HiveBrain v1.2.0

PHP URL Shortener

Submitted by: @import:stackexchange-codereview

Problem

I just developed a URL shortener.

index.php (only the visible text of the page survived extraction; the markup and PHP did not):

    gus URL Shortener
    Type the link to be shortened:

The form redirects to short.php where the link is generated:

short.php (likewise only the visible text and the tail of the PHP echo survived):

    gus URL Shortener
    Your Link:
    gus.netii.net/?l=$hash";?>

Sorry it's not commented but I think it's pretty straightforward.
I've been thinking about how I could do it so the link doesn't have the "?l=...", like other shorteners.

UPDATE

Now gus.netii.net is up and running safely, like @CodeX suggested, also without the "?l=" thing after the URL to GET with PHP! Thanks to all, and please share it.

Solution

Ok, so the main problem with your code is that it is vulnerable to SQL injection. You can fix that by using prepared statements: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

If you want to remove the ?l=, you can look into Mod Rewrite (http://www.sitepoint.com/guide-url-rewriting/) and have the URL generate as gus.netii.net/$hash

I took the MySQLi code straight from PHP.net to use in this example.

index.php

<?php
$sql_host = "";
$sql_db = "";
$sql_user = "";
$sql_pass = "";

$mysqli = new mysqli($sql_host, $sql_user, $sql_pass, $sql_db);
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    exit;
}

$hash = "";
if (isset($_GET['l'])) {
    // Escaping for HTML output; it is the bound parameter below, not this, that keeps the query safe
    $hash = htmlspecialchars($_GET["l"]);
}

if (!empty($hash)) {
    // The hash is passed as a bound parameter, never concatenated into the SQL text
    if (!($stmt = $mysqli->prepare("SELECT link FROM links WHERE hash = ?"))) {
        echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
        exit;
    }

    if (!$stmt->bind_param("s", $hash)) {
        echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
        exit;
    }

    // Execute once; a second execute() here would re-run the query, not test for a result
    if (!$stmt->execute()) {
        echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
        exit;
    }

    // fetch() returns true only when a row was found, so an unknown hash never redirects to an empty Location
    $stmt->bind_result($url);
    if ($stmt->fetch()) {
        header("Location: $url");
        exit;
    } else {
        echo "link not available";
    }
}


short.php

<?php
$sql_host = "";
$sql_db = "";
$sql_user = "";
$sql_pass = "";

$mysqli = new mysqli($sql_host, $sql_user, $sql_pass, $sql_db);
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    exit;
}

// Read the posted URL only if the field is present, so a bare GET does not raise a notice
$url = isset($_POST["url"]) ? $_POST["url"] : "";
$hash = hash("crc32", $url);

if (!empty($url)) {
    if ((substr($url, 0, 7) == "http://") or (substr($url, 0, 8) == "https://")) {
        // Both values are bound parameters; the URL never becomes part of the SQL text
        if (!($stmt = $mysqli->prepare("INSERT INTO links(hash, link) VALUES (?,?)"))) {
            echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
            exit;
        }
        if (!$stmt->bind_param("ss", $hash, $url)) {
            echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
            exit;
        }
        if (!$stmt->execute()) {
            echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
            exit;
        }
        echo "<a href='http://gus.netii.net/?l=".$hash."'>gus.netii.net/?l=".$hash."</a>";
    }
    else {
        echo "Your link needs to start with http:// or https://";
    }
}
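The following is an added example, not code from the question, the answer, or the gus.netii.net site. It covers both points the answer makes: the lookup and the insert are done with prepared statements, and an Apache rewrite rule (given in a comment) maps gus.netii.net/<hash> onto ?l=<hash> so the "?l=" is never visible. It also adds the checks a reviewer would want around that code: the hash is validated for shape before it reaches the database, only absolute http(s) URLs with a host are stored or redirected to, and a crc32 collision cannot silently repoint an existing short link. Assumptions: PDO with an in-memory SQLite database is swapped in for MySQLi so the file runs from the command line with no MySQL server; the table `links` with columns `hash` and `link` follows the answer; BASE_URL, the .htaccess rule and all function names are illustrative.

```php
<?php
// Added example (not the answer's code). PDO + in-memory SQLite stand in for MySQLi so
// this runs from the CLI; BASE_URL, the rewrite rule and the function names are assumptions.
declare(strict_types=1);

const BASE_URL = 'http://gus.netii.net/';

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE links (hash TEXT PRIMARY KEY, link TEXT NOT NULL)');
    return $db;
}

// Accept only absolute http(s) URLs with a host. A substr() prefix check lets "http://"
// alone through; parsing the URL also keeps other schemes out of the later redirect.
function is_allowed_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true)
        && parse_url($url, PHP_URL_HOST) !== null;
}

// Look up a hash. The value is bound as a parameter, never concatenated into the SQL
// text (the fix the answer recommends). The shape check in front is defence in depth:
// a crc32 hex digest is exactly eight lowercase hex digits.
function resolve_hash(PDO $db, string $hash): ?string
{
    if (!preg_match('/^[0-9a-f]{8}$/', $hash)) {
        return null;
    }
    $stmt = $db->prepare('SELECT link FROM links WHERE hash = :hash');
    $stmt->execute([':hash' => $hash]);
    $link = $stmt->fetchColumn();
    return $link === false ? null : (string) $link;
}

// Store a link and return its hash, or null if the URL is rejected or the hash is taken
// by a different URL. crc32 is kept from the answer but is not collision resistant, so
// a colliding URL must not silently take over an existing short link.
function store_link(PDO $db, string $url): ?string
{
    if (!is_allowed_url($url)) {
        return null;
    }
    $hash = hash('crc32', $url);
    $existing = resolve_hash($db, $hash);
    if ($existing !== null) {
        return $existing === $url ? $hash : null;
    }
    $stmt = $db->prepare('INSERT INTO links (hash, link) VALUES (:hash, :link)');
    $stmt->execute([':hash' => $hash, ':link' => $url]);
    return $hash;
}

// Request handling. With this assumed Apache mod_rewrite rule in .htaccess, the short form
// gus.netii.net/<hash> reaches the script as ?l=<hash>, so users never see "?l=":
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteRule ^([0-9a-f]{8})$ index.php?l=$1 [L]
function handle_request(PDO $db, array $get, array $post): string
{
    if (isset($post['url'])) {
        $hash = store_link($db, (string) $post['url']);
        if ($hash === null) {
            return 'Your link needs to be an absolute http:// or https:// URL';
        }
        // Escape on output: the hash is hex and harmless, but the habit matters whenever
        // user-supplied data is echoed into HTML.
        $short = htmlspecialchars(BASE_URL . $hash, ENT_QUOTES, 'UTF-8');
        return "Your Link: <a href=\"$short\">$short</a>";
    }
    if (isset($get['l'])) {
        $link = resolve_hash($db, (string) $get['l']);
        if ($link === null) {
            http_response_code(404);
            return 'link not available';
        }
        // Only URLs that passed is_allowed_url() at insert time are ever redirected to.
        header('Location: ' . $link, true, 302);
        return '';
    }
    return 'Type the link to be shortened:';
}

// CLI demonstration (php shortener.php); no web server or MySQL needed.
if (PHP_SAPI === 'cli') {
    $db = open_db();
    $hash = store_link($db, 'https://example.com/some/long/path');
    echo "stored as ", $hash, "\n";
    var_dump(resolve_hash($db, $hash));               // the original URL
    var_dump(resolve_hash($db, 'not-a-hash'));        // NULL: rejected before any SQL runs
    var_dump(store_link($db, 'ftp://example.com/f')); // NULL: scheme not allowed
}
```

Run it with `php shortener.php` (requires the pdo_sqlite extension, which ships with most PHP builds). The mysqli version in the answer follows the same pattern: the user-controlled value only ever travels through `bind_param()`/`execute()`, never through the query string, and the extra checks here sit in front of and behind that call rather than replacing it.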

Context

StackExchange Code Review Q#57580, answer score: 11
