'handling urls submitted through a form' question
Posted: Tue Jul 16, 2002 1:50 pm
by Jay
OK, it's just been drummed into me that I should NOT trust data that's submitted by a user.
So, my questions are:
- Is it generally a bad idea to allow URLs to be submitted in a form?
- I am thinking of creating a 'News' script to add on to another script I recently completed, so members can post their latest website news through their account. Generally, I expect URLs to be included in the 'news' text. How would I handle this so that it's NOT exploited, yet published as working links?
Thank you.
Posted: Tue Jul 16, 2002 3:42 pm
by gnu2php
It's usually OK to allow URLs, as long as you "encode" them when they're about to be displayed on the page.
To encode a URL, use urlencode().
If the URL is actually going to be displayed on the page, use htmlentities().
Code:
function print_url($url)
{
    // We have to preserve the http:// (or whatever scheme was given)
    $http = 'http://';
    if (preg_match('/^[a-z]+:\/\//i', $url, $matches))
    {
        $url = preg_replace('/^[a-z]+:\/\//i', '', $url);
        $http = $matches[0];
    }
    // Note: urlencode() also encodes "/" and "?", so this only round-trips a bare host name
    print '<a href="' . $http . urlencode($url) . '">';
    print htmlentities($http . $url);
    print '</a>';
}
Posted: Tue Jul 16, 2002 5:12 pm
by Jay
OK, got it...
What would be the best way to solve my second question, i.e. URLs included in text?
Posted: Tue Jul 16, 2002 5:19 pm
by hob_goblin
I can't think of a way off the top of my head how you would use anchors to exploit things; I guess if you got really fancy you could use some JavaScript to annoy people... but it's highly unlikely.
Posted: Tue Jul 16, 2002 5:26 pm
by Jay
I apologize if this is too obvious for some of you, but really I am still a newbie at writing scripts...
Let's say the user sends this in:
Code:
$_POST['news'] = 'We have a contest going on at http://www.example.com. Please submit before 19/07/2002!';
Now what should I consider when I want this to appear on a webpage?
<added>
Of course, I want it ultimately to appear like so on the page:
We have a contest going on at http://www.example.com. Please submit before 19/07/2002!
Posted: Tue Jul 16, 2002 8:30 pm
by gnu2php
Try the following code. It isn't perfect--and you should probably test it before you use it--but it should catch most URLs:
Code:
<?php
print highlight_urls('We have a contest going on at http://www.example.com. Please submit before 19/07/2002!');

function highlight_urls($text)
{
    // Characters to exclude in URL (you could add more)
    $chars = '\r\n \t\x0B<>\'"\\]\\[';
    $re = '/([a-z]+:\/\/|www\.)[^' . $chars . ']+/i';
    return preg_replace_callback($re, 'highlight_urls_callback', $text);
}

function highlight_urls_callback($matches)
{
    $url = $matches[0];
    if ($matches[1] == 'www.') $url = "http://$url";
    // Characters to ignore at end of URL
    $chars = '!)}:\\.\\?';
    $punc = '';
    if (preg_match("/[$chars]+\$/", $url, $matches))
    {
        $url = preg_replace("/[$chars]+\$/", '', $url);
        $punc = $matches[0];
    }
    return "<a href=\"$url\">$url</a>$punc";
    // Or you could have it open a new window:
    // return "<a href=\"$url\" target=\"_blank\">$url</a>$punc";
}
?>
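A hardened variant of the approach in gnu2php's post, added here as an example and not part of the original thread: every non-URL piece of the text is HTML-escaped, only http:// and https:// links become anchors, and the href itself is escaped too. The function name linkify_safely and the sample input are assumptions of this example.

```php
<?php
// Added example (not from the thread): escape everything, then linkify only
// http:// and https:// URLs. Any other scheme is left as plain escaped text.
function linkify_safely(string $text): string
{
    // Split into alternating non-URL / URL pieces. The URL pattern stops at
    // whitespace and at characters that would close or alter an HTML attribute.
    $re = '~\b(https?://[^\s<>"\'\[\]]+)~i';
    $parts = preg_split($re, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            // Plain text: HTML-escape so user input cannot inject markup.
            $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
            continue;
        }
        // URL piece: peel off trailing punctuation that belongs to the sentence.
        $punc = '';
        if (preg_match('/[.,!?:;)]+$/', $part, $m)) {
            $punc = $m[0];
            $part = substr($part, 0, -strlen($punc));
        }
        // Escape the href as well; the scheme was already restricted by $re.
        $href = htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        $out .= '<a href="' . $href . '" rel="nofollow">' . $href . '</a>'
              . htmlspecialchars($punc, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// Constructed sample input: Jay's news text plus some markup and a non-http link.
$news = 'We have a contest going on at http://www.example.com. '
      . 'Please submit before 19/07/2002! <b>Hurry</b> ftp://files.example.com';
echo linkify_safely($news), "\n";
```

The `<b>` tag is rendered as literal text and the ftp:// link stays unlinked, while http://www.example.com becomes an anchor with the trailing full stop kept outside it.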