Tags: php, var-dump, filter-var

var_dump filter_var FILTER_SANITIZE_URL return behaviour


Here I am baffled as to why FILTER_SANITIZE_URL in var_dump returns a wrong string length and doesn't remove tags such as . This happens with all filter_var predefined filter constants. Is this a bug, or is there a logic behind it?

I am using PHP 5.4 because I have to; our servers run on it. Let me demonstrate. I have this URL:

$url = 'http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string';

If I sanitise it and var_dump it:

var_dump(filter_var($url, FILTER_SANITIZE_URL));

it will return:

string(60) "http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string"

NOW, if I put malicious code in the URL:

$url = 'http://www.example.com/index.php?
<script>
function myFunction() {
    var x = "<?php echo $var; ?>";
    alert(x);

}
</script>a=1&b=2&c=3&d=some%20string';

the same code, var_dump(filter_var($url, FILTER_SANITIZE_URL)); will return this:

string(132) "http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string"

Pay attention to the type and length of the returned var: 72 characters more than the previous one, but clearly the string is still 60 characters long. Why do var_dump or filter_var behave in such a manner, please? If it is a bug, has it been fixed? As I record these types of data, I need this function to return the exact number of characters.


Solution

  • FILTER_SANITIZE_URL removed all unnecessary characters from the URL, including spaces; if you check view source it shows

    <script>functionmyFunction(){varx="<?phpecho$var;?>";alert(x);}</script>
    

    Why return 132 characters?

    Because the <script> tag and its inner code are also included as part of the string. FILTER_SANITIZE_URL does not remove tags, it just removes spaces. This filter allows all letters, digits and

    $-_.+!*'(),{}|\\^~[]`"><#%;/?:@&=
    

    To remove malicious code, use other functions such as strip_tags().

    $var = filter_var(strip_tags($url), FILTER_SANITIZE_URL);
    

    If the code is included in the string, then why is it not displayed?

    Because you are using var_dump and checking the result in a browser, and you cannot view any code inside a <script> tag in a browser unless you go to the page's view source.

    If you remove the <script> tag, what should happen?

    If you removed the <script> tag, then it would show the following:

    string(115) "http://www.example.com/index.php?functionmyFunction(){varx="";alert(x);}a=1&b=2&c=3&d=some%20string" 
    

    The 17 characters of <script></script> should be removed.
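To make the answer's point concrete, here is an added example of my own (it is not code from the question or the answer above). It rebuilds FILTER_SANITIZE_URL's allow-list as a preg_replace character class and checks that the result is byte-for-byte what filter_var returns, then shows where the real protection against the pasted <script> block belongs. It assumes command-line PHP 5.4 or newer and nothing beyond core functions; the two URLs are the constructed inputs from the question.

```php
<?php
// Added example, not code from the question or the answer. Assumes stock PHP
// (5.4 or later); filter_var, preg_replace, strip_tags, htmlspecialchars and
// rawurlencode are all core functions.

// Constructed inputs: the clean URL and the same URL with the question's
// <script> block pasted into the query string.
$clean   = 'http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string';
$tainted = 'http://www.example.com/index.php?
<script>
function myFunction() {
    var x = "<?php echo $var; ?>";
    alert(x);

}
</script>a=1&b=2&c=3&d=some%20string';

// The manual's allow-list for FILTER_SANITIZE_URL as a regex character class:
// letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=. Everything else
// (spaces, newlines, control bytes, non-ASCII) is dropped; nothing is escaped.
$notAllowed = '/[^A-Za-z0-9$\-_.+!*\'(),{}|\\\\^~\[\]`<>#%";\/?:@&=]/';

function sanitize_url_by_hand($url, $notAllowed)
{
    return preg_replace($notAllowed, '', $url);
}

$sanitized = filter_var($tainted, FILTER_SANITIZE_URL);

// strlen() is the N that var_dump prints in string(N). The 132 is real: only
// the whitespace went away, and <, >, (, ), {, }, ", ; and = all survive
// because every one of them is a legal URL character.
printf("clean: %d bytes, sanitized: %d bytes\n", strlen($clean), strlen($sanitized));

// The hand-rolled version yields the identical byte string, which is the whole
// point: the filter is a character allow-list, not a tag stripper.
if (sanitize_url_by_hand($tainted, $notAllowed) !== $sanitized) {
    throw new RuntimeException('allow-list does not match FILTER_SANITIZE_URL');
}

// Why the browser "showed" only 60 characters: the <script> element was
// rendered, not displayed. Escape before echoing and the tag becomes visible.
echo htmlspecialchars($sanitized, ENT_QUOTES, 'UTF-8'), "\n";

// FILTER_VALIDATE_URL refuses input that the sanitizer would have altered
// (the raw string still contains spaces and newlines), so it is the right
// filter when the goal is to reject bad input rather than quietly mangle it.
var_dump(filter_var($tainted, FILTER_VALIDATE_URL));

// strip_tags() removes the element itself but nothing else the query string
// can carry; the defence that actually holds is encoding at the point of use:
// rawurlencode() for a value placed into a query string, htmlspecialchars()
// for anything echoed into HTML, the URL included.
$stripped = filter_var(strip_tags($tainted), FILTER_SANITIZE_URL);
printf("after strip_tags: %d bytes\n", strlen($stripped));

$safeHref = 'http://www.example.com/index.php?d=' . rawurlencode('some string <script>');
echo '<a href="' . htmlspecialchars($safeHref, ENT_QUOTES, 'UTF-8') . '">link</a>', "\n";
```

Run it from the command line (`php example.php`) so var_dump's output is plain text and nothing is rendered; in a browser the htmlspecialchars() line is the one that shows the tag as text. The caveat a practitioner should take away: FILTER_SANITIZE_URL answers "is every byte allowed in a URL?", not "is this safe to print?". A string like `javascript:alert(1)` contains only allow-listed characters and passes through unchanged, and strip_tags() leaves quotes and other attribute-breaking characters in place, so neither replaces output encoding.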