Reading source code and extracting json from a url












0












$begingroup$


I made a code to read the source code from a url, to reach this url i need to specify a token, after read the source code i extract a url in json format, and i redirect my domain to this url. It's not relevant to what i'm asking, but want explain what i'm doing...



As you can see, on my domain http://localhost/test i have a query string called token that is used to read the souce code of a different domain, after this i redirect to a page.



I defined the domain which i will read the source code but i don't know if someone could pass a value to the $_GET['token'] in a way that this will go to a different domain, i'm reading the source code from a url and using the result on my website, so i don't know if someone could do some kind of attack to my server. I'm not sure how these kind of attacks works, and i felt that i should ask someone that has more knowledge than I.



What do you think about my code?



php:



 //i use this condition to make sure that nobody can access the url directly,
//and later make sure that the request is from my domain
if(!empty($_SERVER['HTTP_REFERER'])){
//if $_GET is empty then $.. is = NULL, else $.. is = $_GET
$source = (empty($_GET['source']) ? NULL : $_GET['source']);
$token = (empty($_GET['token']) ? NULL : $_GET['token']);

if(!empty($source) && !empty($token)){
if($source == 'player'){
//check if the request is from the same domain
if(preg_match('/^http://localhost/test/', $_SERVER['HTTP_REFERER'])){
//inside this if() i read the source
//code from this url bellow
$urlPost = 'https://www.player.com/?token='.$token;
$url = file_get_contents($urlPost);
preg_match('/CONFIG = (.*)/', $url, $matches);

$jsn = json_decode($matches[1]);
$streams = $jsn->streams;

foreach($streams as $i){
//this variable will be used to redirect the src
//iframe to a url that contains a video
$vdUrl = $i->url;
}
//redirect to the url that i got from the source code
die(header('location:'.$vdUrl));
}else{
//if the request is not from the same domain then
//redirect to 404 Not Found
die(header('HTTP/1.1 404 Not Found'));
}
}else{
die(header('HTTP/1.1 404 Not Found'));
}
}

}


html:



<iframe src="http://localhost/test/?source=player&token=145215d1ww"></iframe>








share









$endgroup$

















    0












    $begingroup$


    I made a code to read the source code from a url, to reach this url i need to specify a token, after read the source code i extract a url in json format, and i redirect my domain to this url. It's not relevant to what i'm asking, but want explain what i'm doing...



    As you can see, on my domain http://localhost/test i have a query string called token that is used to read the souce code of a different domain, after this i redirect to a page.



    I defined the domain which i will read the source code but i don't know if someone could pass a value to the $_GET['token'] in a way that this will go to a different domain, i'm reading the source code from a url and using the result on my website, so i don't know if someone could do some kind of attack to my server. I'm not sure how these kind of attacks works, and i felt that i should ask someone that has more knowledge than I.



    What do you think about my code?



    php:



     //i use this condition to make sure that nobody can access the url directly,
    //and later make sure that the request is from my domain
    if(!empty($_SERVER['HTTP_REFERER'])){
    //if $_GET is empty then $.. is = NULL, else $.. is = $_GET
    $source = (empty($_GET['source']) ? NULL : $_GET['source']);
    $token = (empty($_GET['token']) ? NULL : $_GET['token']);

    if(!empty($source) && !empty($token)){
    if($source == 'player'){
    //check if the request is from the same domain
    if(preg_match('/^http://localhost/test/', $_SERVER['HTTP_REFERER'])){
    //inside this if() i read the source
    //code from this url bellow
    $urlPost = 'https://www.player.com/?token='.$token;
    $url = file_get_contents($urlPost);
    preg_match('/CONFIG = (.*)/', $url, $matches);

    $jsn = json_decode($matches[1]);
    $streams = $jsn->streams;

    foreach($streams as $i){
    //this variable will be used to redirect the src
    //iframe to a url that contains a video
    $vdUrl = $i->url;
    }
    //redirect to the url that i got from the source code
    die(header('location:'.$vdUrl));
    }else{
    //if the request is not from the same domain then
    //redirect to 404 Not Found
    die(header('HTTP/1.1 404 Not Found'));
    }
    }else{
    die(header('HTTP/1.1 404 Not Found'));
    }
    }

    }


    html:



    <iframe src="http://localhost/test/?source=player&token=145215d1ww"></iframe>








    share









    $endgroup$















      0












      0








      0





      $begingroup$


      I made a code to read the source code from a url, to reach this url i need to specify a token, after read the source code i extract a url in json format, and i redirect my domain to this url. It's not relevant to what i'm asking, but want explain what i'm doing...



