How to properly sanitize URL as a link in PHP?

This is outdated now :

I am using the PHP function filter_var($_POST['url'], FILTER_VALIDATE_URL) to validate the URL before adding it to database using prepared statement.

Instead of FILTER_VALIDATE_URL

you can use the following trick :

$url = "your URL" $validation = "/^(http|https|ftp):\/\/([A-Z0-9][A-Z0-9_-]*(?:\.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?\/?/i"; if((bool)preg_match($validation, $url) === false) echo 'Not a valid URL'; 

I think it may works for you. All the best :)

After sanitizing, the URL Use, XSS related scripts, just change %2f character using

str_replace('%2f', '/', $result) after your your code, but before the filter_var() and it will change it back to its original character. So, your script can go on.

Do not allow urls with tags.

A user inserting a tag to a url means its probably malicious. Having "homepages" containing tags is just wrong.