Submitting a URL into a Form without "http://", with "www.", or with neither

Question

(EDITED)

Hello,

In the form below, the field for <div class="urlfield"><input name="url" type="url" id="url" maxlength="500"></div> fine when a URL is submitted that has a "http://" at the beginning of it.

However, it doesn't work if a URL is submitted with only a "www." in front of it, or with neither a "http://" nor a "www."

How can I make it work if the submitted URL has any or none of the following at the beginning of it:

http://

www.

http://www.

Thanks in advance,

John

Form:

echo '<div class="submittitle">Submit an item.</div>';  

echo '<form action="http://www...com/.../submit2.php" method="post"> 
    <input type="hidden" value="'.$_SESSION['loginid'].'" name="uid">  

 <div class="submissiontitle"><label for="title">Story Title:</label></div> 
    <div class="submissionfield"><input name="title" type="title" id="title" maxlength="1000"></div>  

 <div class="urltitle"><label for="url">Link:</label></div> 
    <div class="urlfield"><input name="url" type="url" id="url" maxlength="500"></div>

    <div class="submissionbutton"><input name="submit" type="submit" value="Submit"></div> 
</form>
';

submit2.php:

<?php
if($_SERVER['REQUEST_METHOD'] == "POST"){header('Location: http://www...com/.../submit2.php');}

require_once "header.php";


if (isLoggedIn() == true)
{

$remove_array = array('http://www.', 'http://', 'https://', 'https://www.', 'www.');
$cleanurl = str_replace($remove_array, "", $_POST['url']);
$cleanurl = strtolower($cleanurl);
$cleanurl = preg_replace('/\/$/','',$cleanurl);
$cleanurl = stripslashes($cleanurl);

$title = $_POST['title'];
$uid = $_POST['uid'];
$title = mysql_real_escape_string($title);
$title = stripslashes($title);

$cleanurl = mysql_real_escape_string($cleanurl);

$site1 = 'http://' . $cleanurl;

$displayurl = parse_url($site1, PHP_URL_HOST);

function isURL($url1 = NULL) {
        if($url1==NULL) return false;

        $protocol = '(http://|https://)';
        $allowed = '[-a-z0-9]{1,63}';

        $regex = "^". $protocol . // must include the protocol
                         '(' . $allowed . '\.)'. // 1 or several sub domains with a max of 63 chars
                         '[a-z]' . '{2,6}'; // followed by a TLD
        if(eregi($regex, $url1)==true) return true;
        else return false;
}



if(isURL($site1)==true)
 mysql_query("INSERT INTO submission VALUES (NULL, '$uid', '$title', '$cleanurl', '$displayurl', NULL)");
else
 echo "<p class=\"topicu\">Not a valid URL.</p>\n";

} else {
    show_loginform();
}

if (!isLoggedIn())
{
    if (isset($_POST['cmdlogin']))
    {
        if (checkLogin($_POST['username'], $_POST['password']))
        {
            show_userbox();
        } else
        {
            echo "Incorrect Login information !";
            show_loginform();
        }
    } else
    {
        show_loginform();
    }

} else
{
    show_userbox();
}

require_once "footer.php";

?>

Answer 1

Without the protocol (http://), a browser should consider the url relative.

Get rid of the host (www...com) part, and start from the following slash to use the url relative to the domain's document root.

Alternatively, use an url relative to the url of the page where the form resides (could be "../../something/else/submit.php" for example.

To build a relative url dynamically without resorting to the domain root, you may find the predefined variable $_SERVER['PHP_SELF'] useful (the exact contents of which may vary depending on which web server is in question).

Answer 2

It looks fine to me, but Echo the value of the passed url at several points to see where the code is failing.

Edit try making $cleanurl = mysql_real_escape_string($cleanurl);

$cleanurl = mysql_real_escape_string(trim($cleanurl));