
How can I control submitted URLs to see if the link is to an image file? And also, how can I sanitize any kind of hack attack via that URL?

I'm using CodeIgniter; maybe there is some good library to control submitted URLs?

El Barto
itsme
  • What do you mean by "control on submitted URLs"? That doesn't mean anything to me. – Ben Lee Mar 12 '12 at 23:43
  • What have you tried so far? What's the precise nature of your development problem? – Wh1T3h4Ck5 Mar 12 '12 at 23:45
  • @Wh1T3h4Ck5 Nothing tried yet, still searching for a PHP function or CodeIgniter function. – itsme Mar 12 '12 at 23:47
  • @BenLee The user submits his personal site logo URL by form, for example... How can I be secure (almost secure) that the link is not broken, or that the link is NOT to an image, or that the link is to a script, etc. etc.? – itsme Mar 12 '12 at 23:48
  • I looked at the CI trackback library but I don't think it is what I need. – itsme Mar 12 '12 at 23:49
  • You can use [cURL](http://us.php.net/curl) to open the URL and see what's there. If you have an HTTP error, there's some problem with the URL (it is not valid, etc.). If you can get what's there, you can check the mime-type of the response to see what kind of file it is. – El Barto Mar 12 '12 at 23:50
  • Nice, cURL. And what about `file_exists()` in PHP? – itsme Mar 12 '12 at 23:51
  • There's no such function in any language to "sanitize **any kind** of hack attacks"... To validate a URL you can find plenty of info here, such as [what is the best way to check if a Url exists in PHP ?](http://stackoverflow.com/questions/4437223/what-is-the-best-way-to-check-if-a-url-exists-in-php) or [best way to determine if a URL is an image in PHP](http://stackoverflow.com/questions/676949/best-way-to-determine-if-a-url-is-an-image-in-php), etc. – Wh1T3h4Ck5 Mar 12 '12 at 23:54
  • @Ispuk `file_exists()` can only check for files on the server. – Kemal Fadillah Mar 12 '12 at 23:54
  • @Wh1T3h4Ck5 Really, thanks. Do I just need to check the metadata or mime-type from a URL? I'm looking at the code at http://stackoverflow.com/questions/676949/best-way-to-determine-if-a-url-is-an-image-in-php – itsme Mar 12 '12 at 23:57
  • It depends on what you're doing *with* the URL... Are you putting the string in a `src` attribute or what? – Wesley Murch Mar 13 '12 at 01:06

1 Answer


Why not let apache (or nginx, etc.) serve your static files for you?

If you serve them through PHP (CodeIgniter or not), you open yourself up to a much greater opportunity for hacks.

Additionally, you'll probably run a minimum of 3MB of memory per request through CI, whereas a static file server will usually run at the file's size or less.

I could keep going. In fact, I will. CI has issues with seemingly random session expiration when serving resources (i.e. images, AJAX, etc.)

Are you still reading this? Serve your static files through apache.

UPDATE:

I assumed by your "submitted URL" language that it was the URI in question. Now it seems to be a question about validating user submitted input data. If it's a URL, I assume it's an image on a remote server. For this case, you'll need to use cURL (or another http wrapper) to download headers for that URL. If the Content-Type header is present, you can use that to determine whether the file is an image.

landons
  • Any citation or reference for this statement?: `"CI has issues with seemingly random session expiration when serving resources (i.e. images, AJAX, etc.)"` I'm not doubting you, just want to know if this is fact or fiction. In addition, I believe the OP is talking about checking if user submitted *URLs* lead to an image, not about serving the images. – Wesley Murch Mar 13 '12 at 01:02
  • Here's a forum post that goes into more detail: http://codeigniter.com/forums/viewthread/172415/. I understand the OP's concern with the URLs, but how would you "know" about the URL in CI without proxying the request through PHP? – landons Mar 13 '12 at 05:25
  • Gotcha, 40+ extra image requests routed through CI (just to get the image path from the db, ugh) was causing that guy problems, but it's not really a documented bug. I must say, I've never had that issue. Anyways, is `getimagesize` not an appropriate, simple tool for this? – Wesley Murch Mar 13 '12 at 05:44
  • If it's a local file, yes. It seems I completely missed the point of the question (I'm blaming vague wording :P), and now I assume it's a remote file. My answer, as well as `getimagesize` seem worthless here... – landons Mar 13 '12 at 09:27
  • And, by the way, I was "that guy." 3 years ago anyway ;). Random session expiration in CI is more common than you might think. Google it... – landons Mar 13 '12 at 09:29
  • Ah missed that, no offense. All I found was a couple posts, [one by you](http://stackoverflow.com/questions/6856960/codeigniter-session-expires-frequently), [this one](http://stackoverflow.com/questions/5573639/codeigniter-session-disappear-bug) and a [closed bug report](https://github.com/EllisLab/CodeIgniter/issues/154) that was active 12 days ago with someone reporting the same issue. So I guess this is a legit issue, sorry to doubt - I've just never heard of it. I can't tell if it's fair to say "random" though, there must be a reason. – Wesley Murch Mar 13 '12 at 09:43
  • Haha, none taken. It's seemingly "random" because it has to happen at the exact time the session refreshes. It literally took months to figure out what was going on with my app. Regardless, it's completely off topic from the OP's view :P. – landons Mar 13 '12 at 09:48
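The header check described in the answer's update, written out as an added example (this is not code from the question, the answer, or CodeIgniter): the URL is validated before any network call, cURL fetches only the headers with redirects disabled, and the Content-Type is compared against a short allow-list of image types. The function name, the allow-list and the timeouts are my assumptions.

```php
<?php
// Added example: decide whether a user-submitted URL points to an image.
// Returns ['ok' => bool, 'reason' => string]; the reason explains any rejection.
function checkImageUrl(string $url): array
{
    // 1. Reject anything that is not a well-formed http(s) URL before touching
    //    the network. filter_var() refuses javascript:, data:, file: and the like.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return ['ok' => false, 'reason' => 'not a valid URL'];
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ['ok' => false, 'reason' => "scheme '$scheme' not allowed"];
    }

    // 2. HEAD request only: no body is downloaded. Redirects are not followed,
    //    so the remote server cannot bounce the check to another host or scheme,
    //    and cURL is restricted to HTTP(S) even for protocols it supports.
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,
        CURLOPT_HEADER         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,   // assumed timeouts (seconds)
        CURLOPT_TIMEOUT        => 10,
    ]);
    curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $ctype  = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($err !== '') {
        return ['ok' => false, 'reason' => "cURL error: $err"];
    }
    if ($status !== 200) {
        return ['ok' => false, 'reason' => "HTTP status $status"];
    }

    // 3. Strip parameters such as "; charset=..." and compare against an allow-list
    //    (assumed list) rather than just testing for an "image/" prefix.
    $mime    = strtolower(trim(explode(';', $ctype)[0]));
    $allowed = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];
    if (!in_array($mime, $allowed, true)) {
        return ['ok' => false, 'reason' => "Content-Type '$mime' is not an allowed image type"];
    }
    return ['ok' => true, 'reason' => ''];
}
```

The Content-Type header is whatever the remote server chooses to send, so this only tells you what the server claims; if the image is ever downloaded and stored or re-served, inspect the actual bytes (for example with `getimagesize()` on the saved file) before trusting them.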