PHP $_SERVER['HTTP_HOST'] escaping, does this look acceptable?

I just found out about escaping things and started reading about how risky it would be to use $_SERVER['HTTP_HOST'] because of XSS attacks.

I came up with this and wondered if I could get some feedback on my attempt.

htmlspecialchars(
    filter_var( $_SERVER[ 'HTTP_HOST' ], FILTER_SANITIZE_URL ),
    ENT_QUOTES, 'UTF-8'
)

Does it look good?

So much depends on how secure this single variable is, I just needed to request input.

EDIT:

I will use this for display across the entire site, including basic hrefs, form actions, etc.

+3
2 answers

Different escaping functions should be used for different situations, for example:

+3

, . , htmlspecialchars. , mysql_real_escape_string mysql. ( )

+3
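
An added example, not taken from the question or either answer, of handling the Host header per output context: the client-controlled value is first matched against a fixed list, then URL-encoded when building links and HTML-escaped only when written into markup. The allowlist entries and the helper names `trusted_host`, `h` and `site_url` are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the host names this site is actually served under.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];
const DEFAULT_HOST  = 'example.com';

/**
 * Return a host name that is safe to build links from.
 * The Host header is client-controlled, so it is compared against a fixed
 * list instead of being "cleaned"; anything unexpected falls back.
 */
function trusted_host(?string $rawHost): string
{
    $host = strtolower(trim((string) $rawHost));
    // Drop an optional :port suffix before comparing.
    $host = preg_replace('/:\d{1,5}$/', '', $host) ?? '';
    return in_array($host, ALLOWED_HOSTS, true) ? $host : DEFAULT_HOST;
}

/** Escape for HTML text and quoted attribute values. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build an absolute URL; path segments and query values are URL-encoded. */
function site_url(string $host, array $segments = [], array $query = []): string
{
    $path = implode('/', array_map('rawurlencode', $segments));
    $url  = 'https://' . $host . '/' . $path;
    return $query ? $url . '?' . http_build_query($query) : $url;
}

// Constructed sample inputs standing in for $_SERVER['HTTP_HOST'].
$samples = ['www.example.com', 'Example.com:8080', 'unknown.invalid"><b>x', null];

foreach ($samples as $raw) {
    $host = trusted_host($raw);
    $url  = site_url($host, ['search'], ['q' => 'a&b "c"']);
    // HTML context: escape at output time, even for validated values.
    echo '<a href="' . h($url) . '">' . h($host) . "</a>\n";
    echo '<form action="' . h(site_url($host, ['login'])) . '" method="post"></form>' . "\n";
}
```

The third and fourth samples fall back to `DEFAULT_HOST`, so the markup characters in the header never reach the page; for the SQL context the second answer mentions, a parameterized query takes the place of an escaping call.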

Source: https://habr.com/ru/post/1718314/

