php, how to use strip_tags or urldecode on REQUEST_URI?

Question

i have a link that needs ti be cleaned up a bit.

http://'.$_SERVER["SERVER_NAME"]."".$_SERVER["REQUEST_URI"].'" />

this link will generate something like this:

http://www.site.com/friends.php

where friends.php is the $_SERVER["REQUEST_URI"] .

sometimes i pass an id to the link:

 http://www.site.com/friends.php?id=123456

what i want is to use strip_tags or urldecode to clean this link and make sure that whatever is passed in the id is an int and contains no letters, but i need to do it on the original link: http://'.$_SERVER["SERVER_NAME"]."".$_SERVER["REQUEST_URI"].'" />

edit:

i want the link to be cleaned out so i can't do this to it:

http://www.site.com/friends.php?id=<script>alert(TK00000006)</script>

Answer 1

This assumes that you only have id in your query string:

echo 'http://'.$_SERVER['SERVER_NAME']
    . $_SERVER['SCRIPT_NAME']
    .'?id='
    .filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);

Resulting id from id=<script>alert(TK00000006)</script> is ?id=00000006 .

---

Alternate answer:

echo 'http://'.$_SERVER['SERVER_NAME']
    . $_SERVER['SCRIPT_NAME']
    .'?id='
    .urlencode($_GET['id']);

//or effectively the same thing using only $_SERVER variables,
//but is much more robust as it handles multiple query parameters:
echo 'http://'.$_SERVER['SERVER_NAME']
    . $_SERVER['SCRIPT_NAME']
    .$_SERVER['QUERY_STRING'];

Resulting id from id=<script>alert(TK00000006)</script> is ?id=%3Cscript%3Ealert%28TK%29%3C%2Fscript%3E

Answer 2

If ID cannot be zero, I'd do it like this:

$id = (int)$_GET['id'];
if ($id)
...      // valid number > 0
else
...      // invalid