Reputation: 2666
So I'm having a hell of a time trying to figure out a way to sanitize input from a site to prevent URL injections, and only return domain.tld (google.com, etc.).
Basically I've got a site I've created that people can use to get a website's IP address (getwebsiteip.com), and I want to make sure I prevent any malicious injection and at the same time return only google.com no matter if they input http://google.com, https://google.com, udp://google.com and so on. I do want to keep subdomains intact, and technically www is a subdomain, and www.google.com could have a different A record than google.com does.
I'm just taking the URL from user input, checking the DNS record, and displaying it.
So I've tried a couple of different methods and read around online, but want to make sure I'm doing this the right way.
Read this site: http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html
And the filtering does work, but you have to put in the http for it to validate, otherwise it does not.
I found this: http://snipplr.com/view.php?codeview&id=12616
Which does a good job of stripping out the domain itself, but from everything I found it seems like it would take a lot of code to accomplish something that seems like it should be fairly simple.
In a perfect world, I would want users to only input subdomain.domain.com or domain.com, but if they use http:// or https:// I still want to strip that out and output the IP.
I also want to prevent anybody from trying to inject malicious code.
Can anybody point me in the right direction or help out? I think I've got a bald spot now from scratching my head too much :P
Upvotes: 0
Views: 152
Reputation: 57244
You need the parse_url function.
$url = 'https://www.example.com/path?googleguy=googley&foo[]=bar';
print parse_url($url, PHP_URL_HOST);
// prints www.example.com
Upvotes: 2
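An added example, not part of the answer above: it applies parse_url to the inputs the question lists, including input typed without a scheme, and allow-lists the result before any DNS lookup. The function names extract_host() and lookup_ipv4() and the sample inputs are assumptions made for illustration; FILTER_VALIDATE_DOMAIN requires PHP 7 or later.

```php
<?php
// Added example, not from the thread. extract_host() and lookup_ipv4() are hypothetical names.

function extract_host(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 2048) {
        return null;
    }
    // parse_url() only reports a host when a scheme or a leading "//" is present;
    // a bare "google.com" would otherwise be parsed as a path.
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $input)) {
        $input = '//' . ltrim($input, '/');
    }
    $host = parse_url($input, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    $host = strtolower(rtrim($host, '.'));
    // Allow-list check: letters, digits and hyphens in dot-separated labels only.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    // Require at least domain.tld so single-label names such as "localhost" are refused.
    return strpos($host, '.') === false ? null : $host;
}

function lookup_ipv4(string $host): array
{
    // gethostbynamel() returns false when the name does not resolve.
    $ips = gethostbynamel($host);
    return $ips === false ? [] : $ips;
}

// Constructed sample inputs; the loop does no DNS lookups, so it runs offline.
$samples = ['google.com', 'http://google.com', 'https://www.google.com/search?q=1',
            'udp://google.com', 'google.com<script>alert(1)</script>', 'localhost'];
foreach ($samples as $raw) {
    $host = extract_host($raw);
    // Escape anything user-supplied before echoing it into HTML.
    printf("%s => %s\n", htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), $host ?? 'rejected');
}
```

In the page handler, pass only the value returned by extract_host() to lookup_ipv4(), and run both the host and the resulting addresses through htmlspecialchars() when rendering them.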