URL编码和过滤清理输出问题

Question

I am trying to figure out why a sanitized string will be outputted differently than a non sanitized string when being URL encoded.

I don't know what this is called, but I've searched for URL encode and sanitization and tried google but I can't find any explanation.

I discovered this by accident after publishing a video, the problem is that I insert titles in the database, fetch them out and create a URL with it.

Sample URL (which does not work due to the problem)

localhost/proviin/video/kojima%26%2339%3Bs+cancelled+masterpiece+-+investigating+silent+hills/16

I made a single page test, to test what was going on and the behavior as you can see below.

How I need the outcome to be (but this is not sanitized):

$title = "Kojima's Cancelled Masterpiece - Investigating Silent Hills";
echo $title;
echo "<br>";
echo urlencode($title);

Outputs: (Which would work in the URL)

• Kojima's Cancelled Masterpiece - Investigating Silent Hills
• Kojima%27s+Cancelled+Masterpiece+-+Investigating+Silent+Hills

How it is

$title = sanitize("Kojima's Cancelled Masterpiece - Investigating Silent Hills", "str");
echo $title;
echo "<br>";
echo urlencode($title);

Outputs: (Which does not work in the URL, but is sanitized)

• Kojima's Cancelled Masterpiece - Investigating Silent Hills

• Kojima%26%2339%3Bs+Cancelled+Masterpiece+-+Investigating+Silent+Hills

Sanitize function

function sanitize($item, $type) {
    switch ($type) {
        case "str":
            return filter_var($item, FILTER_SANITIZE_STRING);
            break;
        case "mail":
            return filter_var($item, FILTER_SANITIZE_EMAIL);
            break;
        case "url":
            return filter_var($item, FILTER_SANITIZE_URL);
            break;
        case "int":
            return filter_var($item, FILTER_SANITIZE_NUMBER_INT);
            break;
        case "float":
            return filter_var($item, FILTER_SANITIZE_NUMBER_FLOAT);
            break;
        default:
            return false;
    }
}

As far as I know:

You sanitize data before inserting into the database.

You escape (htmlspecialchars) when you echo

But why is sanitized strings outputting differently when using urlencode() ?

If this is the normal behavior, how on earth do I sanitize strings before inserting them into a database table and use them in a URL with urlencode() ?

Answer 1

The main purpose of sanitizing before adding to a database is avoiding SQL injection. And one of vulnerable symbols is a single quote ' . That's why it is substituted by other symbol looking the same but without any impact to a database.

So when you sanitize, you substitute vulnerable symbols. And after URL encoding this symbols have different codes. To prevent incompatible URLs, encode strings always after sanitizing, or at least after the same actions.

Answer 2

When ever I use input text for a file name or folder I use this function to clean it up.

/* urlsafe - Return a URL safe string */
public static function urlsafe($t)
{
    $t = strtolower($t);
    $t = preg_replace( "/[^a-z0-9]/", " ", $t);
    $t = trim($t);
    $t = preg_replace("/[ ]+/", "-", $t);
    return($t);
}

Answer 3

You are double-escaping your strings. You should not pass the return value of your sanitize function to urlencode() . Both escape the data, but in different ways, so they cannot be chained like you're doing here (not that any escape function should be run twice anyway).

So no, you don't need to sanitize your data like this before you insert it into the database. You need to escape it using prepared statements so it comes back in the same way when returned from the database, ready for urlencode() or htmlentities() to work their magic. Unless you need the data stored in a specific way, in which case a preg_replace is probably better.

Also, be aware that user input should also not be unserialized() for the exact same reason: http://php.net/manual/en/function.unserialize.php