
I have to get an IP and a URL as request parameters, and I need to avoid injection, especially from the URL string. Here is my code:

if(filterValidIp($ip) && filterValidUrl($url)) {
    //it's ok 
    //code....
}

Function for the URL:

function filterValidUrl($s) {
    $s = trim($s);
    // filter_var() returns the filtered string on success and false on failure
    $valid = filter_var($s, FILTER_VALIDATE_URL);
    // Compare against false explicitly: the original `!$valid === false` is
    // parsed as `(!$valid) === false`, which only works by accident
    if ($valid !== false) {
        return true;
    }
    return false;
}

URL:

?url=http://google.com?id=ss'+&ip=127.0.0.1

passes as valid.

Manoj Sharma

1 Answer

The code you have presented validates the URL.

If you're planning to store it in a DBMS, you should also escape it using mysqli::real_escape_string or PDO::quote.

You may also want to sanitize it, especially if you'll present it to unsuspecting visitors to your web site. You can do that using filter_var($s, FILTER_SANITIZE_URL).

Remember that untrusted people can enter malicious text strings into web sites.

O. Jones
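The following is an added example, not code from the question or the answer. It shows why the sample URL with the apostrophe passes FILTER_VALIDATE_URL (the filter checks URL syntax only), tightens the check to http/https with a host, and then handles the two contexts the answer mentions: storage, using a PDO prepared statement so the value never becomes part of the SQL text, and output, encoding at the point of display. The table name `links`, its columns, the `$pdo` connection and the function names `storeLink` and `renderLink` are assumptions for the illustration.

```php
<?php
// Added example (not from the question or answer). Assumes a PDO connection
// $pdo and a table links(ip, url); both are hypothetical.

function filterValidIp(string $s): bool {
    // FILTER_VALIDATE_IP accepts IPv4 and IPv6 literals only
    return filter_var(trim($s), FILTER_VALIDATE_IP) !== false;
}

function filterValidUrl(string $s): bool {
    $s = trim($s);
    if (filter_var($s, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    // FILTER_VALIDATE_URL only checks syntax: characters such as ' in the
    // query string and schemes other than http(s) still pass. Restrict the
    // scheme and require a host so the value is at least a web URL.
    $parts = parse_url($s);
    return isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Storage context: a prepared statement sends the parameter values separately
// from the SQL text, so the apostrophe in the URL cannot change the query and
// no manual escaping (real_escape_string / PDO::quote) is required.
function storeLink(PDO $pdo, string $ip, string $url): void {
    $stmt = $pdo->prepare('INSERT INTO links (ip, url) VALUES (:ip, :url)');
    $stmt->execute([':ip' => $ip, ':url' => $url]);
}

// Output context: encode for HTML at the point of output, so a stored value
// cannot break out of the attribute or element it is placed in. Validation on
// input does not replace this step.
function renderLink(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Constructed sample input, matching the query string from the question.
$ip  = '127.0.0.1';
$url = "http://google.com?id=ss'+";

if (filterValidIp($ip) && filterValidUrl($url)) {
    // $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // hypothetical
    // storeLink($pdo, $ip, $url);
    echo renderLink($url), PHP_EOL;
}
```

The point of the split into three functions is that validation, storage and output are separate contexts: the URL filter decides whether the input is a URL at all, the prepared statement makes the apostrophe irrelevant to the database, and htmlspecialchars makes it irrelevant to the page. Rejecting the apostrophe at validation time is not needed for either of the latter two and would reject legitimate URLs.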