
http_build_query and filter_input combined to generate secure query strings

M66 2025-06-22

In PHP development, constructing URL query strings is a very common task. http_build_query() is a powerful tool that quickly converts an array into a URL-encoded query string. However, in practice, we often need to retrieve parameters from user inputs. To safely handle these inputs, filter_input() is an essential function. When used together, these two functions can significantly enhance security while ensuring efficiency and preventing issues such as XSS and injection attacks.

1. http_build_query() Introduction

http_build_query() accepts an array and converts it into a URL query string that conforms to the RFC 3986 encoding format. For example:

$params = [ 'search' => 'php', 'page' => 2 ];

$queryString = http_build_query($params);
// Output: search=php&page=2

This function is perfect for concatenating query strings, and when combined with paths, it allows for the quick creation of redirect URLs:

$url = 'https://m66.net/search.php?' . $queryString;

2. The Role of filter_input()

When handling user input, $_GET and $_POST should not be read directly, because unfiltered values may contain malicious content. filter_input() provides a standard interface for retrieving and validating or sanitizing input data in one call:

$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_STRING);
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT);

In the above code, the search parameter is sanitized (tags stripped, quotes encoded) so that it is plain text, and the page parameter is validated as an integer. Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1 and emits an E_DEPRECATED notice; on current versions use FILTER_SANITIZE_FULL_SPECIAL_CHARS or a FILTER_VALIDATE_REGEXP allow-list pattern instead. For both filters, filter_input() returns null when the parameter is absent and false when validation fails, which is why the code below checks for both values.

3. Combining Both Functions

Suppose we want to construct a redirect URL based on user input. We want to extract parameters from the URL, validate and sanitize them, and then concatenate them into a secure query string. We can do this as follows:

$params = [];

// filter_input() returns null if 'search' is absent and false if the filter rejects it
$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_STRING);
if ($search !== null && $search !== false) {
    $params['search'] = $search;
}

// FILTER_VALIDATE_INT rejects non-numeric strings such as "abc" or "1e3"
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT);
if ($page !== null && $page !== false) {
    $params['page'] = $page;
}

// Only the parameters that passed the filters are encoded into the query string
$queryString = http_build_query($params);

$redirectUrl = 'https://m66.net/results.php?' . $queryString;

// Perform redirect (example, do not use unvalidated direct redirects in production environments)
header('Location: ' . $redirectUrl);
exit;

In this way, we ensure that only valid and safe parameters are concatenated into the URL.
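The same pattern as a self-contained script, added here as an example and not code from the original article: it uses filter_var_array() instead of filter_input() so that it runs from the CLI on a constructed input array rather than on $_GET, replaces the deprecated FILTER_SANITIZE_STRING with a FILTER_VALIDATE_REGEXP allow-list, bounds the page number, keeps the base path server-controlled, and passes PHP_QUERY_RFC3986 explicitly so spaces become %20 rather than +. The function names and the regular expression are assumptions chosen for this example.

```php
<?php
declare(strict_types=1);

// Validate a raw parameter array (as $_GET would supply it) and return only the
// accepted parameters. filter_var_array() applies the same filters as
// filter_input() but takes an explicit array, so this runs offline.
function collectSearchParams(array $raw): array
{
    $definition = [
        // Length-bounded plain text. FILTER_SANITIZE_STRING is deprecated since
        // PHP 8.1, so validate against an allow-list pattern instead of stripping.
        'search' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[\p{L}\p{N} ._-]{1,100}$/u'],
        ],
        // Integer with explicit bounds; "abc", "-1" and "1e3" are all rejected.
        'page' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1, 'max_range' => 10000],
        ],
    ];

    $filtered = filter_var_array($raw, $definition);
    // Absent keys come back as null, failed validation as false: drop both.
    return array_filter($filtered ?: [], fn($v) => $v !== null && $v !== false);
}

// Build the redirect target from a fixed, server-controlled base path plus the
// validated parameters only; the base is never taken from the request.
function buildResultsUrl(array $params): string
{
    $base  = 'https://m66.net/results.php';
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return $query === '' ? $base : $base . '?' . $query;
}

// Constructed sample input: one well-formed request, then one carrying a tag
// injection attempt and a non-numeric page, which both filters reject.
$good = collectSearchParams(['search' => 'php filters', 'page' => '2']);
echo buildResultsUrl($good), PHP_EOL;

$bad = collectSearchParams(['search' => '<script>alert(1)</script>', 'page' => 'abc']);
echo buildResultsUrl($bad), PHP_EOL;
```

Run with `php example.php`; the second URL contains no query string at all, because neither parameter survived validation.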

4. Defending Against XSS and Injection Attacks

Untrusted user input may contain malicious script markup. By using filter_input() with FILTER_SANITIZE_STRING and the FILTER_VALIDATE_* filters, we can remove dangerous characters or reject values that do not match the expected type, thus preventing such attacks.

Additionally, by passing only validated parameters to http_build_query(), the risk of injection is further reduced: http_build_query() percent-encodes every key and value, so characters such as <, >, " and & cannot break out of the query string. Bear in mind that this protects the URL context only; values that are later rendered into an HTML page must still be escaped with htmlspecialchars() at output time.

5. Conclusion

Although using http_build_query() to construct query strings is convenient, the parameters must first be fully validated. Combining it with filter_input() not only improves the code quality but also enhances the security of web applications. This combination should become a standard practice for developers, especially when constructing links from user input.