Am I Safely Echoing User-Submitted Links in My Page's Commenting Section?

People,

Imagine I run a blog and I give you a commenting section on my page for you to comment on my article and submit your name, link and business details.
Now, I've got to get my blog page to display your submitted details. Correct?
But I've got to make sure you don't do this XSS or JavaScript attack. Got to make sure you don't add your own HTML or JavaScript code that disrupts my page's HTML. Yes?
So, how do I do this so crooked commenters can't do all these disruptions on my page?
I've got to add urlencode(), rawurlencode(), htmlentities(), htmlspecialchars(), intval() etc. Correct? Do all the encoding necessary to safely output your submitted URL and anything else you submitted onto my blog page, after weeding out any rubbish (malicious code) you try to add to my page. Right?
So, how about you show me how to do this? I'm confused. Got to learn from you. Now.
I tried my best here. See below.
Can you tell me where I forgot to add security, so no commenter can mess about with the appearance of my page or hijack my visitors to their malicious sites? I can't have my visitors auto-navigate to malicious sites or I'm in big trouble.

My Attempt:

$query = "SELECT id, date_and_time, business_name, business_age, business_zip, business_phone, business_mobile, business_fax, business_email, business_domain, business_url, business_description FROM links WHERE $tbl = ? LIMIT $offset, $max";
//NOTE: $tbl, $offset and $max are interpolated into the SQL, not bound. $tbl must come from a fixed
//whitelist of column names and $offset/$max must be cast to int before this line.
$stmt = mysqli_stmt_init($conn);
if(mysqli_stmt_prepare($stmt,$query))
{
	mysqli_stmt_bind_param($stmt,'s',$find);
	mysqli_stmt_execute($stmt);
	if($result = mysqli_stmt_get_result($stmt)) //was mysqli_stmt_REQUEST_result(): no such function.
	{
		/*
		FOLLOWING BOTH ARE EQUAL:
		$col = mysqli_fetch_array($result) //SHORT VERSION.
		$col = mysqli_fetch_array($result,MYSQLI_BOTH) //LONG VERSION.
		Column names are used below instead of numeric offsets, because the numeric offsets did not
		match the SELECT list (e.g. offset 5 is business_phone, not business_zip). Returns null if no row matched.
		*/
		$columns = mysqli_fetch_array($result,MYSQLI_ASSOC);
		
		$business_submission_id = $columns['id'];
		$business_submission_date_and_time = $columns['date_and_time'];
		$business_name = $columns['business_name'];
		$business_age = $columns['business_age'];
		$business_zip = $columns['business_zip'];
		$business_phone = $columns['business_phone'];
		$business_mobile = $columns['business_mobile']; //was never assigned before being echoed.
		$business_fax = $columns['business_fax'];
		$business_email = $columns['business_email'];
		$business_domain = $columns['business_domain'];
		$business_url = $columns['business_url'];
		$business_description = $columns['business_description'];
		//business_snail_mail_address is not in the SELECT list, so it cannot be read here.
				
		//Everything below is echoed raw (no HTML escaping). That is what the question is about.
		echo 'Business Submission Id: ' .$business_submission_id; echo '<br>';
		echo 'Business Submission Date And Time: ' .$business_submission_date_and_time; echo '<br>';
		echo 'Business Name: ' .$business_name; echo '<br>';
		echo 'Business Zip: ' .$business_zip; echo '<br>'; //was $business_Zip (undefined variable).
		echo 'Business Phone: ' .$business_phone; echo '<br>';
		echo 'Business Email: ' .$business_email; echo '<br>';
		echo 'Business Mobile: ' .$business_mobile; echo '<br>';
		echo 'Business Fax: ' .$business_fax; echo '<br>';
		echo 'Business Domain: ' .$business_domain; echo '<br>';
		echo 'Business Url: ' .$business_url; echo '<br>';
		echo 'Business Description: ' .$business_description; echo '<br>';
		echo 'Business Link: <a href=' .'"' .strip_tags($business_url) .'"' .'>' .'<b>' .$business_url .'</b>' .'</a>'; echo '<br>'; //was $url (undefined variable). Need to add your aided code on this line before echoing third-party submitted links on my page. Your code needs to detect the URL structure, break it up into pieces and apply the appropriate PHP function (urlencode(), rawurlencode(), htmlentities(), htmlspecialchars(), intval()) to the appropriate pieces.
	}
	else
	{
		//Detailed error output for development only; never expose driver errors in production.
		echo 'Record fetching failed!';
		echo 'Error: ' .mysqli_stmt_error($stmt);
		echo 'Error: ' .mysqli_stmt_errno($stmt);
	}
	mysqli_stmt_close($stmt);
}
mysqli_close($conn);

So, where did I forget to add any of the following necessities, if anywhere?
urlencode(), rawurlencode(), intval(), htmlspecialchars(), htmlentities(). Do I need to add these?
On my echos, which of these do I have to add to foil the commenting crooks? Can you amend my code and show me?
You see, commenters may add URLs that have query parts.
Now, I've got to auto-add rawurlencode() on the file path and urlencode() and intval() on the query parts of the URLs. I'm talking about the URLs that would be echoed on my blog page. The outputted URLs (user-submitted URLs).
We have to remember that some users' submitted URLs will be static while others' will be dynamic (?blah-blah1&blahh=blah2), and so I've got to write code that analyses the URL (that is about to be output on the page) and, if any query parts exist, these URL parts must be echoed via urlencode()/urldecode(), intval(), etc.

I'm talking about this bit:

echo 'Business Url: ' .$business_url; echo '<br>';

The above code is not good enough because it is only good for echoing static URLs. What if the URL about to be echoed from the DB, the URL of a comment submitter, has query parts? Then, to be on the safe side, I can't just echo like this:

echo 'Business Url: ' .$business_url; echo '<br>';

I've got to auto-add rawurlencode() on the file path and urlencode() and intval() on the query parts of the URLs before outputting them.

You want to be escaping your information before display. The first thing you want to do is make sure you simply remove anything that shouldn't be there. If the comment should not contain HTML tags, you can use something like strip_tags. If it should be only numbers, look for non-numbers using something like a regular expression pattern (aka preg_match).

Once you have removed anything that you think shouldn't be there from the start, the second thing you should look at is the function htmlentities. Make sure you also use the encoding parameter, even though it is not required. It is always a good idea to make sure you use that.
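Added example (my own code, not the OP's attempt or the reply above): one way to do what both posts describe for the "Business Link" line, i.e. take a user-submitted URL with or without a query part, reject what should not be there (non-http(s) schemes, control characters, userinfo), percent-encode each URL component with the function that fits it, and only then HTML-escape for the context the value lands in. The function names sanitize_submitted_url(), h() and render_business_link() are mine, the sample submissions are constructed, and it assumes PHP 7.4 or later. It goes beyond the single case in the thread by also handling fragments, bare query keys and "+" in query values.

```php
<?php
// Added example: safely echo a user-submitted URL in PHP.
// Order of operations, as in the thread: remove what should not be there,
// encode each URL component with the function that fits that component,
// then HTML-escape for the output context. Function names are my own.
declare(strict_types=1);

/**
 * Normalise a submitted URL into a safe absolute http(s) URL, or return null
 * if it should not be linked at all. Path segments get rawurlencode(); query
 * keys/values get urldecode() + rawurlencode() so "+" keeps meaning a space;
 * userinfo (user:pass@) is dropped to stop "https://bank.example@evil.example".
 * Deliberate simplification: bracketed IPv6 hosts are rejected.
 */
function sanitize_submitted_url(string $raw): ?string
{
    $raw = trim($raw);
    // Control characters and newlines have no place in a URL; reject outright.
    if ($raw === '' || preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    $p = parse_url($raw);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null; // relative URLs and bare text are not linkable here
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null; // blocks javascript:, data:, vbscript:, file: ...
    }
    // Hostname: labels of letters/digits/hyphens joined by dots, nothing else.
    $host = strtolower($p['host']);
    if (!preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/', $host)) {
        return null;
    }
    $url = $scheme . '://' . $host;
    if (isset($p['port'])) {
        $url .= ':' . (int) $p['port']; // the port is the one part where an integer cast fits
    }
    // Path: decode then re-encode each segment, so nothing is double-encoded and
    // every space, quote, < or > becomes %XX. An absent path becomes "/".
    $segments = explode('/', $p['path'] ?? '/');
    $url .= implode('/', array_map(
        static fn(string $seg): string => rawurlencode(rawurldecode($seg)),
        $segments
    ));
    // Query: rebuild pair by pair; keys without "=" stay bare keys.
    if (isset($p['query']) && $p['query'] !== '') {
        $pairs = [];
        foreach (explode('&', $p['query']) as $pair) {
            if ($pair === '') {
                continue;
            }
            [$k, $v] = array_pad(explode('=', $pair, 2), 2, null);
            $k = rawurlencode(urldecode($k));
            $pairs[] = $v === null ? $k : $k . '=' . rawurlencode(urldecode($v));
        }
        if ($pairs !== []) {
            $url .= '?' . implode('&', $pairs);
        }
    }
    if (isset($p['fragment'])) {
        $url .= '#' . rawurlencode(rawurldecode($p['fragment']));
    }
    return $url;
}

/** Escape for HTML text and double-quoted attribute values; always name the charset. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the "Business Link" line: percent-encode per component, then HTML-escape. */
function render_business_link(string $submittedUrl, string $label): string
{
    $safe = sanitize_submitted_url($submittedUrl);
    if ($safe === null) {
        // Unlinkable input: show the label as text only, never as an href.
        return '<b>' . h($label) . '</b> (link removed)';
    }
    return '<a href="' . h($safe) . '" rel="nofollow ugc"><b>' . h($label) . '</b></a>';
}

// Constructed sample submissions (not real data) covering the cases discussed:
// a static-looking URL with a hostile query, a dynamic URL with userinfo, port,
// "+" and a fragment, a javascript: URL, and raw markup with no URL at all.
$samples = [
    'https://example.com/shop/my page.php?id=42&q=<script>alert(1)</script>',
    'HTTPS://user:pw@Example.COM:8443/a/b?x=1+2&flag#frag ment',
    'javascript:alert(document.cookie)',
    '"><img src=x onerror=alert(1)>',
];
foreach ($samples as $s) {
    echo 'Business Link: ' . render_business_link($s, $s) . "<br>\n";
}
```

Two points worth noting. First, intval() only makes sense when you know a parameter is supposed to be a number; with someone else's URL you do not, so the general tool for each component is percent-encoding, and the integer cast is used here only on the port. Second, the URL functions never replace the HTML escape: the href attribute still goes through h() (so the & between query pairs becomes &amp;), and the same h() is what every other echoed field on the page (name, description, email, and so on) needs, because the HTML context, not the field type, decides the escaping.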

Thread closed as the OP is banned.