags() it for potential urlencoded HTML, and then it's good to go? .. Too tired, gonna hit the bed now
raku Posted June 3, 2008

Thanks again. Without using urldecode(), the URL appears correctly in the input box. http%3A%2F%2Fwww%2Esample%2Ecom%2Fblogs%2F appears as http://www.sample.com/blogs/

I'm guessing I don't need urldecode? I don't allow any HTML in any of these fields, it's just URL and a comment. I'm using strip_tags to get rid of any formatting they might try and use, and htmlentities to try and prevent any other kind of malicious stuff.
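An added example (not raku's code, and not the project's) of the three-stage pattern the thread circles around: validate the URL once on input, store it unchanged using a prepared statement instead of mysql_real_escape_string, and escape for HTML only at the point of output. The links table, its columns and the function names are assumptions.

```php
<?php
// Added example: validate on input, store raw with bound parameters, escape
// on output. The links table, its columns and all function names are
// assumptions.
function validateUrl(string $raw): ?string
{
    $url = trim($raw);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    // Rejects strings that are not syntactically URLs (including ones with
    // raw spaces, which is consistent with requiring encoded input).
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Only web schemes are stored, so every saved value is an http(s) link.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

function saveLink(PDO $db, string $url, string $comment): void
{
    // Bound parameters replace manual escaping: the values never become
    // part of the SQL text, so no quoting step can be forgotten.
    $stmt = $db->prepare('INSERT INTO links (url, comment) VALUES (:url, :comment)');
    $stmt->execute([':url' => $url, ':comment' => $comment]);
}

function renderLink(string $url, string $comment): string
{
    // Escape for HTML here and nowhere else. strip_tags() is unnecessary
    // because nothing in the value is interpreted as markup.
    $u = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $c = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $u . '">' . $u . '</a> <span>' . $c . '</span>';
}

// Constructed inputs, as they arrive in $_GET / $_POST after PHP's decoding.
$url = validateUrl('http://www.sample.com/blogs/');
$comment = 'Nice <b>blog</b> & "quotes"';
if ($url !== null) {
    echo renderLink($url, $comment), "\n";
}
```

saveLink() needs a PDO connection to run; the rest executes on its own and prints the anchor with the comment's angle brackets, ampersand and quotes turned into entities, so the text is displayed as typed rather than rendered as HTML.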
thebadbad Posted June 4, 2008

Oh, of course it does, I forgot. You won't need urldecode then.