How do I get the URL from the address bar and try to sanitize it to prevent cross-site scripting?

For example in this link,

www.somesite.com/login/login.php 

how do I prevent it from

www.somesite.com/login/login.php/"><h2>This%20is%20our%20cookie<h2>         
<script>document.write%28document.cookie%29</script></h2>

Do I use $_SERVER to get the URL from the address bar? Then what should I use to sanitize the link?

Thank you.

Jamie
  • You are mixing some stuff. The address bar (of the client's browser) is only accessible to the client itself, and you can access it only through JavaScript code. Furthermore, $_SERVER is a server-side variable, which is available to server-side PHP scripts, which have nothing to do with client-side JavaScript. – Mladen B. Jun 08 '13 at 11:57
  • The example you provided isn't really a security threat. The problem is when you use the data and do something like insert it into a database. This is where you need to sanitize the data. Otherwise, let them enter whatever they want; it's not hurting anyone. – David Houde Jun 08 '13 at 12:03
  • This makes no sense. You cannot "sanitize the address bar", period. Explain better what concerns you have. Until then I propose that you have insufficient understanding of XSS or the problems you try to prevent and are concerned about the wrong things. – deceze Jun 08 '13 at 12:16
  • So first off, @Jamie was looking for a way to prevent a cross-scripting attack. That's why they asked, for the many answerers/commenters that were confused. The "Duplicate" question really contains abstract answers and IMHO isn't a good fit. – Cyprus106 Mar 26 '15 at 16:11

3 Answers

To obtain it, you can refer to $_SERVER['REQUEST_URI'].

If you want to append it to HTML, escape it using htmlspecialchars().

rid
  • No, I don't want to append it to HTML. I was hoping to prevent unwanted strings or characters from being added at the end of the URL. – Jamie Jun 08 '13 at 11:59
  • @Jamie, I'm not sure I understand... You want to prevent the user from writing certain characters in the browser's address bar? If so, that's impossible. One idea would be to check the URL on the server side, remove all unwanted characters there and redirect. – rid Jun 08 '13 at 12:01
  • Hi rid. Sorry for not explaining properly. I'm trying to sanitize anything that comes after the .php extension. – Jamie Jun 08 '13 at 12:05
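The following is an added example, not code from the question or from rid's answer. It puts the bug that the question's URL exploits next to the htmlspecialchars() fix the answer recommends: the request path is written into a form's action attribute (the classic sink is `<form action="<?php echo $_SERVER['PHP_SELF']; ?>">`), and the trailing path segment `/"><h2>...` closes the attribute and the tag. The function names and the sample path are chosen here for illustration.

```php
<?php
// Added example, not code from the question or the answers.
// Shows the output-context bug behind the question's URL beside the
// htmlspecialchars() fix. Function names and sample input are invented here.

declare(strict_types=1);

// Escape a value for the HTML text or double-quoted attribute context.
// ENT_QUOTES also converts single quotes, ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string, and the charset is
// given explicitly so the result does not depend on the default_charset ini.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the request path is concatenated into an attribute as-is.
// A path like /login/login.php/"><h2>... ends the attribute at the injected
// quote, and the rest of the path is parsed by the browser as markup.
function form_tag_unsafe(string $path): string
{
    return '<form action="' . $path . '" method="post">';
}

// Hardened: the same value in the same place, escaped for the attribute.
// Nothing is stripped from the URL; the quote and angle brackets are emitted
// as &quot; &lt; &gt; so the whole path stays inside the attribute as text.
function form_tag_safe(string $path): string
{
    return '<form action="' . html_escape($path) . '" method="post">';
}

// Constructed input modelled on the question's URL, in URL-decoded form.
// $_SERVER['PHP_SELF'] and $_SERVER['PATH_INFO'] are decoded by the web
// server before PHP sees them; $_SERVER['REQUEST_URI'] keeps the bytes the
// client actually sent, which may be raw or percent-encoded, so both forms
// must be assumed to reach the output.
$attackerPath = '/login/login.php/"><h2>This is our cookie<h2>'
              . '<script>document.write(document.cookie)</script></h2>';

echo "Unsafe:\n", form_tag_unsafe($attackerPath), "\n\n";
echo "Safe:\n",   form_tag_safe($attackerPath),   "\n";
```

The point to take from this is that escaping is tied to where the value is written, not to where it came from. htmlspecialchars() protects the HTML text and attribute contexts; a value placed inside a JavaScript block, a URL parameter, or a CSS rule needs that context's encoding instead, and SQL escaping does nothing for any of them. Run it with `php example.php` and compare the two lines.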

If you want to sanitize the URL on the server side, use mysql_escape_string($_SERVER['REQUEST_URI']). Furthermore, use var_dump($_SERVER) to see all the values you can use and play around with them. Btw, why are you sanitizing the URL? What do you want to do with it? I assumed you wanted to put it into a database, but if you just want to remove all the HTML code from it, the browser will already do the escaping, so you don't really need to do it...

If you want to sanitize it on the client side, that will be pointless, since the attacker can always generate his own HTTP request using his own tools, without even using the browser.

Mladen B.

For the URL (note that this trusts the client-supplied Host header and hard-codes the scheme):

$url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

Check this link for details:

http://www.phpeasystep.com/phptu/27.html

For sanitizing, as rid said, you can use

htmlspecialchars() (http://ca3.php.net/htmlspecialchars)

Alternatively, you can use http://php.net/manual/en/function.preg-replace.php to sanitize the $url that you receive; with it you can remove anything that comes after .php by replacing it with an empty string.

Also, please have a look at this post.

Removing unwanted characters from URL in htaccess

Muhammad Raihan Muhaimin
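Added example, not code from this answer or from the linked pages. It implements the server-side "normalise and redirect" idea from rid's comment with the preg_replace() approach suggested above, and adds the checks a reviewer would ask for: the scheme and host come from configuration rather than from $_SERVER['HTTP_HOST'] (the Host header is sent by the client, so a redirect built from it can be pointed at an attacker's domain), and the resulting path is whitelisted rather than only trimmed. canonical_path(), redirect_target() and the sample URIs are made up here.

```php
<?php
// Added example, not the answer's or the linked tutorial's code.
// Drops PATH_INFO after the ".php" script, validates what is left, and builds
// a redirect target from configured values. Names and inputs are invented.

declare(strict_types=1);

// Reduce the request path to the script itself: everything after the first
// ".php" segment (PATH_INFO such as /"><h2>...) is removed. The query string
// is returned separately so the caller can decide what to do with it.
// Returns null if the URI does not address a .php script at all.
function canonical_path(string $requestUri): ?array
{
    $parts = parse_url($requestUri);
    if ($parts === false || !isset($parts['path'])) {
        return null;
    }
    // Keep up to and including the first ".php"; discard a trailing "/..." part.
    $path = preg_replace('#^(.*?\.php)(?:/.*)?$#s', '$1', $parts['path'], 1, $count);
    if ($count !== 1) {
        return null;
    }
    return ['path' => $path, 'query' => $parts['query'] ?? ''];
}

// Build the Location URL for a redirect. $scheme and $host are configuration
// values, deliberately not $_SERVER['HTTP_HOST'], which the client controls.
// Returns null when the path cannot be reduced to a plain /dir/script.php.
function redirect_target(string $requestUri, string $scheme, string $host): ?string
{
    $c = canonical_path($requestUri);
    if ($c === null) {
        return null;
    }
    // Whitelist: absolute path of plain segments ending in one .php script.
    if (!preg_match('#^/(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.php$#', $c['path'])) {
        return null;
    }
    return $scheme . '://' . $host . $c['path']
         . ($c['query'] !== '' ? '?' . $c['query'] : '');
}

// Constructed request URIs for demonstration (what $_SERVER['REQUEST_URI']
// would hold), including the question's payload in decoded form.
$scheme = 'https';
$host   = 'www.somesite.com';
$examples = [
    '/login/login.php',
    '/login/login.php/"><h2>This is our cookie<h2>'
        . '<script>document.write(document.cookie)</script></h2>',
    '/login/login.php?next=%2Faccount',
    '/images/logo.png',
];

foreach ($examples as $uri) {
    $target = redirect_target($uri, $scheme, $host);
    if ($target === null) {
        echo "reject : $uri\n";          // not a .php script, or path not whitelisted
        continue;
    }
    if ($target === "$scheme://$host$uri") {
        echo "ok     : $uri\n";          // already canonical, serve the page
        continue;
    }
    echo "redirect: $uri\n      -> $target\n";
    // In a real script the redirect would be issued here:
    // header('Location: ' . $target, true, 301); exit;
}
```

Trimming the path this way is defence in depth, not a substitute for output escaping: the query string is kept here and a payload in `?next=...` or in a POST body still reaches the page, so whatever prints the URL must still run it through htmlspecialchars() for the HTML context. Run with `php example.php` to see which inputs are accepted, redirected and rejected.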