'handling urls submitted through a form' question

Posted: Tue Jul 16, 2002 1:50 pm
by Jay
OK, it's just been drummed into me that I should NOT trust data that's submitted by a user.

So, my questions are:
  1. Is it generally a bad idea to allow URLs to be submitted in a form?
  2. I am thinking of creating a 'News' script to add on to another script I recently completed, so members can post their latest website news through their account. Generally, I expect URLs to be included in the 'news' text. How would I handle this so that it's NOT exploited, yet published as working links?
Thank you.

Posted: Tue Jul 16, 2002 3:42 pm
by gnu2php
It's usually OK to allow URLs, as long as you "encode" them when they're about to be displayed on the page.

To encode a URL, use urlencode().

If the URL is actually going to be displayed on the page, use htmlentities().

function print_url($url)
{
	// Split off the scheme (e.g. "http://") so it is not percent-encoded
	$http = 'http://';
	if (preg_match('/^[a-z]+:\/\//i', $url, $matches))
	{
		$url = preg_replace('/^[a-z]+:\/\//i', '', $url);
		$http = $matches[0];
	}

	// urlencode() escapes every character outside A-Z a-z 0-9 - _ . (including "/" and "?"),
	// so only a bare host name like www.example.com survives unchanged in the href
	print "<a href=\"".$http.urlencode($url)."\">";
	// htmlentities() escapes <, >, & and " in the visible link text
	print htmlentities($http.$url);
	print "</a>";
}

Posted: Tue Jul 16, 2002 5:12 pm
by Jay
OK, got it...

What would be the best way to solve my second question, i.e. URLs included in text?

Posted: Tue Jul 16, 2002 5:19 pm
by hob_goblin

$str = strip_tags($str, '<a>');
I can't think of a way off the top of my head of how you would use anchors to exploit things. I guess if you got really fancy you could use some JavaScript to annoy people... but it's highly unlikely.
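
An added example, not code from the thread, on what the strip_tags() one-liner above leaves behind: strip_tags() removes the tags that are not on the allow list (and only the tags, not the text between them), but it does not touch the attributes of the tags it keeps, so an allowed <a> arrives with whatever href and event-handler attributes the poster gave it. The clean_anchors() function below is an assumed, hypothetical follow-up step that rebuilds every surviving anchor from scratch, keeping only an http:// or https:// href; the $news input is constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Constructed input: two anchors and a script tag.
$news = 'Visit <a href="http://www.example.com" onclick="alert(1)">us</a> '
      . '<script>alert(2)</script> or <a href="javascript:alert(3)">here</a>';

// The one-liner from the post: <script> and </script> are removed (their text
// "alert(2)" stays), but both anchors keep every attribute they had,
// including the onclick handler and the javascript: href.
echo strip_tags($news, '<a>'), "\n";

// Hypothetical hardened version: allow <a>, then rebuild each anchor keeping
// only a validated href. Anything that does not pass is reduced to its text.
function clean_anchors($html)
{
    $html = strip_tags($html, '<a>');
    return preg_replace_callback('/<a\b([^>]*)>(.*?)<\/a>/is',
                                 'clean_anchors_callback', $html);
}

function clean_anchors_callback($m)
{
    $attrs = $m[1];
    $text  = $m[2];

    // Pull out the href value (quoted with ", ' or unquoted).
    if (preg_match('/\bhref\s*=\s*(["\']?)([^"\'\s>]+)\1/i', $attrs, $h)) {
        $href = $h[2];
        // Scheme allow list: only http and https become clickable.
        if (preg_match('#^https?://#i', $href)) {
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
                 . $text . '</a>';
        }
    }
    // No usable href (or a javascript:/data: one): keep the link text only.
    return $text;
}

// Note: the text around the anchors is still raw user input here; it needs
// its own escaping before output, which strip_tags() does not provide.
echo clean_anchors($news), "\n";
?>
```

The point of the rebuild is that the output never contains an attribute the user wrote: the only attribute emitted is an href that the code itself checked and escaped.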

Posted: Tue Jul 16, 2002 5:26 pm
by Jay
I apologize if this is too obvious for some of you, but really I am still a newbie at writing scripts...

let's say the user sends this in:

$_POST['news'] = 'We have a contest going on at http://www.example.com.  Please submit before 19/07/2002!';

Now what should I consider when I want this to appear on a webpage?

<added>

Of course, I want it ultimately to appear like so on the page:

We have a contest going on at http://www.example.com. Please submit before 19/07/2002!

Posted: Tue Jul 16, 2002 8:30 pm
by gnu2php
Try the following code. It isn't perfect--and you should probably test it before you use it--but it should catch most URLs:

<?php

print highlight_urls('We have a contest going on at http://www.example.com.  Please submit before 19/07/2002!');


function highlight_urls($text)
{
	// Characters that end a URL (you could add more): whitespace, <, >, quotes, brackets
	$chars = '\r\n \t\x0B<>\'"\\]\\[';

	// A URL starts with "scheme://" or "www." and runs until an excluded character
	$re = '/([a-z]+:\/\/|www\.)[^'.$chars.']+/i';

	return preg_replace_callback($re,
			'highlight_urls_callback', $text);
}

function highlight_urls_callback($matches)
{
	$url = $matches[0];
	if (strtolower($matches[1]) == 'www.') $url = "http://$url";

	// Trailing punctuation belongs to the sentence, not to the URL
	$chars = '!)}:\\.\\?';

	$punc = '';

	if (preg_match("/[$chars]+\$/", $url, $matches))
	{
		$url = preg_replace("/[$chars]+\$/", '', $url);
		$punc = $matches[0];
	}

	return "<a href=\"$url\">$url</a>$punc";

	// Or you could have it open a new window:
	// return "<a href=\"$url\" target=\"_blank\">$url</a>$punc";
}

?>
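
An added example, not code from the thread, that covers both the single-URL case from the first reply (print_url()) and the URLs-inside-text case just above (highlight_urls()). It takes the other order: escape the whole post with htmlspecialchars() first, so nothing the user typed can be markup, and only then wrap the plain-text URLs in anchors, accepting just http://, https:// and bare www. starts so that a javascript:// or data: URL stays as inert text. The function names linkify_news() and linkify_news_callback() are my own, the rel="nofollow" attribute is optional, the post is assumed to be UTF-8, and both sample posts are constructed (the first is the one from the thread).

```php
<?php
// Added example (not from the thread): escape first, link second.

function linkify_news($text)
{
    // Step 1: after this the only special characters left are entities
    // (&amp; &lt; &gt; &quot; &#039;), so no "<", ">" or quote survives.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Step 2: find plain-text URLs in the escaped text. Only http(s):// or
    // www. starts are accepted; the run stops at whitespace or at an entity
    // that encodes a quote or angle bracket. "&amp;" is kept, which is the
    // correct form of "&" both inside an href attribute and as link text.
    $re = '~\b(?:https?://|www\.)(?:(?!&(?:quot|lt|gt|#039);)[^\s])+~i';

    return preg_replace_callback($re, 'linkify_news_callback', $safe);
}

function linkify_news_callback($m)
{
    $url = $m[0];

    // Trailing punctuation belongs to the sentence, not to the link.
    $punc = '';
    if (preg_match('/[.,!?;:)]+$/', $url, $p)) {
        $punc = $p[0];
        $url  = substr($url, 0, -strlen($punc));
    }

    // Bare www. links get a scheme; the scheme is ours, never the user's.
    $href = (strtolower(substr($url, 0, 4)) == 'www.') ? 'http://' . $url : $url;

    // $url is already HTML-escaped, so it is safe inside the attribute and
    // as the visible link text without a second escaping pass.
    return '<a href="' . $href . '" rel="nofollow">' . $url . '</a>' . $punc;
}

// Constructed sample posts: the one from the thread, and one that tries
// a script tag, a javascript:// link and a query string containing "&".
$posts = array(
    'We have a contest going on at http://www.example.com.  Please submit before 19/07/2002!',
    'See <script>alert(1)</script> or javascript://example.com and www.example.com/?a=1&b=2',
);

foreach ($posts as $post) {
    echo linkify_news($post), "\n";
}
?>
```

Doing the escaping before the linkifying is what makes the regex simple: it never has to defend the href attribute against quotes or angle brackets, because by the time it runs none are left in the string. The scheme allow list, rather than a deny list of known bad schemes, is what keeps a link from ever executing script when clicked.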