1

I have a simple function for checking the web site title:

$doc = new DOMDocument();
@$doc->loadHTMLFile($aUrl);
$xpath = new DOMXPath($doc);     

if(!isset($xpath->query('//title')->item(0)->nodeValue)) 
{             
     return FALSE;
}                              

return $xpath->query('//title')->item(0)->nodeValue;  

But if the user passes localhost or 127.0.0.1, they can get my host data. I can make a simple guide to allow the user to input these values, but sometimes I can't be sure of the internal IP, like 192.168.11.2. How can I protect the site so that it won't query back to my host? Thank you.

Tattat

2 Answers

0

Add this line to the beginning:

if( preg_match( "/^(http:\/\/)(localhost|127.0.0.1|{$_SERVER["SERVER_ADDR"]}|{$_SERVER["HTTP_HOST"]}|www.yourhost.net)/i", $aUrl )) die( 'error' );

It may help.

SergeS
  • But they can still access me via 192.168.11.2 :( – Tattat Aug 12 '11 at 13:27
  • $_SERVER["SERVER_ADDR"] contains 192.168.11.2 (or your actual server address), see http://php.net/manual/en/reserved.variables.server.php – SergeS Aug 12 '11 at 13:30
  • The result I get is 127.0.0.1 instead of 192.168.11.2. But I can get access from 192.168.11.2 :( – Tattat Aug 12 '11 at 13:34
  • See this for getting the correct IP - http://stackoverflow.com/questions/3202872/php-serverserver-addr-variable-always-returns-127-0-0-1 but I think a correct Apache setup will fix it - this depends on what you have in the bind address – SergeS Aug 12 '11 at 13:40
-1

127.0.0.1 or localhost for the external user will be their own computer / host. Set a condition where you check that the hostname is not $_SERVER['SERVER_ADDR'] or $_SERVER['SERVER_NAME'].

Kasia Gogolek
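One way to harden the title fetcher from the question, as an added example that is not part of any post above: it allows only http/https, refuses hosts that resolve to private or reserved IPv4 addresses, and pins the connection to the address it checked. The function names are hypothetical, and it assumes the curl and dom extensions are loaded.

```php
<?php
// Added example; resolvePublicIp() and fetchTitle() are hypothetical names.
// Returns null when $host does not resolve or any address is private/reserved.
function resolvePublicIp(string $host): ?string
{
    // An IP literal is checked as-is; a name is resolved to all its A records.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16. NO_RES_RANGE: 0/8, 127/8, 169.254/16, 240/4.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return $ips[0] ?? null;
}

function fetchTitle(string $aUrl)
{
    $parts  = parse_url($aUrl) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return false;
    }
    $ip = resolvePublicIp($host);
    if ($ip === null) {
        return false; // localhost, 127.0.0.1, 192.168.11.2 and similar stop here
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ch = curl_init($aUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point at an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // connect to the checked IP only
        CURLOPT_TIMEOUT        => 5,
    ]);
    $html = curl_exec($ch);
    if (!is_string($html) || $html === '') {
        return false;
    }
    $doc = new DOMDocument();
    @$doc->loadHTML($html);
    $node = (new DOMXPath($doc))->query('//title')->item(0);
    return $node ? $node->nodeValue : false;
}
// Constructed inputs (IP literals, so no DNS lookup is made):
var_dump(resolvePublicIp('127.0.0.1'), resolvePublicIp('192.168.11.2'));
```

The filter flags cover only the ranges listed in the comment, and this version rejects IPv6 hosts entirely, so any other special-purpose range needs an explicit check.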