
I have a form field where we allow users to post a YouTube URL (obviously there are tons of YouTube-type URL variants).

My question is: how do we sanitize this element to prevent users from posting

  1. non-YouTube URLs;
  2. onerous vulnerability hacks, including extraneous code and URLs.

I read this post here

But I am somewhat bewildered about how to implement the answer given by Jeff Atwood.

My form element at the moment is simply:

<div class="form-group col-lg-6 col-sm-12 underline">
<label>Add a Video from <strong>YouTube</strong></label>
<input type="text" name="video" id="choosevideo" class="form-control" tabindex="6" placeholder="YouTube Video URL">
</div>
422
  • In PHP you can use `filter_var()` with `FILTER_VALIDATE_URL` or `SANITIZE_`, but need an extra regex/string check to assert it points to youtube anyway. – mario May 04 '14 at 22:52
  • Thank you Mario, not sure why my post was voted down; if I could add more to the question I would have. Will have a searchypoos around with regard to your reply. Thanks, voted up – 422 May 04 '14 at 22:58
  • Did you see this http://stackoverflow.com/questions/13476060/validating-youtube-url-using-regex and perhaps even this http://stackoverflow.com/questions/1383073/how-do-i-check-if-a-video-exists-on-youtube-using-php ? – Pevara May 04 '14 at 23:15

2 Answers

You should not rely on client-side validation as it is fairly easy to skip. Always validate on server-side of your application.

Find a suitable regex and add it to your server-side validation. If you want client-side validation as well, you could add the "pattern" attribute to your input tag.

PalSivertsen
  • Thanks Botteknotten, will have a scout around and see what I can come up with. – 422 May 04 '14 at 22:59
  • “Always validate on server-side of your application.” Or a combination of both so you are covered & can differentiate between someone initially hacking a form from accidental/inadvertent errors in submission. – Giacomo1968 May 04 '14 at 23:09


So you get the user data in $_POST['video'], as your form shows.

You should start with PHP's parse_url() function and then use the parse_str() function.

A working example for you. Customize to your needs:

<?php

// parse_url() returns false on badly formed input, and the 'host' key is
// absent for relative URLs, so check both before comparing the host.
$parse = parse_url(isset($_POST['video']) ? $_POST['video'] : '');

if ($parse === false || !isset($parse['host']) || strtolower($parse['host']) != 'www.youtube.com'){
   echo 'this is not a valid url';
   // return false here or something
}

// continue only if false was not returned, of course

// The 'query' key is absent when the URL has no "?", so guard it too.
parse_str(isset($parse['query']) ? $parse['query'] : '', $query);

// parse_str() yields an array for "v[]=...", so also require a string value
if (!isset($query['v']) || !is_string($query['v']) || $query['v'] === ''){
   echo 'you have not provided a video id';
   // return false here
}

// if false was not returned up until this point,
// you have the video ID in $query['v']
// and that is all you need I believe

// I think you can do the rest

?>

This is in my opinion the best practice and I don't see why people are suggesting regex or similar. This method is quick, secure and uses built-in PHP functions which perform the operation really well.

You may need to adjust it slightly to your needs depending on what URLs your users may input (I don't know whether YouTube has more domains/vhosts, for example -- this could be easily solved with creating an array() and checking it with in_array(), etc.)

Frantisek
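To tie the two answers together, here is an added server-side validator (example code, not from either answer) that applies the parse_url()/parse_str() approach to the common YouTube URL forms, rejects non-http(s) schemes and foreign hosts, and then rebuilds a canonical URL from the extracted ID so no raw user text is ever stored or echoed. It assumes video IDs are 11 characters of [A-Za-z0-9_-] and that the host list in the code is the set you want to accept; both are assumptions, not something the answers state.

```php
<?php
// Added example, not from the original answers. Assumes IDs are 11 chars of
// [A-Za-z0-9_-] and that the host list below is the set you want to accept.
function youtube_video_id($url)
{
    $url = trim((string) $url);
    $p = ($url === '' || strlen($url) > 2048) ? false : parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                        // unparsable or relative input
    }
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return null;                        // e.g. javascript: or data: schemes
    }
    $host = strtolower($p['host']);
    $path = isset($p['path']) ? $p['path'] : '';
    $id   = null;
    if (in_array($host, array('youtube.com', 'www.youtube.com', 'm.youtube.com'), true)) {
        if ($path === '/watch' && isset($p['query'])) {
            parse_str($p['query'], $q);     // /watch?v=ID
            if (isset($q['v']) && is_string($q['v'])) { $id = $q['v']; }
        } elseif (preg_match('#^/(?:embed|v)/([^/?]+)#', $path, $m)) {
            $id = $m[1];                    // /embed/ID or /v/ID
        }
    } elseif ($host === 'youtu.be' && preg_match('#^/([^/?]+)\z#', $path, $m)) {
        $id = $m[1];                        // youtu.be/ID
    }
    // Strict ID check: exact character set and length; \z so a trailing newline fails.
    return ($id !== null && preg_match('/^[A-Za-z0-9_-]{11}\z/', $id)) ? $id : null;
}

// Rebuild the stored/echoed URL from the validated ID; never reuse the raw input.
function youtube_canonical_url($url)
{
    $id = youtube_video_id($url);
    return $id === null ? null : 'https://www.youtube.com/watch?v=' . $id;
}

// Wiring it to the form field from the question:
$video = youtube_canonical_url(isset($_POST['video']) ? $_POST['video'] : '');
if ($video === null) {
    echo 'Please enter a valid YouTube video URL.';
} else {
    // store $video; on output still escape it: htmlspecialchars($video, ENT_QUOTES, 'UTF-8')
}
```

Because the accepted value is reconstructed from the 11-character ID alone, anything else in the submitted URL (extra parameters, a fake host such as www.youtube.com.example, an odd scheme) is discarded rather than sanitized.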