Comments on: Simple PHP redirection script with log http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/ Thu, 28 Aug 2008 18:43:20 +0000 http://wordpress.org/?v=2.2.2 By: Andrew http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/#comment-967 Andrew Thu, 06 Mar 2008 14:32:23 +0000 http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/#comment-967 That's a much more elegant solution. I currently use the /redirect.php?id=100 method on other sites, (keyword-based actually, instead of numeric) but hadn't thought of your suggestion to simplify the painful problem of the list compilation. Thanks for your contribution, it's appreciated. That’s a much more elegant solution.

I currently use the /redirect.php?id=100 method on other sites, (keyword-based actually, instead of numeric) but hadn’t thought of your suggestion to simplify the painful problem of the list compilation.

Thanks for your contribution, it’s appreciated.

]]> By: Mark http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/#comment-966 Mark Thu, 06 Mar 2008 14:22:33 +0000 http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/#comment-966 Magic Quotes on should work for text fields but there are some vulnerabilities with database and file insertions I seem to recall. Also, I only mentioned it originally because yes, you may have magic quotes on, but if someone else reading this doesn't and then adds the code to their site then they might be opening themself up to attack. However, your code adjustment now should help. From a personal point of view I hate using redirection scripts in this manner, i.e. taking the URL as a parameter and redirecting there. My preferred method when I've used this in the past was to maintain a database of redirection links so that the redirection was of this form instead: /redirect.php?id=100 The benefit of this system is that it's easier to validate a number, you could, at a later date, alter all the redirection links site-wide if, for example, the place you're redirecting to changes their URL (has happened), and more importantly, it stops someone else bouncing off your page to someone they want to visit, faking the referrer to be your site. On the downside, who wants to maintain a list of links? Nobody. Which is why I implemented a helper piece of code. Effectively, in the PHP of your page you'd replace any link with a piece of code: from: visit <a href="somesite" rel="nofollow">this site</a> to: visit the helper function linkto() would check to see if "somesite" was already in the database. If so then it gets replaced with: <a href="/redirect.php?id=existing_id_number" rel="nofollow">this site<a> otherwise, "somesite" is added and <a href="/redirect.php?id=new_id_number" rel="nofollow">this site<a> is output to the page instead. It relied on you being able to add PHP to a page but it was in use on a number of websites a few years ago for tracking purposes. Magic Quotes on should work for text fields but there are some vulnerabilities with database and file insertions I seem to recall. Also, I only mentioned it originally because yes, you may have magic quotes on, but if someone else reading this doesn’t and then adds the code to their site then they might be opening themself up to attack. However, your code adjustment now should help.

From a personal point of view I hate using redirection scripts in this manner, i.e. taking the URL as a parameter and redirecting there. My preferred method when I’ve used this in the past was to maintain a database of redirection links so that the redirection was of this form instead:

/redirect.php?id=100

The benefit of this system is that it’s easier to validate a number, you could, at a later date, alter all the redirection links site-wide if, for example, the place you’re redirecting to changes their URL (has happened), and more importantly, it stops someone else bouncing off your page to someone they want to visit, faking the referrer to be your site.

On the downside, who wants to maintain a list of links? Nobody. Which is why I implemented a helper piece of code. Effectively, in the PHP of your page you’d replace any link with a piece of code:

from: visit this site
to: visit

the helper function linkto() would check to see if “somesite” was already in the database. If so then it gets replaced with:

this site

otherwise, “somesite” is added and

this site

is output to the page instead.

It relied on you being able to add PHP to a page but it was in use on a number of websites a few years ago for tracking purposes.

]]> By: Andrew http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/#comment-963 Andrew Thu, 06 Mar 2008 13:02:43 +0000 http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/#comment-963 And that's why I should stick to doing frontend design ;-). But correct me if I'm wrong, having Magic Quotes on in your PHP server settings should prevent SQL injection anyway? I've added a conditional statement to check, and if it's not on, do some cleaning now anyway. And that’s why I should stick to doing frontend design ;-).

But correct me if I’m wrong, having Magic Quotes on in your PHP server settings should prevent SQL injection anyway? I’ve added a conditional statement to check, and if it’s not on, do some cleaning now anyway.

]]> By: Mark http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/#comment-961 Mark Thu, 06 Mar 2008 11:07:32 +0000 http://www.goblog.com.au/2008/03/05/simple-php-redirection-script-with-log/#comment-961 That code is vulnerable to SQL injection. You should clean up the $toURL before simply placing it in the SQL command. That code is vulnerable to SQL injection. You should clean up the $toURL before simply placing it in the SQL command.

]]>