Does chaining filter_input() and filter_var() cause the problem?

Time:05-22

I have this url for testing

http://localhost:8000/2.php?site=https://google.com<script></script>

Then I am sanitizing "site":

$site = filter_input(INPUT_GET, 'site', FILTER_SANITIZE_URL);
var_dump($site); // string(35) "https://google.com"
echo "<br>";

Getting an absolutely safe URL. Then validating it:

$siteValidation = filter_var($site, FILTER_VALIDATE_URL);
var_dump($siteValidation); // bool(false)

And validation fails! Why?


CodePudding user response:

As you can read here, FILTER_SANITIZE_URL does not remove < or > from the string. That's why you see printed:

string(35) "https://google.com"

Clearly the string you see is not 35 chars long (inspect via developer tools in browser and you'll see the "script" part is still there).

That's why the next lines fail to validate.
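The behaviour the answer describes, reproduced in an added example that is not code from the question or the answer. It uses a constructed string equal to the question's "site" value (filter_input(INPUT_GET, ...) applies the same filter to $_GET['site'], so filter_var on the string behaves the same), and the acceptSiteParam function is an assumed name for a defensive way to handle the parameter.

```php
<?php
// Added example, not code from the question or the answer above.
// $raw is a constructed sample equal to the question's "site" value.
declare(strict_types=1);

$raw = 'https://google.com<script></script>';

// Step 1: FILTER_SANITIZE_URL keeps '<' and '>' (both are in its allowed
// character set), so the tags survive and the string keeps its full length.
$sanitized = filter_var($raw, FILTER_SANITIZE_URL);
var_dump(strlen($sanitized), $sanitized === $raw);

// Step 2: '<' and '>' are not legal URL characters, so validation rejects
// the "sanitized" value.
var_dump(filter_var($sanitized, FILTER_VALIDATE_URL));

// Why the var_dump in the question looked like an 18-character string:
// printed raw into an HTML page, the browser consumed <script></script>
// as markup. Escaping for the output context shows the whole value.
echo htmlspecialchars($sanitized, ENT_QUOTES, 'UTF-8'), "\n";

/**
 * Defensive handling of a URL parameter (assumed helper): validate first,
 * reject on failure instead of trying to repair the value, and pin the
 * scheme. Escaping is still needed wherever the URL is printed into HTML.
 */
function acceptSiteParam(string $value): ?string
{
    $url = filter_var($value, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

var_dump(acceptSiteParam($raw));                 // rejected
var_dump(acceptSiteParam('https://google.com')); // accepted
```

Run it with the php command-line binary: the first var_dump reports length 35 and true, and the validation var_dump reports bool(false), matching what the answer describes.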
