I am wondering if this is a proper way to check if a string contains nothing but a URL:
if (stripos($string, 'http') == 0 && !preg_match('/\s/', $string)) {
    do_something();
}
stripos() checks if the string starts with "http"
preg_match() checks if the string contains spaces
If not so, I assume that the string is nothing but a URL - but is that assumption valid? Are there better ways to achieve this?
Use filter_var()
if (filter_var($string, FILTER_VALIDATE_URL)) {
    // you're good
}
The filters can be even more refined. See the manual for more on this.
In PHP there is a better way to validate the URL:
http://www.php.net/manual/en/function.filter-var.php
if(filter_var('http://example.com', FILTER_VALIDATE_URL)) {
    echo 'this is URL';
}
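To more securely validate URLs (and those 'non-ascii' ones), you can:
1. Check with the filter (be sure to check the manual on which filter suits your situation)
2. Check to see if there are DNS records
// idn_to_ascii() and checkdnsrr() both expect a bare host name, not a full URL
$host = parse_url($URL, PHP_URL_HOST);
$ascii = $host ? idn_to_ascii($host) : false;
$string = $ascii ? str_replace($host, $ascii, $URL) : $URL;
if (filter_var($string, FILTER_VALIDATE_URL) && $ascii && checkdnsrr($ascii, "A")) {
    // you have a valid URL
}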
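The checks discussed in this thread, side by side, as an added example that is not taken from any of the answers: the question's test, and a stricter one that runs filter_var() and then restricts the scheme to http/https. The helper names is_http_url() and question_check() and the sample strings are assumptions made for illustration.

```php
<?php
// Added example (not from the original answers); is_http_url() is a hypothetical name.

// True only if the whole string is a syntactically valid http(s) URL with a host.
function is_http_url($string)
{
    if (!is_string($string) || $string === '') {
        return false;
    }
    // Rejects embedded whitespace and non-URL text, but accepts any scheme.
    if (filter_var($string, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($string);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Scheme allow-list: the intent behind the "starts with http" test.
    return in_array(strtolower($parts['scheme']), array('http', 'https'), true);
}

// The check from the question, kept unchanged for comparison.
function question_check($string)
{
    return stripos($string, 'http') == 0 && !preg_match('/\s/', $string);
}

// Constructed sample inputs.
$samples = array(
    'http://example.com/path?x=1',
    'hello',                       // no "http" at all: stripos() returns false, and false == 0
    'httpfoo',                     // starts with "http" but is not a URL
    'ftp://example.com/file',      // valid URL, scheme not wanted
    'http://example.com and more', // URL followed by other text
);
foreach ($samples as $s) {
    printf("%-30s question: %-3s strict: %s\n", $s,
        question_check($s) ? 'yes' : 'no',
        is_http_url($s) ? 'yes' : 'no');
}
```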
Related
I am using the strpos function to validate a url that is submitted by a user and I want to make sure I'm not missing anything that would allow the user to bypass the validation and submit a url that is inappropriate.
Take the following as an example, if I only want a user to be able to input a url associated with the youtube domain, I don't want them to be able to put a wildcard (*) or something in that would "trick" the strpos function.
$url = $request->input('url');
// Check if Youtube url is found
if (strpos($url, 'http://youtube.com') > -1)
{
    // some code
}
// some code
Thanks!
strpos returns false when in a not found condition and 0 if the string appears in the first column, which also looks like false to PHP, so it would be more accurate to use === or !==
$url = $request->input('url');
// Check if Youtube url is found
if (strpos($url, 'http://youtube.com') !== FALSE)
{
    // some code when youtube is found in url
}
You would be better off using a Regular expression.
^(https?\:\/\/)?(www\.)?(youtube\.com|youtu\.?be)\/.+$
Try it out.
Remember to test with type safe equation.
strpos will find the position of first occurrence in the string. So
if there is a match in the beginning of string (position 0)
if (strpos($url, 'http://youtube.com') > -1)
will return 0 which will be interpreted as false. You're in trouble here.
Instead, do it type safely:
if (strpos($url, 'http://youtube.com') !== false)
This means no matter where in the string your substring is found, it will be considered true and you know there is a match.
My latest issue involves trying to find "http://" in a variable. This variable contains the contents of a comments section on a client's website. I have seen all kinds of answers but none of them seem to work. I looked at a few other posts on here and I have yet to get the best answer. Here is what I have so far:
if(strpos($comments, 'http://') == true) {
    // Does stuff here
}
I noticed other people use preg_match and some said to do it in an array. I am getting confused, too many options. Just kidding. I would like some clarification though and any advice would be greatly appreciated.
You'll need to say:
if(strpos($comments, 'http://') !== false) {
...since it can return 0 (which is falsey) if http:// is at the beginning of the string.
NOTE: This will only find the first occurrence of http:// in the string.
Take a close look at the reference: http://php.net/manual/en/function.strpos.php
You need to change the code like this:
if(strpos($comments, 'http://') === false) {
    //no link
}
because strpos returns an integer, which is the position of your string.
Example:
full string: "http://stackoverflow.com hello"
you are finding: "http"
Naturally it returns 0.
But
full string: "ahttp://stackoverflow.com"
you are finding: "http"
it returns 1.
So you must use the === operator to check whether it is really 'boolean false'.
If you try to check with the == operator, you may get a failure because it treats 0 as false.
more detail: http://php.net/strpos
I found this was a better match: (recommended by phpstorm ide)
if(str_contains($e, '1062 Duplicate entry')) {
}
This is an easy one. There seem to be plenty of solutions to determine if a URL contains a specific key or value, but strangely I can't find a solution for determining if URL does or does not have a query at all.
Using PHP, I simply want to check to see if the current URL has a query string. For example: http://abc.com/xyz/?key=value VS. http://abc.com/xyz/.
For any URL as a string:
if (parse_url($url, PHP_URL_QUERY))
http://php.net/parse_url
If it's for the URL of the current request, simply:
if ($_GET)
The easiest way is probably to check to see if the $_GET[] contains anything at all. This can be done with the empty() function as follows:
if(empty($_GET)) {
    //No variables are specified in the URL.
    //Do stuff accordingly
    echo "No variables specified in URL...";
} else {
    //Variables are present. Do stuff:
    echo "Hey! Here are all the variables in the URL!\n";
    print_r($_GET);
}
parse_url seems like the logical choice in most cases. However I can't think of a case where '?' in a URL would not denote the start of a query string so for a (very minor) performance increase you could go with
return strpos($url, '?') !== false;
Over 1,000,000 iterations the average time for strpos was about 1.6 seconds vs 1.8 for parse_url. That being said, unless your application is checking millions of URLs for query strings I'd go for parse_url.
Like this:
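// QUERY_STRING is usually set but empty when the URL has no query, so also test for a non-empty value
if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] !== '') {
}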
I know HTTP_REFERER is not safe as a security measure, but I still want to know.
How can I check if the value of HTTP_REFERER contains www.someexample.com even though it may be www.someexample.com/awards/user/145??
if (false !== stripos($_SERVER['HTTP_REFERER'], "www.someexample.com")){
    //do stuff
}
if( stripos($_SERVER['HTTP_REFERER'], 'someexample.com') !== FALSE ) {
    // The link is from someexample.com (might not have "www" in it)
}
Note: This'll also match http://www.andsomeexample.com. If you want to prevent that, use parse_url:
if( parse_url($_SERVER['HTTP_REFERER'])['host'] == 'someexample.com'){
    // You're good to go...
}
echo parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
If using Apache, simply perform a preg_match on $_SERVER['HTTP_REFERER']
I have a PHP script that checks the HTTP Referer.
if ($_SERVER['HTTP_REFERER'] == 'http://www.example.com/') {...}
However, this seems inherently unsafe ... because what happens if the user goes to 'http://example.com/' or 'http://www.ExaMple.com' (both of which don't match the equality test).
Question: what's a better equality test to ensure that the HTTP Referer is coming from 'example.com' ?
parse_url() combined with a bit of string juggling should do what you want. Try this:
$url = parse_url($_SERVER['HTTP_REFERER']);
//take the last two 'dot segments' of the host
$hostOnly = implode('.',array_slice(explode('.',$url['host']),-2));
if (strtolower($hostOnly) == 'example.com') {
    //stuff
}
Note that parse_url() can fail on badly formed URLs, so you might want to add some error checking to be safe. HTTP_REFERER could easily be filled with junk.
Obligatory response: HTTP_REFERER can be spoofed so there is no way to be 100% sure anyone came from a specific website.
However if you do want to rely on it you can use a regex to look for "example.com" in the HTTP_REFERER. stristr() would also work, and probably would be recommended since it would be faster than a regex. It's also case insensitive so it would match "ExaMple.com" as well as "example.com".
Hope you don't check it for anything significant.
You can use the parse_url() function to get the hostname part and to check whether HTTP_REFERER actually contains a URL.
You can also just substr www. from the hostname.
Character case is not important as it's always lowercase.
Or use a regexp.
Using a regex, this would become
if(preg_match("%(http://)?(www\.)?example\.com(/)?%i",$_SERVER['HTTP_REFERER'])) { ... }
if (strtolower($_SERVER['HTTP_REFERER']) == 'http://www.example.com/') {...}
How about...
$parts = explode('/',$_SERVER['HTTP_REFERER']);
if (in_array('example.com',$parts) || in_array('www.example.com',$parts)) {...}
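One way to do the host comparison that both the YouTube question and the HTTP_REFERER questions above are after, as an added example rather than code from any of the answers: parse the URL and compare the host component itself, exactly or as a dot-separated subdomain, instead of searching the whole string. The helper name url_host_matches() and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original answers); url_host_matches() is a hypothetical name.

// True if $url is an absolute http(s) URL whose host is $domain or a subdomain of it.
function url_host_matches($url, $domain)
{
    if (!is_string($url)) {
        return false; // e.g. no Referer header was sent
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // malformed or relative URL
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    // Host names are case-insensitive; a trailing dot names the same host.
    $host   = rtrim(strtolower($parts['host']), '.');
    $domain = strtolower($domain);
    if ($host === $domain) {
        return true;
    }
    // Subdomain match against ".someexample.com", so that a host which merely
    // ends in the same letters (andsomeexample.com) does not pass.
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample values; only the first two should match.
$samples = array(
    'http://www.someexample.com/awards/user/145',
    'http://SomeExample.com/',
    'http://www.andsomeexample.com/',                // the look-alike noted in the answer above
    'http://someexample.com.other.test/',            // domain appears as a prefix of another host
    'http://other.test/?from=http://someexample.com', // domain appears only in the query
    'someexample.com',                               // not an absolute URL
);
foreach ($samples as $s) {
    printf("%-48s %s\n", $s, url_host_matches($s, 'someexample.com') ? 'match' : 'no match');
}
```

For the Referer case, pass `$_SERVER['HTTP_REFERER']` only after checking that it is set, and for the YouTube case call it with `'youtube.com'` as the domain.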