Jump to content

Recommended Posts

Hello, I've been trying to validate a website name from a "form" .. but couldn't get around it some how,

 

main function is i run the name of the website through a "nslookup" command with an "exec()" function on my server .. and check if the website is valid..

 

BUT this function is insecure because people might pipe commands through that and gain access to my server, I've tried it and was able to hack my own code :-\

 

So i thought i might run the name of the website through a tight regex first which will eliminate that exploit

is there such regex ?!

 

Thanks.

Link to comment
https://forums.phpfreaks.com/topic/167142-solved-website-validation/
Share on other sites

You could first filter your input using a suitable regex and one of php's regular expression mathcing functions like preg_match:

 

preg_match('/^(http:\/\/)?(www.)?([a-z0-9_-])+\.[a-z]{2,4}(\/[a-z0-9_.\/#?&=]*)?$/i', $url)

 

which will do something like this:

 

Valid: http://www.lol.dk/tis.html

Valid: www.lol.dk/tis.html

Valid: lol.dk/dild.html

Valid: http://www.lol.dk/dild.html

Valid: http://www.lol09-10.info/script.php?id=2&lol=nice#top

Not valid: htp://www.newz.dk

Not valid: <?php echo 'lol' ?>

 

Just modify the regex to suit your needs - which TLD's to allow, whether or not to allow a file/path being specified and arguments being passed ect.

 

Afterward you could use cURL instead of some dns look up via exec. cURL allows you to "visit remote pages", download their content, pass posts/gets to them and so on. So you could use it to request the page the user entered and check what http status code is returned.

 

<?php

$url = "www.phpfreaks.com";
$ch = curl_init();

// set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_NOBODY, 1);

// grab URL and pass it to the browser
curl_exec($ch);

$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if($http_code == false) {
$http_code = "look up failed";
}

echo "$url - HTTP Code=$http_code";

// close cURL resource, and free up system resources
curl_close($ch);

?>

 

which will give something like:

 

http://www.phpfreaks.com - HTTP Code=200

http://www.thiscantpossiblyexistbecauseofthenumbers1234567979892937475.com - HTTP Code=look up failed

www.newz.dk - HTTP Code=301

http://wuhtzu.dk - HTTP Code=200

http://www.jalæwejkfaweihfneue.dk - HTTP Code=look up failed

www.phpfreaksss.com - HTTP Code=look up failed

 

That's how I would do it I think :)

 

 

  • 2 weeks later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.