Jump to content

Turning text links to HTML links from PHP entries, what's the worst that can happen?


Recommended Posts

I created this interface which will someday evolve into a full fledged-project management system, I am aware that others exist. I'm building this as a I see fit, I have many projects myself and in the future would like to have others use it in collaboration.

Anyway, let's say I have a row and there is a link such as http://www.somesite.com and I wanted that to be echoed as a clickable link eg. place it in a

<a href="(place here)"></a>

.

 

What kind of risks would I encounter?

 

I bind_param everything that a person enters or queries in url.

 

People save text (var type text) in a row.

I'm not sure if I should "clean" these first. I'm not sure which to use escape or "shorten?"

 

From a brief article that I skimmed over I wasn't sure if the links would be kept in the same place they were saved in with regard to the database entry or if they are positioned elsewhere.

 

http://stackoverflow.com/questions/1188129/replace-urls-in-text-with-html-links

 

I'd appreciate any thoughts.

 

Thank you.

Edited by greenace92

Not sure what you are asking but the stackoverflow post you linked to in your post goes through exactly what you need to and provides code which parses urls within text into HTML links (see the first post by Austin Burk).

I was asking "What can happen" I realize I also may have asked how...

 

I am concerned regarding intentional bad user intent...

 

So if a person embedded a link which if clicked, executed some function... I suppose a target is always a risk as you would have to somehow know what the words mean or something... but I'm talking filtering.

 

For instance when processing a form, you usually do stuff like escape, or replace characters, etc... what similar rules apply to links?

Well, they can link to all sorts of things that are bad. Like websites infected with malware, downloads, phishing sites, etc. But as for your own site, as long as you only allow a legit http/https link and don't have any XSS vulnerabilities, you should be okay.

Edited by scootstah
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.