Sanitize address bar URL

Hi all,

It’s been a while, and I see that the site has been fully updated. Good stuff. I’m still a noob so please be gentle.

I want to know if someone can help me with the correct way to sanitize a URL which has been entered manually into the address bar.

I need to know:

(a) How to get the URL. I have been using the following:

$url = (!empty($_SERVER['HTTPS'])) ? "https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'] : "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];

I’ve put this on the first line of my site.

I need to know if that will be enough; I’m obviously concerned as to when the site will be executing the code. It’s all this XSS malarkey, it scares me witless.

(b) Then I’m using the following:

var_dump(filter_var($url,FILTER_SANITIZE_SPECIAL_CHARS));

Is this enough sanitisation (sanitization)? Will this work? I’ve not used this var_dump business before, and I thought I’d double check.

As always your help is much appreciated.

Drop the var_dump as that is used more on a debugging front. Also, for sanitisation of URLs it would be better to use a filter more closely related to your target, such as “FILTER_SANITIZE_URL”.

I thought that, but then when I looked it seemed like sanitise URLs was more for ensuring that it was a valid URL rather than anything else. The actual sanitisation didn’t seem to sanitise potential XSS. I’m no expert; that was my first-glance impression. Is this correct, do you know?
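Steps (a) and (b) of the question and the FILTER_SANITIZE_URL discussion that follows it, worked through as an added example (not code from any post in this thread). The $_SERVER values are constructed stand-ins for a real request, and current_url() and html_escape() are helper names chosen here.

```php
<?php
// Constructed request values, standing in for what the web server would fill in.
$_SERVER['HTTPS']       = 'on';
$_SERVER['SERVER_NAME'] = 'example.test';
$_SERVER['REQUEST_URI'] = '/page.php?q=<script>alert(1)</script>';

// Step (a): rebuild the requested URL from $_SERVER, as the question does.
// Reading these values executes nothing; the risk only appears when the
// string is later printed into HTML without escaping.
function current_url(): string
{
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
}

$url = current_url();

// Step (b), with the suggested filter: FILTER_SANITIZE_URL only strips characters
// that are not legal in a URL. '<', '>', '/' and '"' are all legal URL characters,
// so the tag in the query string survives untouched.
$sanitized = filter_var($url, FILTER_SANITIZE_URL);
var_dump(strpos($sanitized, '<script>') !== false);   // bool(true): still HTML

// FILTER_VALIDATE_URL answers a different question ("is this shaped like a URL?").
// It returns the string or false; it never makes a value safe to print.
var_dump(filter_var('https://example.test/page.php?q=1', FILTER_VALIDATE_URL));
// string(33) "https://example.test/page.php?q=1"

// The defence against XSS is escaping at the point of output, for the context the
// value lands in. For an HTML body or attribute that is htmlspecialchars() with
// ENT_QUOTES and an explicit charset, applied to the raw value.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo html_escape($url), "\n";
// https://example.test/page.php?q=&lt;script&gt;alert(1)&lt;/script&gt;

// Safe use of the same value inside an attribute:
echo '<a href="', html_escape($url), '">this page</a>', "\n";
```

The var_dump calls are kept only to show the intermediate results; in the site itself the value would just be escaped at the echo, as above.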