Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

filter_input() $_SERVER["REQUEST_URI"] with FILTER_SANITIZE_URL

Tags:

php

global-variables

filtering

sanitization

request-uri

I'm filtering $_SERVER["REQUEST_URI"] such that:

$_request_uri = filter_input(INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_URL);

As explained in php.net:

FILTER_SANITIZE_URL

Remove all characters except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=.

However,

the browser sends this REQUEST_URI value urlencode'd and therefore it is not sanitized in this filter_input() function. Say the address is

http://www.example.com/abc/index.php?q=abc��123

and then the sanitized request url is

/abc/index.php?q=abc%EF%BF%BD%EF%BF%BD123

But it should be

/abc/index.php?q=abc123

It is possible urldecode($_SERVER["REQUEST_URI"]) and then using filter_var() we can get a sanitized value.

$_request_uri = filter_var(urldecode($_SERVER['REQUEST_URI']), FILTER_SANITIZE_URL);

I don't know why the last one seems to me "inelegant" and I'm looking for an elegant way, sanitizing $_SERVER["REQUEST_URI"].

Maybe, accessing a super global array directly ($_SERVER['REQUEST_URI']) while coding disturbs me, thus "inelegant".

Is there an elegant way?

like image 710
Kibele Avatar asked Jun 26 '14 13:06

Kibele

1 Answers

I think you could use either mod_rewrite or apaches SetEnv directive to undecode the url server side. This would have the effect of changing the REQUEST_URI in apache and consequently the value of $_SERVER["REQUEST_URI"] in php.

I dont like this solution, and you likely dont want to do this. The issues I see:

  • it does not allow for multiple get parameters which may have different validation rules.
  • it allows for arbitrary parameters.
  • it requires permissions which a user may not have and changes default server behavior.
  • mod_rewrite is seldom a good solution.

A good solution which avoids the global is to call filter_input or filter_input_array on INPUT_GET (instead of INPUT_SERVER).

$urlParameters = http_build_query(
    filter_input_array(
        INPUT_GET,
        FILTER_SANITIZE_URL
    )
);

$_request_uri = filter_input(INPUT_SERVER, 'SCRIPT_URL', FILTER_SANITIZE_URL). ($urlParameters ? "?{$urlParameters}" : "");
print_r($_request_uri);

A better solution would be to whitelist specific parameters and use specific rules for validation, and to use these parameters directly (avoiding setting and parsing $_request_uri)

$_request_parameters = filter_input_array(
    INPUT_GET,
    array(
        'q' => FILTER_SANITIZE_URL,
    )
);

print_r($_request_parameters['q']);
like image 56
Nalin Singapuri Avatar answered Nov 10 '22 06:11

Nalin Singapuri
Sign in to Comment

Related questions

Feedback on my Model Layer Approach Symfony 2 Model Layer + Doctrine
Spell Checking With Redactor On Heroku
How to scrape JSON data streamed via websockets on a target site
How can I improve this query depending on the explain results
Multiple dynamic firewalls and CAS servers in Symfony2
HTML PHP Display username after success login
Handle multiple PHP script calls from multiple XHR instances
KILL MySQL queries using PHP if user close the browser or navigate from one page to other page
Laravel: How do I create a custom pivot model?
Laravel Eloquent ORM relationship naming conventions
Use custom delimiters in the current Twig template
How to make using "alternative syntax" rather than "curly-brace syntax" in php? (Using Endswitch Syntactic Sugar)
Working Of Paypal Rest API
Where to put my php file?
Convert single byte string to double byte string
How to call a constant as a function name?
API - Error 202 "Your credentials do not allow access to this resource"
facebook-php-sdk vs facebook-php-sdk-v4
Use ExpressJS app via FastCGI
Php treating greater-than as end script

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!