PHP escape special character in URL param

Question

I working out to remove special characters in passing parameters through an URL in case to avoid injection by intruders, for example I had the URL below:

www.sitename.com/people?job=manager

I added an alert script after the parameter like below:

www.sitename.com/people?job=manager"/><script>alert%2844749%29<%2fscript>

when I run the URL, the alert will popup, this might cause vulnerability in retrieve site information by this technique. I will use $_REQUEST to get the passing parameter to generate results. Is that any cure to escape URL injection techniques which I can apply to below?

$job = $_REQUEST["job"];

Thanks for advise.

Why does the alert pop up if you simply have this **in the URL**?! Are you outputting this as is into HTML? — deceze, Jun 29 '12 at 06:55

score 4 · Answer 1 · answered Nov 13 '18 at 15:09

4

You need to use htmlentities() or htmlspecialchars() with ENT_QUOTES parameter, on all your variable.

For example for $job :

$job = htmlentities($_REQUEST["job"], ENT_QUOTES);

Don't need to escape special characters in url params.

answered Nov 13 '18 at 15:09

Shrewk

71
2

score 0 · Answer 2 · answered Jun 29 '12 at 06:55

You can use strip_tags()

<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>

OR use regular Exp--

$data = preg_replace('/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi', '', $data);

score 0 · Answer 3 · answered Jun 29 '12 at 06:56

0

Use htmlspecialchars to escape special html characters or strip_tags to remove all tags from the string.

answered Jun 29 '12 at 06:56

Aurimas Ličkus

9,518
4
22
25

score 0 · Answer 4 · edited May 23 '17 at 12:02

0

First of all don't use $_REQUEST and to protect against CSRF attacks you can either use html_entities() or strip_tags().

If you want certain tags to be allowed you can use HTML purifier.

edited May 23 '17 at 12:02

Community

1
1

answered Jun 29 '12 at 06:57

Shubham

19,309
17
59
84

score 0 · Answer 5 · answered Jun 29 '12 at 06:59

A URL like

www.sitename.com/people?job=manager"/><script>alert%2844749%29<%2fscript>

will not do anything harmful in and off itself.

A URL like this, any value like this, plainly output into HTML will of course cause HTML injection. Which is why you need to HTML escape it:

<?php $url = 'www.sitename.com/people?job=manager"/><script>alert%2844749%29<%2fscript>'; ?>

<a href="<?php echo htmlspecialchars($url, ENT_QUOTES); ?>">Click here</a>

score 0 · Answer 6 · answered Apr 14 '19 at 17:13

0

use urlencode function. Visit https://www.php.net/manual/en/function.urlencode.php for more info.

answered Apr 14 '19 at 17:13

zainul ogna

130
1
4

shaedrich · Answer 7 · 2021-04-12T15:36:58.317

0

Instead you can use the following code to directly filter your input:

$job = filter_input(INPUT_GET, 'job', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

edited Apr 12 '21 at 15:36

answered Apr 12 '21 at 15:31

shaedrich

4,826
2
26
35

PHP escape special character in URL param

7 Answers7