Ι don't know how to well write this. I am trying to make a .php file with the name copy_from_url_=_.php. Then, I'd like as soon as user enters an url before dot, the contents of the specific url to be displayed on the above .php site.
Example: I go to url copy_from_url_=_.php. Nothing is displayed because no url is given. Then I retype copy_from_url_=_www.example.com.php and the contents of www.example.com are displayed on my php url.
I know the second part that can be done with the file_get_contents function but I miss the first part. Any ideas?
Validate the $_GET value. This will tell you if anything is there (and is a valid format)
if( filter_var($_GET['copy_from_url'], FILTER_VALIDATE_URL) ) {
//URL given!
//Either use cURL or file_get_contents
} else {
//No url given
}
The the sake of readability/niceness/OCD, I would remove the ending .php. It'll help the end-user experience quickly identify where they are coping from. However, if you don't want to, do the following;
$strUrl = rtrim($_GET['copy_from_url'], '.php');
if( filter_var($strUrl, FILTER_VALIDATE_URL) ) {
https://eval.in/200283
Related
Very probably this is impossible, but I want to ask it, just in case.
I have a database in which I save some numbers (1, 2, 3...).
I have a .php page from which I read the numbers. I concat those numbers to a string for getting a full URL. For exmaple:
$intArticle = $row["article"];
$strURLBase = "example.com/index.php/"
$strLink = $strURLBase . $intArticle;
//And I get "example.com/index.php/1"
But now, there is an exception in which the URL points to an external website, so my code is not valid for now.
I know how to fix it in .php, but I would like to know if it is possible to make the redirect directly inside the URL, saving the properly string inside the database. For example:
$intArticle = $row["article"]; //In this case, the value of $row["article"] could be, for example, "http://www.externalweb.com"
$strURLBase = "example.com/index.php/" //This part should be ignore inside the URL
$strLink = $strURLBase . $intArticle;
//I would get "example.com/index.php/http://www.externalweb.com"
Is there any kind of instruction that I could write inside the URL (that I would save into the database and then I would concat to $strURLBase) that redirects to another URL? For example:
example.com/index.php/!$%&_redirec_to("http://www.externalweb.com")
I don't want to call any PHP function from the URL for the redirection. In fact any PHP code shouldn't be executed. Everything should be inside the URL.
Try this:
if (!is_numeric($intArticle))
{
header("Location: ".$strLink."");
exit;
}
// your site will continue here, if the article is a number
My url is www.mysite.com/properties/property-1-someplace
The /property-1-someplace/ is dynamically generated.
I'm writing an if statement that asks if the url is properties/property-1-someplace then execute code, but property-1-someplace is generated by wordpress and thus is constantly changing.
How can I target pages that are in the properties directory, but access the url afterwards if I don't know what that url is?
I can use the PHP variable $pagename but that does not address the properties part of the url.
If I could do <?php if (is_page( 'property/*.*' ) ): that would be perfect.
Any ideas?
EDIT:
Sorry I misunderstood your question, here is what you are probably looking for. Note that you may have to change the regular expression pattern to /^properties/ depending on the value of $pagename. If $pagename contains the whole URL (e.g. with domain name) then you will need to update the code with the domain name.
if( preg_match( '/^\/properties/', $pagename ) ) {
// Do your stuff here.
}
Ok so when somebody types this into the URL mywebsite.com/?s1=affiliateid
I want to take the affiliateid part out of the URL. Every affiliate will put a different username into the address.
Then I want to create a link will point to differentwebsite.com/?id=affiliateid based on the username typed into the address bar.
Now so far, I know that I have to have something like this will get that affiliate id
$aff_id = $_GET['s1'];
Then I can use that variable to create a link or just redirect it to the next page
differentwebsite.com/?id=$aff_id
My question is, where do I place this code at? $aff_id = $_GET['s1'];
Do I have to make a page called ?s1.php or something?
Assuming s1 isn't used anywhere else but just to create a link:
<?php
$s1 = isset($_GET['s1']) && !empty($_GET['s1'])
? $_GET['s1'] // it's populated, use the passed value
: ''; // default value in case it's not present
//
// Maybe check $s1 is indeed valid
//
$newurl = sprintf('http://differentwebsite.com/?id=%s', urlencode($_GET['s1']));
?>
Then you can output that link somewhere on the page, like:
New Url Here
urlencode will make sure that if s1 has characters like &, =, ?, / (or others) it won't break the integrity of the url.
If you want the concise approach:
<a href="http://differentwebsite.com/?id=<?= urlencode($_GET['s1']); ?>">
New Url Here
</a>
You could place $aff_id = $_GET['s1'] anywhere before you want to use $aff_id. I tend to put stuff like that at the top of the page.
Or, simply put. "differentwebsite.com/?id=$_GET['id']"
I would suggess you do a check to see if the id parameter exists in the URL before you try to use it. Maybe even make sure it is the data type you expect, integer, string, etc. So as when you redirect users, you don't send them somewhere else in a broken way.
If you are not using this for SQL then no SQL Injection could occur #BlackHatShadow.
Append the $aff_id that you get from mywebsite.com to the url of the new web site. Presumably, $newurl = "differentwebsite.com/?id=".$aff_id.
Edit:
Do I have to make a page called ?s1.php or something?
You need to make a page that the user will land on when they hit the url: www.mywebsite.com/
I assume you are running a web server that can process PHP code. The code can go into a file called index.php in your server's document root directory. If you don't know what this is, I suggest googling a "how to" guide for your specific server.
