Secure URL textarea

Question

I have a textarea form where you can insert URLs which are passed through a function. But I can't figure out how to secure it against malicious code.

I found a way to check valid characters with preg_match() but since a URL can contain almost every character this isn't very useful.

Is there a way to check if the textarea only contains URLs or disable code execution all together?

What do you mean by "or disable code execution all together" ? — Nana Partykar, Sep 11 '15 at 17:53
I passed some html code (form) in the textarea and the form was displayed on the page — Rob, Sep 11 '15 at 17:56
Thats`s right! I'm a bit concerned about security when just passing everything to the function without checking. — Rob, Sep 11 '15 at 18:04
http://stackoverflow.com/questions/18568244/url-validation-regex-url-just-valid-with-http — Nana Partykar, Sep 11 '15 at 18:05
Take a look at, http://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid/1547940#1547940 — chris85, Sep 11 '15 at 18:11

score 1 · Accepted Answer · answered Sep 11 '15 at 18:34

1

You can use:

$input= htmlspecialchars($_POST['input']);

for example.

answered Sep 11 '15 at 18:34

MrK

Thanks, I think that should be enough but not sure. Maybe I worry about nothing... – Rob Sep 12 '15 at 17:32

score 0 · Answer 2 · answered Sep 11 '15 at 18:24

0

If you just want to prevent HTML from being passed from the textarea, may be strip_tags can do the job.

answered Sep 11 '15 at 18:24

2 Answers2