I have a multilingual website, the change language functionality works like this:
change_lang.php?lang=en&return=www.example.com/pages/etc
in change_lang.php I read the $_GET['return'] and $return_addr = $_GET['return'] then use header("location:" . $return_addr) to send the user back to the place he was, now Imagine someone wants to pollute the return address:
change_lang.php?lang=en&return=www.HACKER-SITE.com/virus.exe
For preventing this, I want to limit the $return_addr value to only local machine(server), my code is:
<?php
if(substr(BASE_URL, 0, 8) == 'https://'){
$start_len = 8;
$return_http = 'https://';
} else{
$start_len = 7;
$return_http = 'http://';
}
$http_extracted_base_url = substr(BASE_URL, $start_len);
if(substr($http_extracted_base_url, 0, 10) == substr($return, 0, 10)){
// OK
}else{
// NOT OK
exit();
}
?>
BASE_URL is a defined value of my domain, like http://example.com, the above code works well when the user is not using “www” in his address, but when he does, I need to check another thing on my code, all of this must have a better solution, and that’s my question; how I’m supposed to check if the return URL is going back to the site itself, I don’t want to check https r www, or also we may want to have another domain in future parked on our site, so some users may use the second address and the above code fails since BASE_URL is defined as the first domain.
P.S: I don’t want to PING the domain of return address, execution functions are disabled on the server.
I’d suggest using
$_SERVER['HTTP_REFERER']or your definedBASE_URLI will add that while this could be manipulated (so I’m told) surely the only person it would affect is the user that manipulated that header, as they are being redirected?