
If URL contains X do Y


r0b


I'm facing a problem with a simple script I wrote. It has to write out an error if there's a "<" character in the URL.

 

$url = basename($_SERVER['PHP_SELF']).$_SERVER['QUERY_STRING'];

if(strpos($url, "<") !== FALSE) //found
echo die ("error");

 

Which does the right thing for example:

 

example.com/< will output an error

while

example.com/?< doesn't output the error.

 

Does anyone have any idea how to make "<" display the error even if the ? (question mark) is in front of it?


I also know this would work (note I replaced < with ? this time):

 

if(strpos($url, "?") !== FALSE) //found
echo die ("error");

 

But I don't want to block the "?", I just want < to be blocked no matter what. (even if it has the question mark in front of it)


I think I'm getting closer to the problem, at least an idea on how to solve this:

 

$ill = "<";
$ill .="?";
$url = basename($_SERVER['PHP_SELF']).$_SERVER['QUERY_STRING'];

if(strpos($url, $ill) !== FALSE) //found
echo die ("error");

 

What I'm trying to do here is, if the URL contains both < and ?, show error, but still no luck.

Still trying to make the original idea work, to show error if < is used in a URL, even if it has a ? in front of it. (Works perfectly if there's no ? in front of it).


All this time I was applying this code to one page and testing on another. I changed the code to the appropriate page and expected it to work, but it still isn't doing what it's supposed to.

 

Any more fresh ideas?


Have you echoed $_SERVER['PHP_SELF'] and $_SERVER['QUERY_STRING'] so that you would see what you are actually receiving?

 

No, to be honest, and by saying that I think you just solved my whole problem. Check end of the post for the (hopefully) last problem on this.

 

It gives out: (please mind I use .htaccess to change ?page=Pagename to just PageName)

 

index.phppage=PageName

 

This means, I have to add something in between, a question mark.

 

So the new code is: (just added the ? so it would process it correctly)

	$hostname = $_SERVER['PHP_SELF'];
$hostname = str_replace('index.php', '', $hostname);
$hostname = str_replace($page, '', $hostname);

$ill = "<";
$url = basename($_SERVER['PHP_SELF'])."?".$_SERVER['QUERY_STRING'];

It now outputs

index.php?page=PageName

 

Testing it out on the URL: "example.com/PageName<" - Does not display the error.

Testing it out with the question mark "example.com/PageName?<" - Does not display the error, but when echoed it shows "%3C"

Took it a step further and changed the < in the PHP file to %3C.

index.php?page=PageName< finally displays the error, and later
index.php?page=PageName?< (finally displays the error)

while example.com/PageName< doesn't display the error anymore. (neither does adding <?)

 

It now displays error on the index.php? URLs but not on the regular /PageName.

I presume this is because of the < changing to %3C.

Is there any way I can define $ill as both < and %3C? (I know they're the same, but I think it would fix this.)

 

I'm trying

$ill = "%3C";
$ill .= "<";

 

But it's still not doing the trick.

Thanks for the huge heads up PFMaBiSmAd.


The %3C is a urlencoded value.

 

If you use urldecode on the parts of the URL, %3C will be converted back to a <.

 

Thanks again for the tip.

 

Is there any way to attach more signs or words to the variable $ill if I wanted more of those? (example shown above)

 

$ill = "word1";
$ill .= "somethingelse";
$ill .= "!!!";
$url = basename($_SERVER['PHP_SELF'])."?".$_SERVER['QUERY_STRING'];

if(strpos($url, $ill) !== FALSE) //found
echo die ("error");
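
An added example, not part of the original thread, showing one way to check a URL for several forbidden strings after decoding it, which covers both the %3C problem and the question about attaching more values to $ill. The function name find_forbidden_token(), the token list and the sample URLs are assumptions made for illustration, and reading $_SERVER['REQUEST_URI'] instead of PHP_SELF plus QUERY_STRING is a choice made here, not something from the posts.

```php
<?php
// Added example, not code from the thread; find_forbidden_token() and the
// token list are hypothetical names and values chosen for illustration.

// Return the first forbidden token found in a raw request URL, or null.
function find_forbidden_token(string $rawUrl, array $forbidden): ?string
{
    // Percent-decode until stable (at most 3 passes) so "%3C" and the
    // double-encoded "%253C" are both reduced to "<" before the check.
    $decoded = $rawUrl;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }

    // strpos() searches for ONE needle, so tokens joined with .= only match
    // when they appear back to back. Test each token on its own instead.
    foreach ($forbidden as $token) {
        if (stripos($decoded, $token) !== false) { // case-insensitive match
            return $token;
        }
    }
    return null;
}

$forbidden = ['<', 'word1', 'somethingelse', '!!!']; // constructed sample tokens

// Constructed sample URLs covering the cases tried in the thread.
$samples = [
    '/PageName',
    '/PageName<',
    '/PageName?%3C',
    '/index.php?page=PageName%3C',
    '/index.php?page=PageName%253C',
];
foreach ($samples as $url) {
    $hit = find_forbidden_token($url, $forbidden);
    printf("%-32s %s\n", $url, $hit === null ? 'ok' : "blocked ($hit)");
}

// On the real page: REQUEST_URI holds the path and query string as the
// client sent them, before any .htaccess rewrite. It is unset on the CLI.
if (find_forbidden_token($_SERVER['REQUEST_URI'] ?? '', $forbidden) !== null) {
    http_response_code(400);
    die('error');
}
```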
