zVirx
Posted July 23, 2009

Hello, I've been trying to validate a website name from a "form", but couldn't get around it somehow. The main function is: I run the name of the website through an "nslookup" command with an "exec()" function on my server, and check if the website is valid. BUT this function is insecure because people might pipe commands through that and gain access to my server. I've tried it and was able to hack my own code :-\ So I thought I might run the name of the website through a tight regex first, which will eliminate that exploit. Is there such a regex?! Thanks.

Wuhtzu
Posted July 23, 2009

You could first filter your input using a suitable regex and one of PHP's regular expression matching functions like preg_match:

preg_match('/^(http:\/\/)?(www\.)?([a-z0-9_-])+\.[a-z]{2,4}(\/[a-z0-9_.\/#?&=]*)?$/i', $url)

which will do something like this:

Valid: http://www.lol.dk/tis.html
Valid: www.lol.dk/tis.html
Valid: lol.dk/dild.html
Valid: http://www.lol.dk/dild.html
Valid: http://www.lol09-10.info/script.php?id=2&lol=nice#top
Not valid: htp://www.newz.dk
Not valid: <?php echo 'lol' ?>

Just modify the regex to suit your needs - which TLDs to allow, whether or not to allow a file/path being specified and arguments being passed, etc.

Afterward you could use cURL instead of some DNS lookup via exec. cURL allows you to "visit remote pages", download their content, pass posts/gets to them and so on. So you could use it to request the page the user entered and check what HTTP status code is returned.

<?php
$url = "www.phpfreaks.com";

$ch = curl_init();

// set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_NOBODY, 1);

// send the request (headers only, because of CURLOPT_NOBODY)
curl_exec($ch);

// status code of the response; 0 if the request failed
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($http_code == false) {
    $http_code = "look up failed";
}

echo "$url - HTTP Code=$http_code";

// close cURL resource, and free up system resources
curl_close($ch);
?>

which will give something like:

http://www.phpfreaks.com - HTTP Code=200
http://www.thiscantpossiblyexistbecauseofthenumbers1234567979892937475.com - HTTP Code=look up failed
www.newz.dk - HTTP Code=301
http://wuhtzu.dk - HTTP Code=200
http://www.jalæwejkfaweihfneue.dk - HTTP Code=look up failed
www.phpfreaksss.com - HTTP Code=look up failed

That's how I would do it, I think.
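
An added example (not part of the thread and not Wuhtzu's code): one way to do the check zVirx describes without handing user input to a shell. It reduces the input to a bare hostname with an allow-list pattern and resolves it with PHP's built-in checkdnsrr() instead of exec(); the function names and sample inputs are constructed, and internationalized (non-ASCII) domain names are assumed out of scope.

```php
<?php
/**
 * Reduce user input to a bare hostname, or return null if it is not one.
 * Allow-list: letters, digits, hyphens and dots; labels of 1-63 characters;
 * at most 253 characters in total. (Hypothetical helper, added for illustration.)
 */
function extract_hostname(string $input): ?string
{
    $input = trim($input);
    // Accept "example.com" as well as "http://example.com/path".
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $input)) {
        $input = 'http://' . $input;
    }
    $host = parse_url($input, PHP_URL_HOST);
    if (!is_string($host) || strlen($host) > 253) {
        return null;
    }
    // \z instead of $ so a trailing newline cannot slip past the end anchor.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?:' . $label . '\.)+[a-z]{2,63}\z/i', $host)) {
        return null;
    }
    return strtolower($host);
}

/** Resolve through the resolver library: no exec(), so no shell parses the input. */
function hostname_resolves(string $host): bool
{
    return checkdnsrr($host, 'A') || checkdnsrr($host, 'AAAA');
}

// Constructed sample inputs, some carrying shell metacharacters.
$samples = [
    'www.phpfreaks.com',
    'http://www.lol.dk/tis.html',
    'example.com; echo test',
    'example.com | echo test',
    '$(echo test).example.com',
    "example.com\n",
];
foreach ($samples as $s) {
    $host = extract_hostname($s);
    printf("%-32s => %s\n", json_encode($s), $host === null ? 'rejected' : "hostname $host");
    // With network access, follow up on accepted names:
    // if ($host !== null && hostname_resolves($host)) { ... }
}
```

If an external command really has to be run, pass only the value returned by extract_hostname() and wrap it in escapeshellarg() as a second layer.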

zVirx
Posted August 4, 2009

Yay, I am gonna implement that cURL part ^^ Thanks, Wuhtzu