I have a page like this: a user writes a URL into a form and submits it. Once the URL is submitted, I connect to that page with cURL and search for a string. If it finds the string, it adds the URL to our database. If not, it gives an error to the user.
I sanitize the URL with htmlspecialchars() and also a regex to allow A-Z, 1-9 and the :/-. symbols. I also sanitize the content retrieved from the other website with htmlspecialchars().
My question is, can they enter a URL like:
http://www.evilwebsite.com/shell.exe or shell.txt
Would PHP run it, or simply look at the HTML output? Is it safe as it is, or if not, what should I do?
Thank you.
PS: allow_url_fopen is disabled. That's why I use cURL.
I don't see why htmlspecialchars() or a regex would be necessary here; you don't need those. Also, there is no way that PHP will "automatically" parse the content retrieved using cURL. So yes, it is safe (unless you do stuff like eval() with the output). However, when processing the retrieved content later, be aware that the input is user-provided and needs to be handled accordingly.
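The following is an added example, not code from the question or the answer, showing the flow the question describes in the way the answer recommends: the fetched body is handled purely as a string (it is never executed, whatever the file name in the URL suggests), the URL is validated before cURL is called, the response is size-capped, the database insert uses a bound parameter, and htmlspecialchars() is applied only when echoing back to the browser. It assumes an existing PDO connection in $pdo, a table named urls with a column named url, and a form field named url; all of these names, and the marker string, are hypothetical.

```php
<?php
// Added example (not from the original post). Assumptions: $pdo is an open PDO
// connection, a table `urls` with column `url` exists, the form field is `url`,
// and 'expected-marker' stands in for whatever string the real check looks for.

const MAX_BODY_BYTES = 1024 * 1024; // refuse to buffer more than 1 MiB of response

/**
 * Fetch the page body over HTTP(S) only, with timeouts and a size cap.
 * Returns the body as a plain string, or null if the URL is rejected or the
 * request fails. PHP never interprets this string as code.
 */
function fetchBody(string $url): ?string
{
    // Reject anything that is not a well-formed http/https URL before cURL sees it.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        // Restrict the initial request and any redirect target to HTTP(S), so a
        // redirect cannot switch the transfer to file://, gopher:// or similar.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Collect the body chunk by chunk so the size cap can be enforced.
        CURLOPT_WRITEFUNCTION   => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            // Returning fewer bytes than received makes cURL abort the transfer.
            return strlen($body) > MAX_BODY_BYTES ? 0 : strlen($chunk);
        },
    ]);

    $ok  = curl_exec($ch);      // true on success when a write callback is used
    $err = curl_errno($ch);     // the size-cap abort surfaces here as a write error
    curl_close($ch);

    if ($ok === false || $err !== 0) {
        return null;
    }
    return $body;
}

/**
 * The retrieved content is user-controlled data: searching it is fine, but it
 * must not be passed to eval(), include(), or similar.
 */
function containsMarker(string $body, string $marker): bool
{
    return $marker !== '' && strpos($body, $marker) !== false;
}

/** Store the URL with a prepared statement so it is bound as data, not spliced into SQL. */
function storeUrl(PDO $pdo, string $url): void
{
    $stmt = $pdo->prepare('INSERT INTO urls (url) VALUES (:url)');
    $stmt->execute([':url' => $url]);
}

// Request handling.
$url  = isset($_POST['url']) ? trim((string) $_POST['url']) : '';
$body = fetchBody($url);

if ($body === null) {
    echo 'Could not fetch that URL.';
} elseif (!containsMarker($body, 'expected-marker')) {
    echo 'The required string was not found.';
} else {
    storeUrl($pdo, $url);
    // Escape at output time only; the stored value stays as the user entered it.
    echo 'Added ' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}
```

The two protocol options and the scheme check are what keep the fetch limited to web pages; the write callback is the simplest way in PHP's cURL binding to stop buffering a response that is larger than expected.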