URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 3:38 am
by simonmlewis
Code: Select all
$url = $_GET['url'];
if ($url == "http://www.site.co.uk")
{
    echo "<meta http-equiv='Refresh' content='0 ;URL=$url;'>";
}
else
{
    $newstring = substr_replace($url, 'www', 7, 1);
    echo "<meta http-equiv='Refresh' content='0 ;URL=$newstring'>";
}
This is for mobile subdomain use. The person goes to the homepage on their mobile. Takes them to a page for Mobile or Normal.
They click normal and it takes them here.
Since the URL they were at is http://www.site.co.uk then the top query should run and take them back to the homepage of the normal site.
Else, it should take them to the second query, which changes the URL, and replaces the m (http://m.site.co.uk) with the 'www'.
If I echo $url on the page, it shows http://www.site.co.uk, but the query still opts for the second "else" option each time. I cannot see why.
This is the full code:
Code: Select all
if(isset($cookiesite))
{
    $url = $_GET['url'];
    if ($cookiesite == "mobile")
    {
        $newstring = substr_replace($url, 'm', 7, 3);
        echo "<meta http-equiv='Refresh' content='50 ;URL=$newstring'>";
    }
    if ($cookiesite == "normal")
    {
        echo "$url<br/>";
        if ($url == "http://www.site.co.uk") { $point = "normalhome";}
        if ($point == "normalhome")
        {
            echo "One moment - redirecting to $url<br/>";
            echo "<meta http-equiv='Refresh' content='5 ;URL=http://www.site.co.uk'>";
        }
        else
        {
            $newstring = substr_replace($url, 'www', 7, 1);
            echo "One moment - redirecting to $newstring";
            echo "<meta http-equiv='Refresh' content='5 ;URL=$newstring'>";
        }
    }
}
Even though "pointhome" is "http://www.site.co.uk", it's still using the "$newstring" version, which is incorrect. Why is it using that?
Re: URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 4:43 am
by simonmlewis
I fixed it. Missing / at the end of my query.
Re: URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 11:11 am
by Christopher
That code looks pretty hackable -- especially since you do not filter/validate $_GET['site']. I would recommend not modifying the domain name, but instead use either "www.site.co.uk" or "m.site.co.uk" as hardcoded domains so no other domain can be injected.
Re: URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 11:14 am
by simonmlewis
Normally the domain is entirely different. Not just the 'domain' part.
Re: URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 11:38 am
by Eric!
That code is insecure and vulnerable to XSS.
Sanitize all user variables before using them (see filter_var)
Verify them (filter_var)
and before echoing them, disable injection by encoding them: htmlentities($url, ENT_QUOTES, "UTF-8")
And why are you still using meta refresh tags to redirect?
Re: URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 11:58 am
by simonmlewis
Awful thing to admit to but I don't use those!
I use the Escape method. How do I use htmlentities and should I use one for each variable?
I have built in PDO, and got others on the back burner for rebuilds, but this ought to be part of that.
Re: URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 12:11 pm
by Eric!
Someone can easily inject a javascript attack into your line
Code: Select all
echo "One moment - redirecting to $url<br/>";
They could do things like make a link that would inject porn images or something embarrassing on your site, to stealing the user's cookie data.
Changing this to
Code: Select all
echo "One moment - redirecting to ".htmlentities($url, ENT_QUOTES, "UTF-8")."<br/>";
Will at least stop that. But there are other games hackers can play with your $url because you are just redirecting to a raw string that could contain anything. And why are you using the meta refreshes?
Re: URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 12:15 pm
by simonmlewis
To be fair to myself, I don't nice use "you are being directed to". That was for testing.
Why not? Is the other option to replace the page better?
Re: URL not being captured right for my query.....
Posted: Fri Nov 29, 2013 4:31 pm
by Eric!
You're using raw user input and assuming it's valid. They could also attack your meta refresh tags just as easily as your echo statement and do the same damage--easy peasy. Always filter/sanitize your user input!
Use the same header method to take them to the correct page as we discussed in the other thread. That way you won't have problems with some browsers ignoring your meta refresh.
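Added example (not part of the thread and not any poster's code): one way to combine the advice in the replies above, with hardcoded hosts, validation of the incoming URL, and a header() redirect instead of a meta refresh. The names build_redirect and SITE_HOSTS are hypothetical, the hosts are the thread's placeholders, and the cookie name "cookiesite" is an assumption based on the $cookiesite variable in the first post.

```php
<?php
// Added example. Host names are the placeholders used in the thread.
const SITE_HOSTS = ['normal' => 'www.site.co.uk', 'mobile' => 'm.site.co.uk'];

// Returns a redirect target on a hardcoded host, or null if the input is not acceptable.
function build_redirect(string $rawUrl, string $version): ?string
{
    if (!array_key_exists($version, SITE_HOSTS)) {
        return null;                        // unknown site version
    }
    if (preg_match('/[\x00-\x20\x7f]/', $rawUrl)) {
        return null;                        // control characters or whitespace
    }
    $parts = parse_url($rawUrl);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;                        // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), SITE_HOSTS, true)) {
        return null;                        // foreign scheme or host
    }
    // Only path and query come from the request; scheme and host are hardcoded.
    // A missing path becomes "/", so "http://www.site.co.uk" needs no special case.
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return 'http://' . SITE_HOSTS[$version] . $path . $query;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, to show what is accepted and what is rejected.
    $samples = [
        'http://m.site.co.uk/products?id=3',
        'http://www.site.co.uk',
        'http://www.site.co.uk@evil.example/',
        'http://evil.example/m.site.co.uk',
    ];
    foreach ($samples as $s) {
        echo $s, ' => ', build_redirect($s, 'normal') ?? 'REJECTED', PHP_EOL;
    }
} else {
    // Assumption: the site preference is stored in a cookie named "cookiesite".
    $url = $_GET['url'] ?? '';
    $ver = $_COOKIE['cookiesite'] ?? 'normal';
    $target = (is_string($url) && is_string($ver)) ? build_redirect($url, $ver) : null;
    // Fall back to the normal homepage when the input is rejected.
    header('Location: ' . ($target ?? 'http://' . SITE_HOSTS['normal'] . '/'), true, 302);
    exit;
}
```

Because the host in the Location header never comes from the request, a crafted url parameter can at most choose a path on one of the two listed hosts.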