Saser

Reputation: 137

Security rules for links submitted by users in PHP

I'm working on a project for a university. In each course, teachers are allowed to enter links they want the students to see. The teacher can also give permission to students to post links themselves.

However, you can literally enter anything into the text field, which means you can post malicious links, and of course I don't want that.

What are some good "rules" to keep you from posting anything? For example: I was thinking maybe searching the first part of the string for "http://", to make sure it isn't JavaScript or something else.

Thanks in advance.

Upvotes: 1

Views: 97

Answers (7)

Filippo oretti

Reputation: 49813

What is the problem with this? :)

I mean:

$link = htmlentities($_POST['link']);
$link = str_replace('http://','',$link);
$link = 'http://'.$link;

echo $link;

As others said ... you are in a circle of people with accounts, just push into the db what people do with a datetime and you will always know who, what, when ;)

Upvotes: 0

SteeveDroz

Reputation: 6136

I'm not sure you can, because if someone really wants to hurt, he or she can create a normal web page that redirects to a malicious one... The best way to protect that is:

  • Technically: use htmlentities to prevent people from entering JavaScript in the field and url_encode to be sure the characters are well encoded.
  • Legally: write somewhere that the links can't be malicious.

Upvotes: -1

Emanuil Rusev

Reputation: 35255

You can test the input value with a regular expression.

Here's one that would match any valid URL address and nothing else:

/^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$/

Here's how you can use it in PHP:

function validateURL($url)
{
    return preg_match("/^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$/", $url);
}

Upvotes: 0

Quentin

Reputation: 943595

Trying to filter input is going to prove fruitless as it is trivial to bypass; you need accountability. Since the context is a university course, you have a relatively small group with verifiable identities — that makes accountability about as easy as it is ever going to get.

Just make sure that the users' names are associated with the links they post and remind people of the importance of protecting their login credentials.

If people post inappropriate material, then their account can be suspended or made read only, or some other measures can be taken.

> I was thinking maybe searching the first part of the string for "http://", to make sure it isn't JavaScript or something else.

What if it is https://? What if the URL includes a & character?

Run the input through htmlentities. That will protect you against code that breaks HTML (both deliberate and unintentional).

Upvotes: 2

enyo

Reputation: 16706

Of course you should make sure that the link will be html escaped when you display it (use htmlentities() with utf-8 as charset).

Making sure there is an http:// at the beginning is of course a good idea to avoid JavaScript being executed when the user clicks the link.

After that, there's not much you can do to avoid people posting malicious links.

Google redirects to a page first, with the link, and warns the user that he is going to be redirected to a potentially malicious website.

Upvotes: 0

Wesley van Opdorp

Reputation: 14941

I would use strip_tags and htmlentities, then place any links within an <a> using preg_replace.

Upvotes: 0

Jeff

Reputation: 12173

Yes, checking for the URL prefixes would definitely help. Also check for valid URL chars.

It can be done with PHP and Regex easily - http://phpcentral.com/208-url-validation-in-php.html

Hope that helps.

Upvotes: 0
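
The two checks the answers above discuss, restricting links to http:// and https:// and escaping with htmlentities on output, combined in one place as an added example (not code from any answer in this thread). The function names `acceptable_link` and `render_link` and the sample links are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the URL if it is an absolute http(s) link, else null.
function acceptable_link(string $input): ?string
{
    $url = trim($input);
    // Reject empty input and any embedded whitespace or control characters.
    if ($url === '' || preg_match('/[\x00-\x20\x7F]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    // A usable link needs both a scheme and a host ("example.edu/page" has neither).
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Scheme allowlist: covers https as well as http, and excludes javascript:, data:, etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hypothetical helper: escape at output time, for both the attribute and the link text.
function render_link(string $url): string
{
    $safe = htmlentities($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Constructed sample submissions (not real data).
$samples = [
    'https://example.edu/course?id=7&week=2',          // valid, contains "&"
    'javascript:alert(1)',                             // wrong scheme
    ' JaVaScRiPt:alert(1)',                            // mixed case, leading space
    'http://example.edu/"><script>alert(1)</script>',  // valid scheme, hostile path
    'example.edu/page',                                // no scheme
];

foreach ($samples as $s) {
    $ok = acceptable_link($s);
    echo $ok === null ? "rejected: $s\n" : render_link($ok) . "\n";
}
```

The fourth sample passes the scheme check, which is why the escaping step is still required. Neither check says anything about what the destination page does, so the accountability measures described in the answers still apply.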
