1

尝试为安全数据库编写验证 php,所以我已经编码到这里

问题是这段代码验证了带有子域的链接

就像如果 

unsafeurl = http://remove.facebook.com/anything //it works (Shows Valid)

但这不起作用,如果

unsafeurl = http://facebook.com/anything //not works (Shows invalid because of $da in place of $do ... i have explode (.) here)

所以,我被困在最后一行要做的事情..请帮助我

<?php

      $url=$_POST['unsafeurl']; 

      $safeurl = "facebook";


      $front = explode("/", $url); 
      $host = $front[2]; 

      $domain = explode(".com", $front[2]); 
      $do = $domain[0];

      $domain = explode(".", $url); 
      $da = $domain[1];

      echo $da; 
      echo "<br />"; 

     if($da==$safeurl) {

       echo "valid";

    }
    else
    { 
        echo "invalid";        
    }

    ?>
4

2 回答 2

2

我会改变一些事情:

  $safeurl = "facebook.com";

  # Use parse_url to get host from URL
  $explode = explode(".", parse_url($url, PHP_URL_HOST));

  # Get last two elements of . explode
  $count = count($explode);
  $count = $count - 2;
  $da = $explode[$count];
  $count++;
  $da .= ".".$explode[$count];

对于anything.here.facebook.com,这应该返回$da为facebook.com

如果您想让它更高级,以便它可以处理多个 URL 和 .co.uk 等:

  $safeurl[] = "facebook.com";
  $safeurl[] = "google.co.uk";

  # Use parse_url to get host from URL
  $explode = explode(".", parse_url($url, PHP_URL_HOST));


  $valid = 0;
  foreach($safeurl as $checkurl) { 
    # Get number of elements in safeurl
    $safecount = count(explode(".", $checkurl));

    # Get last $safecount elements of . explode
    $count = count($explode);
    $count = $count - $safecount;
    $da = $explode[$count];
    $count++;
    while ($explode[$count]) {
     $da .= ".".$explode[$count];
     $count++;
    }
    if($da==$checkurl) {
      $valid = 1;
    }
  }
  if ($valid==1) { echo "Valid"; }

有人可以验证,但我相信这都是正确的。我很快就做到了。

于 2013-07-24T19:55:18.107 回答
1

您可能想研究 PHPparse_url()函数

虽然我不清楚你认为什么是“安全”的 URL(它必须有.comTLD?它必须是 facebook 域吗?),这很容易隔离 URL 的主机部分供你检查。false如果 URL 格式不正确,它也会简单地返回。

所以你可能会做类似的事情:

$url = $_POST['unsafeurl'];
$host = parse_url($url, PHP_URL_HOST);
if (false === $host) {
    // bad URL
} else {
    // get domain with TLD removed
    $domain_minus_tld = substr($host, 0, strpos($host, '.', -1));
}

如果您专门尝试验证这是一个 facebook URL,您可能会执行类似的操作

$url_is_facebook = false;
$url = $_POST['unsafeurl'];
$host = parse_url($url, PHP_URL_HOST);
if (false === $host) {
    // bad URL
} else {
    // see if this is facebook
    $pattern = '/^(www\.)?facebook\.com$/';
    if (preg_match($pattern, $host)) {
        $url_is_facebook = true;
    }
}
于 2013-07-24T19:45:22.273 回答