protect go from going to sites other than ones we know about in the pod table

c55772b4 · David Morley · 7f562d51 · c55772b4
Unverified Commit c55772b4 authored Dec 23, 2016 by David Morley
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 7 deletions

go.php go.php +17 -7

No files found.
--- a/go.php
+++ b/go.php
@@ -7,12 +7,22 @@ $dbh || die('Error in connection: ' . pg_last_error());
 $url = $_GET['url'];

 if ($url) {
-header('Location:' .$url);
+  $host = parse_url($url, PHP_URL_HOST);
+  $sql    = "SELECT domain FROM pods WHERE domain LIKE '$host'";
+  $result = pg_query($dbh, $sql);
+  $result || die('Error in SQL query: ' . pg_last_error());
+  $row = pg_fetch_all($result);
+  if ($row) {
+    //Add click counter +1 for $row[0]['domain'] clicks in future, seperate click table
+    header('Location:' .$url);
+  } else {
+    die('unknown url');
+  }
 } else {
-$sql    = "SELECT secure,domain FROM pods WHERE score > 90 AND masterversion = shortversion AND signup = 1 ORDER BY RANDOM() LIMIT 1";
-$result = pg_query($dbh, $sql);
-$result || die('Error in SQL query: ' . pg_last_error());
-$row = pg_fetch_all($result);
-$scheme = $row[0]['secure'] === 'true' ? 'https://' : 'http://';
-header('Location:' . $scheme . $row[0]['domain'] . '/users/sign_up');
+  $sql    = "SELECT secure,domain FROM pods WHERE score > 90 AND masterversion = shortversion AND signup = 1 ORDER BY RANDOM() LIMIT 1";
+  $result = pg_query($dbh, $sql);
+  $result || die('Error in SQL query: ' . pg_last_error());
+  $row = pg_fetch_all($result);
+  $scheme = $row[0]['secure'] === 'true' ? 'https://' : 'http://';
+  header('Location:' . $scheme . $row[0]['domain'] . '/users/sign_up');
 }