      As you can see, on my domain http://localhost/test i have a query string called token that is used to read the souce code of a different domain, after this i redirect to a page.



      I defined the domain which i will read the source code but i don't know if someone could pass a value to the $_GET['token'] in a way that this will go to a different domain, i'm reading the source code from a url and using the result on my website, so i don't know if someone could do some kind of attack to my server. I'm not sure how these kind of attacks works, and i felt that i should ask someone that has more knowledge than I.



      What do you think about my code?



      php:



       //i use this condition to make sure that nobody can access the url directly,
      //and later make sure that the request is from my domain
      if(!empty($_SERVER['HTTP_REFERER'])){
      //if $_GET is empty then $.. is = NULL, else $.. is = $_GET
      $source = (empty($_GET['source']) ? NULL : $_GET['source']);
      $token = (empty($_GET['token']) ? NULL : $_GET['token']);

      if(!empty($source) && !empty($token)){
      if($source == 'player'){
      //check if the request is from the same domain
      if(preg_match('/^http://localhost/test/', $_SERVER['HTTP_REFERER'])){
      //inside this if() i read the source
      //code from this url bellow
      $urlPost = 'https://www.player.com/?token='.$token;
      $url = file_get_contents($urlPost);
      preg_match('/CONFIG = (.*)/', $url, $matches);

      $jsn = json_decode($matches[1]);
      $streams = $jsn->streams;

      foreach($streams as $i){
      //this variable will be used to redirect the src
      //iframe to a url that contains a video
      $vdUrl = $i->url;
      }
      //redirect to the url that i got from the source code
      die(header('location:'.$vdUrl));
      }else{
      //if the request is not from the same domain then
      //redirect to 404 Not Found
      die(header('HTTP/1.1 404 Not Found'));
      }
      }else{
      die(header('HTTP/1.1 404 Not Found'));
      }
      }

      }


      html:



      <iframe src="http://localhost/test/?source=player&token=145215d1ww"></iframe>








      share









      $endgroup$




      I made a code to read the source code from a url, to reach this url i need to specify a token, after read the source code i extract a url in json format, and i redirect my domain to this url. It's not relevant to what i'm asking, but want explain what i'm doing...



      As you can see, on my domain http://localhost/test i have a query string called token that is used to read the souce code of a different domain, after this i redirect to a page.



      I defined the domain which i will read the source code but i don't know if someone could pass a value to the $_GET['token'] in a way that this will go to a different domain, i'm reading the source code from a url and using the result on my website, so i don't know if someone could do some kind of attack to my server. I'm not sure how these kind of attacks works, and i felt that i should ask someone that has more knowledge than I.



      What do you think about my code?



      php:



       //i use this condition to make sure that nobody can access the url directly,
      //and later make sure that the request is from my domain
      if(!empty($_SERVER['HTTP_REFERER'])){
      //if $_GET is empty then $.. is = NULL, else $.. is = $_GET
      $source = (empty($_GET['source']) ? NULL : $_GET['source']);
      $token = (empty($_GET['token']) ? NULL : $_GET['token']);

      if(!empty($source) && !empty($token)){
      if($source == 'player'){
      //check if the request is from the same domain
      if(preg_match('/^http://localhost/test/', $_SERVER['HTTP_REFERER'])){
      //inside this if() i read the source
      //code from this url bellow
      $urlPost = 'https://www.player.com/?token='.$token;
      $url = file_get_contents($urlPost);
      preg_match('/CONFIG = (.*)/', $url, $matches);

      $jsn = json_decode($matches[1]);
      $streams = $jsn->streams;

      foreach($streams as $i){
      //this variable will be used to redirect the src
      //iframe to a url that contains a video
      $vdUrl = $i->url;
      }
      //redirect to the url that i got from the source code
      die(header('location:'.$vdUrl));
      }else{
      //if the request is not from the same domain then
      //redirect to 404 Not Found
      die(header('HTTP/1.1 404 Not Found'));
      }
      }else{
      die(header('HTTP/1.1 404 Not Found'));
      }
      }

      }


      html:



      <iframe src="http://localhost/test/?source=player&token=145215d1ww"></iframe>






      php





      share












      share










      share



      share










      asked 7 mins ago









      111111111111111111111111

      205




      205






















          0






          active

          oldest

          votes











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "196"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f213936%2freading-source-code-and-extracting-json-from-a-url%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Code Review Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f213936%2freading-source-code-and-extracting-json-from-a-url%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