Sunday, 15 September 2013

php - filter_input() $_SERVER["REQUEST_URI"] with FILTER_SANITIZE_URL -

I'm filtering $_SERVER["REQUEST_URI"] like so:

$_REQUEST_URI = filter_input(INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_URL);

As explained on php.net:

FILTER_SANITIZE_URL

Remove all characters except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=.

However,

the browser sends the REQUEST_URI value urlencoded, hence it is not sanitized by the filter_input() function. The address is

http://www.example.com/abc/index.php?q=abc��123

and the sanitized request URL is

/abc/index.php?q=abc%ef%bf%bd%ef%bf%bd123

but it should be

/abc/index.php?q=abc123

It is possible to urldecode($_SERVER["REQUEST_URI"]) and, using filter_var(), get a sanitized value:

$_REQUEST_URI = filter_var(urldecode($_SERVER['REQUEST_URI']), FILTER_SANITIZE_URL);

I don't know why, but the last one seems "inelegant" to me, and I'm looking for an elegant way of sanitizing $_SERVER["REQUEST_URI"].

Maybe accessing the superglobal array directly ($_SERVER['REQUEST_URI']) while coding is what disturbs me as "inelegant".

Is there an elegant way?

I think you could use either mod_rewrite or Apache's SetEnv directive to un-decode the URL server side. This would have the effect of changing REQUEST_URI in Apache and consequently the value of $_SERVER["REQUEST_URI"] in PHP.

I don't like this solution, and don't want to do this. Issues I see:

It does not allow multiple parameters that may have different validation rules. It allows arbitrary parameters. It requires permissions the user may not have and changes default server behavior. mod_rewrite is seldom the solution.

A good solution avoids the global call: use filter_input or filter_input_array on INPUT_GET (instead of INPUT_SERVER).

$urlParameters = http_build_query(filter_input_array(INPUT_GET, FILTER_SANITIZE_URL));
$_REQUEST_URI = filter_input(INPUT_SERVER, 'SCRIPT_URL', FILTER_SANITIZE_URL) . ($urlParameters ? "?{$urlParameters}" : "");
print_r($_REQUEST_URI);

A better solution whitelists specific parameters, uses specific rules for validation, and uses these parameters directly (avoiding setting and parsing $_REQUEST_URI):

$_REQUEST_PARAMETERS = filter_input_array(INPUT_GET, array(
    'q' => FILTER_SANITIZE_URL,
));
print_r($_REQUEST_PARAMETERS['q']);
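As an added example (not code from the question or the answer above), the following CLI script compares the three approaches discussed on a constructed request. It uses filter_var() and filter_var_array() on local arrays instead of filter_input() on the real superglobals so that it runs without a web server; the sample REQUEST_URI, the $_GET-like array, and the regular expression for q are assumptions made for the example.

```php
<?php
// Added example, not from the original question or answer. The values below are
// constructed; in a real request they would come from $_SERVER and $_GET.

// What PHP sees for a URL whose query contained two characters the browser
// replaced with U+FFFD and then percent-encoded.
$requestUri = '/abc/index.php?q=abc%EF%BF%BD%EF%BF%BD123';
$getParams  = ['q' => "abc\xEF\xBF\xBD\xEF\xBF\xBD123", 'extra' => 'ignored'];

// 1. Sanitizing the raw REQUEST_URI changes nothing here: '%' is in the set of
//    characters FILTER_SANITIZE_URL keeps, so the percent-encoded bytes survive.
function sanitizeRaw(string $uri): string
{
    return filter_var($uri, FILTER_SANITIZE_URL);
}

// 2. Decoding first lets FILTER_SANITIZE_URL strip the non-ASCII bytes, but it
//    also decodes legitimately encoded characters (a '%26' becomes '&', which
//    then reads as a parameter separator), so the result can no longer be
//    parsed reliably as a query string.
function sanitizeDecoded(string $uri): string
{
    return filter_var(urldecode($uri), FILTER_SANITIZE_URL);
}

// 3. Whitelist approach from the answer: only the parameters named in the
//    definition are returned ('extra' is dropped), and each has its own rule.
//    Here q must match an explicit pattern (an assumption for this example);
//    anything else is rejected (false) rather than silently "cleaned".
function whitelistedParams(array $get): array
{
    return filter_var_array($get, [
        'q' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[A-Za-z0-9]{1,64}$/'],
        ],
    ]);
}

var_dump(sanitizeRaw($requestUri));              // percent-encoded bytes kept
var_dump(sanitizeDecoded($requestUri));          // "/abc/index.php?q=abc123"
var_dump(whitelistedParams($getParams));         // ['q' => false]: rejected
var_dump(whitelistedParams(['q' => 'abc123']));  // ['q' => 'abc123']
```

Run it with `php example.php`. The third approach is the one to prefer from a defensive standpoint: a validated parameter that fails its rule comes back as false and can be refused outright, whereas the sanitize-and-reassemble variants produce a plausible-looking URL whose meaning may have changed during decoding.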

php global-variables filtering input-sanitization request-uri
