I have a URL shortner script which works fine until I submit a link containing "http://", which gives me a 403 error. I'm new to PHP so you're going to have to go easy on me. My site is http://newurl.us
First I tried using str_replace() to stop people from submitting it.
<input id="url" type="text" name="url" value="<?php echo htmlentities(str_replace("http://","",@$_GET['url'])) ?>" />
I also tried the same with "http%3A%2F%2F" instead of "http://" which didn't work.
Now I'm looking over the script to make it all happen, but I can't find the problem (possibly due to my noobinss). Is there something in the code preventing people from entering http:// ?
<?php
define('PHURL', true);
ini_set('display_errors', 0);
$prefix[0] = '';
?>
<?php
require_once("config.php");
require_once("functions.php");
db_connect();
if (count($_GET) > 0) {
$url = mysql_real_escape_string(trim($_GET['url']));
$alias = mysql_real_escape_string(trim($_GET['alias']));
if (!preg_match("/^(".URL_PROTOCOLS.")\:\/\//i", $url)) {
$prefix = explode(":", $url);
if ($prefix[0] == 'mailto') {
$url = $url;
} else {
$url = "http://".$url;
}
}
$last = $url[strlen($url) - 1];
if ($last == "/") {
$url = substr($url, 0, -1);
}
$data = @parse_url($url);
if ($prefix[0] == 'mailto') {
$data['scheme'] = 'mailto';
$data['host'] = 'none';
}
if (strlen($url) == 0) {
$_ERROR[] = "Please enter a URL to shorten.";
}
else if (empty($data['scheme']) || empty($data['host'])) {
$_ERROR[] = "Please enter a valid URL to shorten.";
}
else {
$hostname = get_hostname();
$domain = get_domain();
if (preg_match("/($hostname)/i", $data['host'])) {
$_ERROR[] = "The URL you have entered is not allowed.";
}
}
if (strlen($alias) > 0) {
if (!preg_match("/^[a-zA-Z0-9_-]+$/", $alias)) {
$_ERROR[] = "Custom aliases may only contain letters, numbers, underscores and dashes.";
}
else if (code_exists($alias) || alias_exists($alias)) {
$_ERROR[] = "The custom alias you entered already exists.";
}
}
if (count($_ERROR) == 0) {
$create = true;
if (($url_data = url_exists($url))) {
$create = false;
$id = $url_data[0];
$code = $url_data[1];
$old_alias = $url_data[2];
if (strlen($alias) > 0) {
if ($old_alias != $alias) {
$create = true;
}
}
}
if ($create) {
do {
$code = generate_code(get_last_number());
if (!increase_last_number()) {
die("System error!");
}
if (code_exists($code) || alias_exists($code)) {
continue;
}
break;
} while (1);
$id = insert_url($url, $code, $alias);
}
if (strlen($alias) > 0) {
$code = $alias;
}
$short_url = SITE_URL."/".$code;
$_GET['url'] = "";
$_GET['alias'] = "";
require_once("html/header.php");
require_once("html/index_form.php");
require_once("html/index_done.php");
require_once("html/footer.php");
exit();
}
}
require_once("html/header.php");
require_once("html/index_form.php");
require_once("html/footer.php");