Check that the redirection address is the site itself - PHP
<p>I have a multilingual website; the change-language functionality works like this:</p>
<pre><code>change_lang.php?lang=en&amp;return=www.example.com/pages/etc</code></pre>
<p>In change_lang.php I read <code>$_GET['return']</code> into <code>$return_addr = $_GET['return']</code> and then use <code>header("location:" . $return_addr)</code> to send the user back to where he was. Now imagine someone wants to pollute the return address:</p>
<pre><code>change_lang.php?lang=en&amp;return=www.HACKER-SITE.com/virus.exe</code></pre>
<p>To prevent this, I want to limit the <code>$return_addr</code> value to the local machine (server) only. My code is:</p>
<pre><code>&lt;?php
// BASE_URL is defined elsewhere as the site's own address, e.g. http://example.com
$return_addr = $_GET['return'];

if (substr(BASE_URL, 0, 8) == 'https://') {
    $start_len = 8;
    $return_http = 'https://';
} else {
    $start_len = 7;
    $return_http = 'http://';
}

// strip the scheme from BASE_URL and compare its first 10 characters with the return value
$http_extracted_base_url = substr(BASE_URL, $start_len);

if (substr($http_extracted_base_url, 0, 10) == substr($return_addr, 0, 10)) {
    // OK
} else {
    // NOT OK
    exit();
}
?&gt;</code></pre>
<p><code>BASE_URL</code> is a defined value of my domain, like <code>http://example.com</code>. The above code works well when the user is not using "www" in his address, but when he does, I need to check another thing in my code. All of this must have a better solution, and that's my question: how am I supposed to check whether the return URL is going back to the site itself? I don't want to check http<code>s</code> or www; also, we may want to have another domain parked on our site in future, so some users may use the second address and the above code fails since <code>BASE_URL</code> is defined as the first domain.</p>
<p>P.S.: I don't want to <code>PING</code> the domain of the return address; execution functions are disabled on the server.</p>
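One way to do this check, as an added example that is not the asker's code: parse the return value and compare its host against an explicit allow-list of the site's own hostnames (www and parked domains included), then rebuild the URL from the parsed parts. The hostnames are constructed for the example, and `str_starts_with()` assumes PHP 8 or newer.

```php
<?php
// Added example, not the asker's code. Validate the "return" parameter by parsing
// it and checking its host against an allow-list of our own hostnames, instead
// of comparing string prefixes. Hostnames are constructed for the example.
const ALLOWED_HOSTS = ['example.com', 'www.example.com', 'example.org', 'www.example.org'];

/**
 * Return a normalised absolute URL on one of ALLOWED_HOSTS, or null when the
 * value must not be used as a redirect target. A value with no scheme
 * ("www.example.com/pages/etc") gets $scheme prepended so parse_url() sees a host.
 */
function safe_return_url(string $return, string $scheme = 'https'): ?string
{
    $return = trim($return);
    if ($return === '' || strpbrk($return, "\r\n\0") !== false) {
        return null;                                   // CR/LF would corrupt the Location header
    }
    if (str_starts_with($return, '//')) {
        return null;                                   // scheme-relative URLs point at another host
    }
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $return)) {
        $return = $scheme . '://' . $return;           // bare "host/path" -> "https://host/path"
    }
    $parts = parse_url($return);
    if ($parts === false || !isset($parts['host'], $parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                                   // only web schemes are acceptable targets
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                                   // userinfo can disguise the real host
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                                   // www and parked domains are all listed explicitly
    }
    // Rebuild from the parsed pieces: port and userinfo are dropped, path/query/fragment kept.
    $path     = $parts['path'] ?? '/';
    $query    = isset($parts['query'])    ? '?' . $parts['query']    : '';
    $fragment = isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
    return strtolower($parts['scheme']) . '://' . $host . $path . $query . $fragment;
}

// Usage in change_lang.php: fall back to the home page when the value is rejected.
$target = safe_return_url($_GET['return'] ?? '') ?? 'https://example.com/';
header('Location: ' . $target, true, 302);
exit;
```

With this, `return=www.example.com/pages/etc` redirects to `https://www.example.com/pages/etc`, while a value whose host is not on the list sends the user to the home page instead.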