How to safely escape URL from user input to be used in file_get_contents?

Question

I have simple question. User supplies URL to my PHP script where I fetch the page from the URL and parse it and show some snippet to user. Now I want to sanitize or better escape the URL so it is safe for me to fetch it by using file_get_contents().

My simplified code looks like this:

$url = $_POST['url'];
$html = file_get_contents($url);

First thing what came to my mind is to use regex for catching evil URL, but I don't think it is efficient and better would be escape the whole URL. But what PHP function can I use for escaping URL for use in file_get_contents() function ?

"Escaping" is useless here. You're looking for *validation*. — deceze, Apr 11 '12 at 08:12

ThiefMaster · Accepted Answer · 2012-04-11T08:26:10.997

2

You could simply require the url to start with http:// or https://.

Luckily PHP is smart enough not to follow redirects to a file:// url.
However, it does follow redirects to ftp:// urls, so you better make sure your server cannot access any internal ftp servers without authentication.

edited Apr 11 '12 at 08:26

answered Apr 11 '12 at 08:11

ThiefMaster

310,957
84
592
636

2

That last statement should better be tested... :) – deceze Apr 11 '12 at 08:13
@ThiefMaster Could you please supply some reference links for your answer (e.g. PHP not following `file://`), please ? – Frodik Apr 11 '12 at 08:50

score 0 · Answer 2 · edited May 23 '17 at 12:04

0

And if you want to do regex, take a look here:

Stackoverflow: What is the best regular expression to check if a string is a valid URL?

edited May 23 '17 at 12:04

Community

1
1

answered Apr 11 '12 at 08:33

Gert Van de Ven

997
6
6

How to safely escape URL from user input to be used in file_get_contents?

2 Answers2