Get the value of "s1" from the url and store it in $aff_id:
$aff_id = $_GET['s1'];
If you want to pass this variable into another web site which accepts an "id" parameter, then you can simply append $aff_id to the new web URL and redirect the user there.
Redirect the user to differentwebsite.com and also sends the $aff_id from mywebsite.com to the other URL:
header('Location: http://www.differentwebsite.com/?id='.$aff_id);
So I made a script so that I can just use includes to get my header, pages, and then footer. And if a file doesnt exist a 404. That all works. Now my issue is how I'm supposed to get the end of the url being the page. For example,
I want to make it so that when someone goes to example.com/home/test, it will automatically just include test.php for example.
Moral of the story. How to some how get the page name. And then use it to "mask" the end of the page so that I don't need to have every URL being something.com/home/?p=home
Heres my code so far.
<?php
include($_SERVER['DOCUMENT_ROOT'].'/home/lib/php/_dc.php');
include($_SERVER['DOCUMENT_ROOT'].'/home/lib/php/_home_fns.php');
$script = $_SERVER['SCRIPT_NAME']; //This returns /home/index.php for example =/
error_reporting(E_ALL);
include($_SERVER['DOCUMENT_ROOT'].'/home/default/header.php');
if($_GET["p"] == 'home' || !isset($_GET["p"])) {
include($_SERVER['DOCUMENT_ROOT'].'/home/pages/home.php');
} else if(file_exists($_SERVER['DOCUMENT_ROOT'].'/home/pages/'.$_GET["p"].'.php')) {
include($_SERVER['DOCUMENT_ROOT'].'/home/pages/'.$_GET["p"].'.php');
} else {
include($_SERVER['DOCUMENT_ROOT'].'/home/default/404.php');
}
include($_SERVER['DOCUMENT_ROOT'].'/home/default/footer.php');
?>
PHP by itself wouldn't be the best choice here unless you want your website littered with empty "redirect" PHP files. I would recommend looking into the Apache server's mod_rewrite module. Here are a couple of guides to get you started. Hope this helps!
The simplest way would be to have an index.php file inside the /home/whatever folder. Then use something like $_SERVER['PHP_SELF'] and extract the name if you want to automate it, or since you are already writing the file yourself, hardcode it into it.
That however looks plain wrong, you should probably look into mod-rewrite if you are up to creating a more complex/serious app.
I would also recommend cakePHP framework that has the whole path-to-controller thing worked out.
I have this very simple script that allows the user to specify the url of any site. The the script replaces the url of the "data" attribute on an object tag to display the site of the users choice inside the object on the HTML page.
How could I validate the input so the user can't load any page from my site inside the object because I have noticed that it will display my code.
The code:
<?php
$url = 'http://www.google.com';
if (array_key_exists('_check', $_POST)) {
$url = $_POST['url'];
}
//gets the title from the selected page
$file = # fopen(($url),"r") or die ("Can't read input stream");
$text = fread($file,16384);
if (preg_match('/<title>(.*?)<\/title>/is',$text,$found)) {
$title = $found[1];
} else {
$title = "Untitled Document";
}
?>
Edit: (more details)
This is NOT meant to be a proxy. I am letting the users decide which website is loaded into an object tag (similar to iframe). The only thing php is going to read is the title tag from the input url so it can be loaded into the title of my site. (Don't worry its not to trick the user) Although it may display the title of any site, it will not bypass any filters in any other way.
I am also aware of vulnerabilities involved with what I am doing that's why im looking into validation.
As gahooa said, I think you need to be very careful with what you're doing here, because you're playing with fire. It's possible to do safely, but be very cautious with what you do with the data from the URL the user gives you.
For the specific problem you're having though, I assume it happens if you get an input of a filename, so for example if someone types "index.php" into the box. All you need to do is make sure that their URL starts with "http://" so that fopen uses the network method, instead of opening a local file. Something like this before the fopen line should do the trick:
if (!preg_match('/^http:\/\//', $url))
$url = 'http://'.$url;
parse_url: http://us3.php.net/parse_url
You can check for scheme and host.
If scheme is http, then make sure host is not your website. I would suggest using preg_match, to grab the part between dots. As in www.google.com or google.com, use preg_match to get the word google.
If the host is an ip, I am not sure what you want to do in that situation. By default, the preg match would only get the middle 2 numbers and the dot(assuming u try to use preg_match to get the sitename before the .com)
Are you aware that you are creating an open HTTP proxy, which can be a really bad idea?
Do you even need to fetch the contents of the URL? Why don't you let your user's browser do that by supplying it with the URL?
Assuming you do need to fetch the URL, consider validating against a known "whitelist" of URLs. If you can't restrict it to a known list, then you are back to the open proxy again...
Use a regular expression (preg) to ensure it is a good HTTP url, and then use the CURL extension to do the actual request.
Mixing the fopen() family of functions with user supplied parameters is a recipe for potential disaster.
You could use PHP filter.
filter_var($url, FILTER_VALIDATE_URL) or
filter_input(INPUT_POST, 'url', FILTER_VALIDATE_URL);
http://php.net/manual/en/function.filter-input.php
Also try these documents referenced by this PHP wiki post related to filter
https://wiki.php.net/rfc/add_validate_functions_to_filter?s[]=filter
by Yasuo Ohgaki
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
http://cwe.mitre.org/top25/mitigations.html