Reputation: 1938
I am designing a site where external links from various sites are being shown on my page. I am using
$url=$_GET['url'];
$website_data = file_get_contents($url);
echo $website_data;
So essentially a user would click on a hyperlink which is something like www.test.com/display_page.php?url=http://www.xyz.com/article/2.jpg
My page, list_of_images.php, typically has a list of images with href for each image as above on the page and when any image is clicked it would go to display_page.php, which would show our banner on the top of this page, some text and then this image beneath that. This image could be from any website.
I am currently sending the url directly and grabbing it using GET. I understand that users/hackers can actually do some coding and send commands for the url variable and could break the server or do something harmful, and so I would like to avoid this method of sending the url directly in the header. What is the alternative approach for this problem?
Upvotes: 0
Views: 99
Reputation: 3041
I would make sure the url starts with http:// or https://:
if (preg_match("`^https?://`i", $_GET['url'])) {
    // do stuff
}
You may also want to make sure it isn't pointing anywhere internal:
if (preg_match('`^https?://(?!localhost|127\.|192\.|10\.0\.)`i', $_GET['url'])) {
    // do stuff
}
Rather than a big dirty regex, you could go for a more elegant host black-list approach, but you get my drift...
Upvotes: 0
Reputation: 798716
The safe approach is to use a fixed set of resources stored in either an array or a database, and the appropriate key as a parameter.
$ress = Array('1' => 'http://www.google.com/', ...);
// Only keys present in the fixed map are accepted; anything else yields null
// instead of a warning and a fetch of an empty URL.
$res = isset($ress[$_GET['res']]) ? $ress[$_GET['res']] : null;
Upvotes: 1
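Both answers put together as an added example (not code from the question or from either answer), assuming a PHP 7+ display_page.php, a hypothetical res parameter and placeholder image URLs:

```php
<?php
// Added example (not from the question or either answer). Assumes PHP 7+;
// the image URLs and the "res" parameter name are hypothetical placeholders.

// Preferred fix: the page never receives a URL at all, only a key into a
// fixed map that the server controls (the second answer's approach).
$allowed_images = [
    '1' => 'http://www.xyz.com/article/2.jpg',   // placeholder entries
    '2' => 'http://www.xyz.com/article/3.jpg',
];

function lookup_resource(array $allowed, $key)
{
    // Unknown or non-string key gives null; the caller decides how to fail.
    return (is_string($key) && isset($allowed[$key])) ? $allowed[$key] : null;
}

// Fallback if arbitrary URLs are unavoidable (the first answer's approach,
// with the host check done on the resolved address rather than by regex).
function is_safe_external_url($url)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;   // rejects file://, php://, ftp:// and other wrappers
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;   // user:pass@host forms are easy to misread
    }
    // gethostbyname() returns the input unchanged when it cannot resolve it.
    $ip = gethostbyname($parts['host']);
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return false;   // unresolvable host (or an IPv6 literal, not handled here)
    }
    // Reject loopback, link-local, private and reserved ranges (127/8, 10/8,
    // 172.16/12, 192.168/16, 169.254/16, ...) even when reached via a hostname.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

$url = lookup_resource($allowed_images, $_GET['res'] ?? null);
if ($url === null) {
    http_response_code(404);
    exit('Unknown image');
}
// $url came from the server-side map, so fetching it is safe.
header('Content-Type: image/jpeg');
echo file_get_contents($url);
```

The validator resolves the host once and file_get_contents() resolves it again, so a name whose DNS answer changes between the two lookups can still slip past it, and it only handles IPv4; that is why the key-to-URL map is the path the page actually serves.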