Building a Crude Web Proxy in One Line of PHP

A few months ago I had a sudden flash of inspiration. I was fairly familiar with how web servers work and had some experience writing PHP. I had recently purchased hosting for my personal website, and the domain it was hosted on was recently unblocked at my school. I was thinking about the basics of a web proxy: The user tells the proxy what website they want to visit. The proxy then retrieves the website and sends the data back to the user. I thought about using the trust the school filter had put in my personal website to my advantage. I had to try something. I logged in to the basic file editor that came with my host and created a blank PHP document.

<?php ?>

I didn’t want anything fancy. Just something that would work. I started with a website that I knew was blocked — YouTube. A quick Google search revealed the documentation for PHP’s file_get_contents. Its name would imply its usage for files, but it also retrieves the contents of websites.

<?php file_get_contents("http://youtube.com/"); ?>

Now what? According to the documentation, file_get_contents returns the requested file or page as a string. What if I just echoed the result?

<?php echo file_get_contents("http://youtube.com/"); ?>

I saved the page and loaded it in my browser. To my disbelief, there was YouTube. There was just one more change to make.

<?php echo file_get_contents($_GET['url']); ?>

There, now the desired website could be specified without changing the code, and the basics of the proxy were done.

Now, this stills leaves much to be desired. For starters, it is extremely insecure. Specifying a local file instead of a URL will allow anyone to access the server’s file system. It also fails to redirect requests to external files like images, CSS, and JavaScript. But as they say in the textbooks, improvements “are left as an exercise for the reader.”