
safe user form input method


richardjh


I have a form which includes a one line form input box for letting users add a link to another website. The website URL ALWAYS begins the same (e.g. http://www.theexternalwebsite.com/..) but it then contains a long string (to the relevant pages). I want to validate the form so that the user can only add this domain name and if he tries to add any other domain name he blows up.. erm I mean gets a rejected message.

 

So:

http://www.theexternalwebsite.com/6373737nnvv/44?-22-d-f&.. will be accepted

but

http://www.notannicesite/6373737nnvv/44?-22-d-f&.. would be refused.

 

I've been trying to do this using preg_match and eregi functions like:

if (!eregi("^[http://thesite.com/]+[a-z.]$",$url)) { 
echo 'wrong URL'; 
} else {
// allow this url into the database
}

 

thank you for your help

 

R

https://forums.phpfreaks.com/topic/84793-safe-user-form-imput-method/

Well, you see each link will be different but the domain will be the same. Hence I want any link that starts with the given domain (e.g. http://www.myspace.com...) to be allowed but no other domain name. Then when a user adds say their own link to their myspace page (example only, I'm not actually linking to myspace) the link will be recognised as being a good link but if they try adding a link to any other domain name (say a link to their facebook page) it will be deemed no good.

 

thanks

 

not sure about teng84's suggestion - and I don't know that function - however you could always search for a ? and / - which usually finds the end of the domain name and beginning of directories or GET info -

all you would have to do is split the string at that point - and compare the first section to your own domain name.

you may also want to add in different features - so that a person can add:  domain.com/..... AND www.domain.com/... AND http://www.domain.com/...  - then validate those different inputs - using roughly the same method

 

 

good luck

or maybe this

$path = "http://www.theexternalwebsite.com/6373737nnvv/44?-22-d-f&..";
echo  dirname($path);

 

teng, your code outputs more than just the domain. I tried it and it echoes the domain plus the directory of the link. For instance, this:

http://www.theexternalwebsite.com/dp/0593058003/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1199739941&sr=8-1

outputs as:

http://www.theexternalwebsite.com/dp/0593058003/

 

whereas I want just

http://www.theexternalwebsite.com

 

 

 

 

righto,

after much scratching of head, I now have this bit of code which I've added to form validate and *seems* to work:

 

  if (!preg_match ("/http:\/\/www\.myspace(.*)\.(.*)/i", $url)) { 
die ('Sorry, this isn\'t an acceptable link'); 
}

 

Could anyone see any problems/bugs with using this code? It stops ANY URL from getting through unless it matches http://www.myspace.com/whatever?whatever..etc << using myspace as an example here.

 

thanks for advice

 

Expressions are the way to go, but your expression will allow http://www.myspace.net (not .com) and http://www.myspacesomethingelse.com (different domain name altogether).

 

I recommend anyone working with expressions to buy:

http://www.regexbuddy.com

 

 

Well, I don't know how tight you want to make the checking, that's why I recommend that you try it out yourself by using programs such as regexbuddy.

 

Anyway, the following expression is a basic one where it asserts that at the beginning of the string it must have http://www.myspace.com or https://www.myspace.com. It doesn't care what might be after the .com. It just depends how thoroughly you want to validate things.

 

'/^https?:\/\/www\.myspace\.com/i'
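
An added example, not code from any poster in this thread: the patterns above test only how the string begins, so a stricter check parses the URL and compares the whole host name. The function name `is_allowed_link` and the sample URLs are constructed for illustration; the allowed host is the placeholder domain from the first post.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): accept a link only if its
// parsed host is exactly the allowed one.
function is_allowed_link(string $url, string $allowedHost): bool
{
    // Reject whitespace, control characters and backslashes before parsing;
    // URL parsers do not agree on how to treat them.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only http/https links are expected from this form.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // No user:pass@ prefix and no explicit port.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    // Compare the whole host, not a prefix of the string.
    return strtolower($parts['host']) === strtolower($allowedHost);
}

// Constructed sample inputs.
$allowed = 'www.theexternalwebsite.com';
$prefix  = '/^https?:\/\/www\.theexternalwebsite\.com/i'; // prefix-only pattern
$samples = [
    'http://www.theexternalwebsite.com/6373737nnvv/44?-22-d-f',
    'https://WWW.TheExternalWebsite.com/dp/0593058003/',
    'http://www.theexternalwebsite.com.other.example/page',
    'http://www.theexternalwebsite.com@other.example/page',
    'http://www.notannicesite/6373737nnvv/44',
];

foreach ($samples as $url) {
    printf(
        "%-55s prefix=%-3s host=%s\n",
        $url,
        preg_match($prefix, $url) ? 'yes' : 'no',
        is_allowed_link($url, $allowed) ? 'yes' : 'no'
    );
}
```

The third and fourth samples pass the prefix pattern but point at a different host, which the host comparison rejects.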

 

Archived

This topic is now archived and is closed to further replies.
