PHP escape special character in URL param

Question

I working out to remove special characters in passing parameters through an URL in case to avoid injection by intruders, for example I had the URL below:

www.sitename.com/people?job=manager

I added an alert script after the parameter like below:

www.sitename.com/people?job=manager"/><script>alert%2844749%29<%2fscript>

when I run the URL, the alert will popup, this might cause vulnerability in retrieve site information by this technique. I will use $_REQUEST to get the passing parameter to generate results. Is that any cure to escape URL injection techniques which I can apply to below?

$job = $_REQUEST["job"];

Thanks for advise.

Why does the alert pop up if you simply have this **in the URL**?! Are you outputting this as is into HTML? — deceze, Jun 29 '12 at 06:55

score 5 · Answer 1 · answered Nov 13 '18 at 15:09

5

You need to use htmlentities() or htmlspecialchars() with ENT_QUOTES parameter, on all your variable.

For example for $job :

$job = htmlentities($_REQUEST["job"], ENT_QUOTES);

Don't need to escape special characters in url params.

answered Nov 13 '18 at 15:09

Shrewk

81
1
2

score 1 · Answer 2 · edited May 23 '17 at 12:02

1

First of all don't use $_REQUEST and to protect against CSRF attacks you can either use html_entities() or strip_tags().

If you want certain tags to be allowed you can use HTML purifier.

edited May 23 '17 at 12:02

Community

1
1

answered Jun 29 '12 at 06:57

Shubham

21,300
18
66
89

score 0 · Answer 3 · edited Jul 06 '23 at 18:06

0

You can use strip_tags().

$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";
    
// Allow <p> and <a>.
echo strip_tags($text, '<p><a>');

You can use regular expressions too.

$data = preg_replace('/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi', '', $data);

edited Jul 06 '23 at 18:06

apaderno

28,547
16
75
90

answered Jun 29 '12 at 06:55

swapnesh

26,318
22
94
126

score 0 · Answer 4 · answered Jun 29 '12 at 06:56

0

Use htmlspecialchars to escape special html characters or strip_tags to remove all tags from the string.

answered Jun 29 '12 at 06:56

Aurimas Ličkus

9,886
4
24
26

score 0 · Answer 5 · answered Jun 29 '12 at 06:59

A URL like

www.sitename.com/people?job=manager"/><script>alert%2844749%29<%2fscript>

will not do anything harmful in and off itself.

A URL like this, any value like this, plainly output into HTML will of course cause HTML injection. Which is why you need to HTML escape it:

<?php $url = 'www.sitename.com/people?job=manager"/><script>alert%2844749%29<%2fscript>'; ?>

<a href="<?php echo htmlspecialchars($url, ENT_QUOTES); ?>">Click here</a>

score 0 · Answer 6 · answered Apr 14 '19 at 17:13

0

use urlencode function. Visit https://www.php.net/manual/en/function.urlencode.php for more info.

answered Apr 14 '19 at 17:13

zainul ogna

160
2
4

shaedrich · Answer 7 · 2021-04-12T15:36:58.317

0

Instead you can use the following code to directly filter your input:

$job = filter_input(INPUT_GET, 'job', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

edited Apr 12 '21 at 15:36

answered Apr 12 '21 at 15:31

shaedrich

5,457
3
26
42

PHP escape special character in URL param

7 Answers7

Linked