Results 1 to 6 of 6
May 15, 2009, 19:40 #1
- Join Date
- May 2007
- 0 Post(s)
- 0 Thread(s)
PHP security issue: how to sanitize URL input by user
I'm using PHP (with a MySQL db) to build a little gift registry system for the impending new addition to our family. Although this is a purely personal/fun project (that will all be in a password-protected directory only accessed by our friends and family), I am using the experience to try to improve my skills and knowledge with PHP security issues.
The site has an admin section where new items can be added to the gift registry and existing items can be edited. Among other things, the add (or edit) forms contain an input for a URL and an input for the display text for the URL. The URL and the display text get stored in the db and then later output on the registry page where people can browse to see what gifts we would like. Then they can click on the link to actually see the product and possibly order it.
So, pretend for a moment that this isn't my little password-protected personal project, but instead it's on a site with a mass audience. Is there any good way to "sanitize" a URL that was input by a user? How on earth would you make sure that someone isn't going to enter a link to some offensive website or some malicious script and then give it an innocuous name like "Amazon" or "Target", giving people a big surprise when they click on it!
Just curious if anyone has any thoughts on this... like I said, I'm just learning about a lot of the security issues with PHP and trying to think them through on a "safe" project before I am someday faced with doing it for real! Thanks!