URLs in Input Boxes

[raku]

Hey,

 

I am trying to allow users to enter links into an input box from the URL, for example: http://example.com/?url=http://google.com

 

But, when these URLs have spaces in them, they are shown in the input box as "http://test.com/test test" instead of "http://test.com/test%20test".

 

I have used htmlentities and strip_tags to make sure their inputs are safe, but how can I keep the special characters from being converted (like %20 to space)?

 

Thanks!

[dezkit]

post yo code foo!

[raku]

Sure thing.

 

$url = $_GET['url'];
$url = strip_tags($url);
$url = htmlentities($url);

...

<input name="url" type="text" value="<? echo $url; ?>"></input>

[raku]

Any ideas?

[discomatt]

Try urlencode

[raku]

That converts "http://" as well. Should I trim it off before using urlencode, then add it back on?

 

Also, if I'm adding this into a database and displaying it to other users, do I need to do anything more than htmlentities, strip_tags, and mysql_real_escape_string? There are some other text field inputs as well that I'm using those functions for.

 

Thanks.

[discomatt]

You shouldn't need strip_tags if you're using htmlentities.

[raku]

Thanks!

 

Could you please reply to my urlencode question? Should I trim off the "http://" before using the function?

 

Also, users can add descriptions or comments for the URLs. Is it okay to only apply strip_tags to them, or do I need to use htmlentities as well? I'm guessing that I should use htmlentities if they are carried in the link as a variable.

 

[thebadbad]

urlencode() should only be used for the query string part of a URL, but yes, you should be able to split the URL into two parts, and then use it:

 

<?php
$url = 'http://test.com/test test';
$parts = explode('/', $url);
$end = urlencode(array_pop($parts));
$url = implode('/', $parts) . '/' . $end;
echo $url;
// http://test.com/test+test
?>

 

This will only encode the string after the last slash. Not sure it's what you're looking for..

[raku]

Awesome, thanks so much!

 

Could you please comment on htmlentities and strip_tags? If I'm accepting content through the URL like that, should I use both functions in addition to mysql_real_escape_string when I enter it in to my database? I also output it to users at times, and would like it to look appropriate while being safe.

 

Thanks again!

 

Edit:

That script doesn't work in a some situations:

If the URL is http://test.com/test%20test, it modifies it, but I think it's fine the way it is. They are entering URLs from websites that exist, and lots of times they put the title in the html name like.. http://example.com/blog/php%20is%20awesome.html

 

Also, it doesn't work on variables on the end of the string or if there are multiple slashes.

[thebadbad]

Yeah I know, my code isn't to much use

 

It's a bit tricky to retrieve a URL through $_GET. What if the URL contained an ampersand? It would break.

[discomatt]

Check out parse_url

 

http://php.net/parse_url

 

Yeah I know, my code isn't to much use

 

It's a bit tricky to retrieve a URL through $_GET. What if the URL contained an ampersand? It would break.

 

Thats what urlencode is for

[thebadbad]

In this example, urlencode() won't help, since the URL is broken the moment ENTER is hit. If a user writes "http://example.com/?url=http://www.google.com/search?hl=en&q=test" it gets messy.

 

Solution: Don't offer the ability to fill out the input field through the query string.

[raku]

Thanks for your help guys.

 

I think the solution is to require users to enter an encoded url, otherwise the input boxes won't be filled out properly. It seems to work when the url is entered like:

 

http://example.com/testing?url=http%3A%2F%2Fwww%2Esample%2Ecom%2Fblogs%2F

 

For security would I need to use anything more than strip_tags and escaping on the URL string?

[discomatt]

I suggest htmlentities over strip_tags. If you're going to allow only SOME html, use something like http://htmlpurifier.org/

 

And yes, always use mysql_real_escape_string when inserting user data int oa db.

 

Also, you can use urldecode to convert an encoded query string back to its original form.

[thebadbad]

Yes, that would work.

 

As for the security, I'm really not sure how to handle it. If you want to serve the entered URL as a clickable working URL, it would have to be urldecode()'ed. Maybe urldecode() it, then strip_tags() it for potential urlencoded HTML, and then it's good to go?

 

.. Too tired, gonna hit the bed now

[raku]

Thanks again.

 

Without using urldecode(), the URL appears correctly in the input box. http%3A%2F%2Fwww%2Esample%2Ecom%2Fblogs%2F appears as http://www.sample.com/blogs/

 

I'm guessing I don't need urldecode?

 

I don't allow any HTML in any of these fields, it's just URL and a comment. I'm using strip_tags to get rid of any formatting they might try and use, and htmlentities to try and prevent any other kind of malicious stuff.

[thebadbad]

Oh, of course it does, I forgot. You won't need urldecode then.