PHP External Link Help

Developer https://www.devze.com 2023-01-26 06:33 Source: Internet

Hi I have the following page which sets a cookie with the current URL and also a simple external link.

<?php

function pageURL()
    {
        $pageURL = 'http';
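        // HTTPS is not set at all on plain HTTP requests, so test for it first
        if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on")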
        {
            $pageURL .= "s";
        }
        $pageURL .= "://";
        if ($_SERVER["SERVER_PORT"] != "80")
        {
            $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
        } 
        else
        {
            $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
        }
        return $pageURL;
    }

    $CurrentPage = pageURL();

    setcookie('linkback', $CurrentPage);

?>

<p><a href="http://www.google.com/">External Link</a></p>

What I want to do is, using PHP, add a prefix to all external links so that they have the following structure:

localhost/outgoing?url=http://www.google.com/

This loads up an outgoing page like so:

    <?php

    if(!isset($_GET['url']))
    {
        header('HTTP/1.0 404 Not Found');
    }

    ?>

<h1>Warning! Now leaving website</h1>

    <ul>
                <li><a title="Return to Website" href="<?php if(isset($_COOKIE['linkback'])) { echo $_COOKIE['linkback']; } else { echo 'http://localhost:8888/creathive/'; } ?>">Return to Website</a></li>
                <li><a title="Continue to <?php echo $_GET['url']; ?>" href="<?php echo $_GET['url']; ?>">Continue to <?php echo $_GET['url']; ?></a></li>
            </ul>

The idea is that using the cookie set in the previous page I can have a simple back button, and also grab the url from the query and allow the user to continue after being warned they are leaving the site.

The problems I have are:

1.) Prefixing external URLS so that they go to the outgoing page

2.) The isset on the top of the outgoing page is supposed to be throwing a 404 if a user visits the outgoing page without a url query string but isn't

3.) Need to make sure that URLS are valid so for example prevent this from happening: localhost/outgoing?url=moo


You will need to replace every external URL in your code according to the new scheme. There is no way of doing this automatically for all outgoing links.

This is because, if the user clicks on an external URL, the request is not sent to your server, but the external one.

Edit: The only thing you could do is caching all your output with ob_start() and then replace all links using a regexp, before printing them on your page.

But the better solution would be to replace all links yourself.


  1. Can you elaborate?

  2. Isset isn't exactly the "right" tool. Try array_key_exists('url', $_GET)…. Code like this should do ya.

    // True only when ?url= is present and non-empty
    function haveUrl() {
        if (array_key_exists('url', $_GET)) {
            $url = $_GET['url'];
            if (!empty($url)) return true;
        }
        return false;
    }

  3. You can simply check to see if they start with http:// or https://... This may be done best with a regex…. something like…

    function validUrl($url) {
        // Must start with http:// or https://, anchored at the start of the string
        if (preg_match('/^(http:\/\/|https:\/\/)/i', $url)) {
            // Reject links that point back at localhost
            if (preg_match('/localhost/i', $url)) return false;
            else return true;
        }
        return false;
    }


1) I would create a class for all links, and use something like $links->create("http://...") and there you place the redirection and everything you might need.

3)

You could use the code in the following link: link text


1.) Prefixing external URLS so that they go to the outgoing page

You need a DOM tool for this. For instance SimpleXML or Simple HTML DOM parser or any of its kind to manipulate the outgoing links on the page you are rendering. (Find more available options in this question.)

Optimally, you will cache the results of this operation as it can be quite expensive (read: slow) and update the cached version on update or after a defined period of time.

2.) The isset on the top of the outgoing page is supposed to be throwing a 404 if a user visits the outgoing page without a url query string but isn't

Yes it does, but you need to stop execution after this point if you don't want to render the rest of the page. A 404 error can - and should! - have a page body, it's a response like any other HTTP response.

3.) Need to make sure that URLS are valid so for example prevent this from happening: localhost/outgoing?url=moo

Even if you do so - and indeed you should, nothing will prevent anyone from accessing localhost/outgoing?url=foo by manual URL manipulation. Url parameters, or any other user input can never be trusted. In other words you need to check the outgoing url in the outgoing-script no matter what.

And don't forget to sanitize rigorously! Functionality such as this is screaming to be abused.
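
A version of the outgoing page that applies the points raised in the answers above: stop after sending the 404, validate the `url` parameter inside the outgoing script itself, and escape everything that is echoed. This is an added example, not code from the original thread; `SITE_HOST`, `HOME_URL` and the helper names `validOutgoingUrl`, `safeLinkback` and `e` are assumptions.

```php
<?php
// Added example: hardened outgoing.php. SITE_HOST and HOME_URL are assumed values.
const SITE_HOST = 'localhost';
const HOME_URL  = 'http://localhost:8888/creathive/';

// Return the URL if it is an absolute http(s) URL with a host, otherwise null.
function validOutgoingUrl($url) {
    if (!is_string($url) || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return null; // arrays (?url[]=x), whitespace, control chars, backslashes
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null; // "moo", "//host/path", "http:///path"
    }
    // Allow-list the scheme: rejects javascript:, data:, file: and the like.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Only accept a "linkback" cookie that points at this site; cookies are user input too.
function safeLinkback($cookie) {
    $url = validOutgoingUrl($cookie);
    if ($url === null || strcasecmp(parse_url($url, PHP_URL_HOST), SITE_HOST) !== 0) {
        return HOME_URL;
    }
    return $url;
}

// Escape for HTML text and attribute context.
function e($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$url = validOutgoingUrl($_GET['url'] ?? null);
if ($url === null) {
    http_response_code(404);
    echo '<h1>404 Not Found</h1>';
    exit; // stop here so the warning page below is never rendered
}
$back = safeLinkback($_COOKIE['linkback'] ?? null);
?>
<h1>Warning! Now leaving website</h1>
<ul>
    <li><a title="Return to Website" href="<?= e($back) ?>">Return to Website</a></li>
    <li><a title="Continue to <?= e($url) ?>" href="<?= e($url) ?>">Continue to <?= e($url) ?></a></li>
</ul>
```

The interstitial still forwards to any http(s) host; if the site only ever links to a known set of destinations, comparing the parsed host against that list in `validOutgoingUrl` closes the open-redirect surface further.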
