
I have a URL shortener script which works fine until I submit a link containing "http://", which gives me a 403 error. I'm new to PHP so you're going to have to go easy on me. My site is http://newurl.us

First I tried using str_replace() to stop people from submitting it.

<input id="url" type="text" name="url" value="<?php echo htmlentities(str_replace("http://","",@$_GET['url'])) ?>" />

I also tried the same with "http%3A%2F%2F" instead of "http://" which didn't work.

Now I'm looking over the script to make it all happen, but I can't find the problem (possibly due to my noobness). Is there something in the code preventing people from entering http://?

<?php
define('PHURL', true);
ini_set('display_errors', 0);
$prefix[0] = '';
?>
<?php
require_once("config.php");
require_once("functions.php");

db_connect();

if (count($_GET) > 0) {
    $_ERROR = array(); // collect validation messages (count() below needs a defined array)
    $input  = trim(@$_GET['url']);
    $url    = mysql_real_escape_string($input);   // mysql_* functions are deprecated and were removed in PHP 7
    $alias  = mysql_real_escape_string(trim(@$_GET['alias']));

    // Prepend "http://" unless the URL already has a scheme listed in
    // URL_PROTOCOLS (defined in config.php) or is a mailto: link.
    if (!preg_match("/^(".URL_PROTOCOLS.")\:\/\//i", $url)) {
        $prefix = explode(":", $url);
        if ($prefix[0] != 'mailto') {
            $url = "http://".$url;
        }
    }

    // Strip a single trailing slash.
    $last = $url[strlen($url) - 1];

    if ($last == "/") {
        $url = substr($url, 0, -1);
    }

    $data = @parse_url($url);
    if ($prefix[0] == 'mailto') {
        $data['scheme'] = 'mailto';
        $data['host']   = 'none';
    }

    // Test the raw input for emptiness: by this point $url has already had
    // "http://" prepended, so strlen($url) can never be 0.
    if (strlen($input) == 0) {
        $_ERROR[] = "Please enter a URL to shorten.";
    }
    else if (empty($data['scheme']) || empty($data['host'])) {
        $_ERROR[] = "Please enter a valid URL to shorten.";
    }
    else {
        $hostname = get_hostname();
        $domain   = get_domain();

        if (preg_match("/($hostname)/i", $data['host'])) {
            $_ERROR[] = "The URL you have entered is not allowed.";
        }
    }

    if (strlen($alias) > 0) {
        if (!preg_match("/^[a-zA-Z0-9_-]+$/", $alias)) {
            $_ERROR[] = "Custom aliases may only contain letters, numbers, underscores and dashes.";
        }
        else if (code_exists($alias) || alias_exists($alias)) {
            $_ERROR[] = "The custom alias you entered already exists.";
        }
    }

    if (count($_ERROR) == 0) {
        $create = true;

        if (($url_data = url_exists($url))) {
            $create    = false;
            $id        = $url_data[0];
            $code      = $url_data[1];
            $old_alias = $url_data[2];

            if (strlen($alias) > 0) {
                if ($old_alias != $alias) {
                    $create = true;
                }
            }
        }

        if ($create) {
            do {
                $code = generate_code(get_last_number());

                if (!increase_last_number()) {
                    die("System error!");
                }

                if (code_exists($code) || alias_exists($code)) {
                    continue;
                }

                break;
            } while (1);

            $id = insert_url($url, $code, $alias);
        }

        if (strlen($alias) > 0) {
            $code = $alias;
        }

        $short_url = SITE_URL."/".$code;

        $_GET['url']   = "";
        $_GET['alias'] = "";

        require_once("html/header.php");
        require_once("html/index_form.php");
        require_once("html/index_done.php");
        require_once("html/footer.php");
        exit();
    }
}

require_once("html/header.php");
require_once("html/index_form.php");
require_once("html/footer.php");
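Nothing in the script above emits a 403 itself (its failure paths add $_ERROR messages or die with "System error!"), so it is useful to run the URL normalisation and validation logic on its own, away from the web server and the database. The following is an added example, not the poster's script: that logic extracted into one CLI-runnable function, assuming URL_PROTOCOLS is 'http|https|ftp' and the site's own hostname is newurl.us (the real script reads both from config), with the hostname escaped via preg_quote().

```php
<?php
// Added example (not the poster's script): the URL normalisation and
// validation path extracted into one function, runnable from the CLI with
// no database. Assumptions: URL_PROTOCOLS = 'http|https|ftp' and the
// site's own hostname = 'newurl.us' (the script reads both from config).
define('URL_PROTOCOLS', 'http|https|ftp');

function normalise_and_check($input, $own_host = 'newurl.us')
{
    $url = trim($input);
    // Empty check before "http://" is prepended; afterwards the empty
    // string would be indistinguishable from "http://".
    if ($url === '') {
        return array('url' => $url, 'errors' => array('Please enter a URL to shorten.'));
    }
    // Same rule as the script: prepend http:// unless a known scheme
    // or a mailto: prefix is already present.
    $prefix = explode(':', $url);
    if (!preg_match('/^(' . URL_PROTOCOLS . '):\/\//i', $url) && $prefix[0] !== 'mailto') {
        $url = 'http://' . $url;
    }
    // Strip a single trailing slash.
    if (substr($url, -1) === '/') {
        $url = substr($url, 0, -1);
    }
    $data = parse_url($url) ?: array();
    if ($prefix[0] === 'mailto') {
        $data['scheme'] = 'mailto';
        $data['host']   = 'none';
    }
    $errors = array();
    if (empty($data['scheme']) || empty($data['host'])) {
        $errors[] = 'Please enter a valid URL to shorten.';
    } elseif (preg_match('/' . preg_quote($own_host, '/') . '/i', $data['host'])) {
        // preg_quote() added so dots in the hostname are not regex wildcards.
        $errors[] = 'The URL you have entered is not allowed.';
    }
    return array('url' => $url, 'errors' => $errors);
}

// Constructed sample inputs; note that "http://" URLs pass unchanged.
foreach (array('http://example.com/', 'example.com', 'mailto:a@example.com',
               'http://newurl.us/x', '') as $case) {
    $r = normalise_and_check($case);
    printf("%-24s -> %-24s %s\n", "'$case'", $r['url'],
           $r['errors'] ? implode('; ', $r['errors']) : 'OK');
}
```

If every "http://" case prints OK here, the PHP logic is not what rejects the request, and the 403 is being produced before or outside this script.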
Last Post by JorgeM