What is “enough sanitization” for a URL [duplicate]

Question

This question already has answers here:

Best way to handle security and avoid XSS with user entered URLs (10 answers)

The URL would be

1. Saved to a MySQL database
2. Used to display a picture on the user's profile

would strip_tags() and mysql_real_escape_string() be enough?

Answer 1

"Enough sanitization" thoroughly depends on what environment you're talking about. Sanitization for MySQL should be considered entirely separate from sanitization for web output, and you should handle them separately to avoid a lot of hassle.

Sanitizing for MySQL

• mysql_real_escape_string() will sanitize a piece of data and make it safe to put inside an SQL query.
• Any other type of malicious data, such as HTML tags inside the string, should be absolutely ignored. Trying to manipulate it here will lead you to headaches as you try to "un-manipulate" it later after getting it out of the database. Bad "web data" cannot harm your database.

Sanitizing for output

• htmlspecialchars($val) at output time will prevent any malicious tags from being rendered, because < and > characters are converted into their entity representations and not rendered as tag delimiters.
• Use the ENT_QUOTES modifier if you are outputting something that is inside an HTML element's quoted attribute, such as <input name="email" value="<?php echo htmlspecialchars($email,ENT_QUOTES); ?>" />

That should be all you need, unless you have special requirements. strip_tags() shouldn't really be used for sanitization, as it can be fooled with badly formed HTML. Sanitization is a worthy goal, and if you can keep your contexts separate, you'll run into fewer problems with data manipulation between them.

Answer 2

It's probably safer and better to call htmlentities() on the string instead of counting on strip_tags().

strip_tags() won't remove html special chars like '"&

e.g., if your code is:

<img src="<?= strip_tags($myVar) ?>">

and

$myVar = '">something goes here<';

then you end up with:

<img src="">something goes here<">

Which is pretty obviously the root of an XSS hole; an actual exploit is left as an exercise for the reader.

Answer 3

I initially upvoted Frank's answer, but thought of a problem: htmlentities() will break legal urls like this:

http://www.mywebsite.com/profile?id=jojo&w=60&h=60

Perhaps stripping angle brackets + mysql_real_escape would be sufficient?