
how to tell link is safe and trusted

Ramy Mohsen asked
Last Modified: 2015-07-28
I am developing a PHP web application with the Yii2 framework that enables the user to enter any link and display it within an iframe. I need to know:

    is it safe for the web application and the user to use this feature (iframe) with his own link
    how to avoid the risks
    if the user has entered a link, how to tell whether this link is safe and trusted
Thanks,

Dave Baldwin, Fixer of Problems, Certified Expert, Most Valuable Expert 2014

Commented:
There isn't any way to tell.  If you display it in an iframe, your server code never sees that content because it gets loaded by the user's browser directly into the iframe.
The most excellent proposal I can offer is to browse smart. That means you have to double-check the URL of your social networking site and e-mail site before you log in. It's very safe for a web application to use this aspect.

Author

Commented:
If the user has entered a link, can I use a service to tell whether this link is safe and trusted or not?
Most Valuable Expert 2011
Author of the Year 2014

Commented:
"If the user has entered a link, can I use a service to tell whether this link is safe and trusted or not?"
No, you cannot.  Your strategy is risky and dangerous.  It should be avoided.  Here's why.

When you see the link, all you can know is the character string that makes up the URL.  You cannot know what is going to be loaded from that URL.  It can be "safe and trusted" one moment and "toxic and damaging" the next.  You have no control at all.  A client visit to the URL, which is caused by loading in the iframe or browser window, causes your browser to run JavaScript immediately and without warning.  What does the JavaScript contain?  You cannot know what the JavaScript will do to the client machine until the client runs the JavaScript code.

This is part of PHP Security.  There are well-documented standard practices that are necessary to keep users of your web site safe from one another.  You may also want to learn about OWASP and become involved.
Most Valuable Expert 2011
Author of the Year 2014

Commented:
Couple of thoughts about MyWOT.
https://safeweb.norton.com/reviews?url=mywot.com
https://www.facebook.com/Anti.W0T
http://www.sitejabber.com/reviews/www.mywot.com
I have no way to evaluate these claims, but "buyer beware."

Commented:
The only way to accomplish your objective is to use a third-party validation service.  I have used MyWOT for this and it meets my needs nicely.  Of course any popular service will have its haters, including this website!  I am not going to argue with Ray anymore about this, but I will say I have used the MyWOT API for three years with great results.

Here is a working prototype that accomplishes the request made in your original post.  If you find that it blocks too many sites, you can lower the value of $sensitivity.
<?php

// Minimum WOT "good site" (category 501) confidence required before the link is shown.
$sensitivity = 95;

if (empty($_POST['url'])) {

?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>Demo</title>
</head>
<body>

<h1>Hello</h1>

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>" method="post" target="f">
 URL: <input type="text" name="url" />
 <input type="submit" />
</form>

<div>
 <!-- The form posts into this iframe; the script below then redirects it to the link if the check passes -->
 <iframe width="80%" height="200" name="f"></iframe>
</div>

</body>
</html>
<?php
}
else {

$site = $_POST['url'];

// Accept links typed without a scheme by retrying with http:// prepended.
$urlinfo = parse_url($site);
if ($urlinfo === false || !isset($urlinfo['host'])) $urlinfo = parse_url('http://' . $site);

// Only http and https links are ever redirected to.
if ($urlinfo === false || empty($urlinfo['host']) || empty($urlinfo['scheme'])
    || !in_array(strtolower($urlinfo['scheme']), array('http', 'https'))) {
  echo 'Bad Site!';
  exit;
}

// Keep only hostname characters before sending the host to the reputation API.
$host = preg_replace('/[^a-z0-9\-\.]/i', '', $urlinfo['host']);

// Ask the MyWOT public API for the host's reputation; a failed lookup is treated as a bad site.
$siteReport = json_decode(@file_get_contents('http://api.mywot.com/0.4/public_link_json2?hosts=' . $host . '/&key=59e026a43597840e5ddefba4d692be8212926801'));

if (!empty($siteReport->{$host}->categories->{'501'}) && $siteReport->{$host}->categories->{'501'} > $sensitivity) {
  // Reputation is good enough: redirect the iframe to the requested page.
  header('Location: ' . strtolower($urlinfo['scheme']) . '://' . $host . (empty($urlinfo['path']) ? '' : $urlinfo['path']) . (empty($urlinfo['query']) ? '' : '?' . $urlinfo['query']), TRUE, 307);
  exit;
}
else {
  echo 'Bad Site!';
}

}

?>

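As an added example (not code from the answer above or from the MyWOT project), here is a stricter front door for the same feature. It cannot tell whether the remote content is safe, as Ray explains, but it rejects non-web schemes and embedded credentials that the prototype's parse_url fallback lets through, and it confines the embedded page with the iframe sandbox attribute. Function names are hypothetical.

```php
<?php
// Added example, not code from the answer above: a stricter front door for the
// "embed any link" feature. Function names are hypothetical.
declare(strict_types=1);

// Return an absolute http(s) URL built from the user's input, or null if the
// input is not something this feature should ever load.
function embeddable_url(string $raw): ?string
{
    $raw = trim($raw);
    // Like the prototype, accept a link typed without a scheme.
    if (!preg_match('#^[a-z][a-z0-9+.\-]*://#i', $raw)) {
        $raw = 'http://' . $raw;
    }
    $p = parse_url($raw);
    if ($p === false || empty($p['host']) || empty($p['scheme'])) {
        return null;
    }
    // Web schemes only: rejects javascript:, data:, file:, ftp: and friends.
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // No user:pass@ credentials, and a hostname made only of label characters.
    if (isset($p['user']) || isset($p['pass']) || !preg_match('/^[a-z0-9.-]+$/i', $p['host'])) {
        return null;
    }
    // Rebuild from parsed parts so fragments and stray characters are dropped.
    return $scheme . '://' . strtolower($p['host'])
        . (isset($p['port']) ? ':' . $p['port'] : '')
        . ($p['path'] ?? '/')
        . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Render the iframe so the embedded page gets no script execution, no form
// submission, no top-level navigation, no same-origin access and no Referer.
function sandboxed_iframe(string $url): string
{
    $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<iframe src="' . $src . '" sandbox="" referrerpolicy="no-referrer"'
        . ' width="80%" height="200"></iframe>';
}

// Constructed inputs for a quick self-check (run with zend.assertions=1).
assert(embeddable_url('example.com/path?q=1') === 'http://example.com/path?q=1');
assert(embeddable_url('javascript:alert(1)') === null);
assert(embeddable_url('https://user:pw@example.com/') === null);
assert(embeddable_url('HTTPS://Example.COM/x#frag') === 'https://example.com/x');
```

An empty sandbox attribute applies every restriction, so sites that need JavaScript will render broken inside the frame; that is the trade-off between showing arbitrary pages and keeping them from acting on the user.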

Author

Commented:
Thanks.
