It'd still leave access to any files in the same (or sub) directory starting with http, which realistically would probably be none but still something to bear in mind.
$url = rawurldecode($_GET['url']); $url_without_protocol = str_replace(array('https://', 'http://'), '', $url); $protocol = (stristr($url, 'https://') ? 'https' : 'http'); $page = file_get_contents($protocol . '://' . $url_without_protocol);
u = urlparse(url) if u.scheme not in ['http', 'https']: return 400
It'd still leave access to any files in the same (or sub) directory starting with http, which realistically would probably be none but still something to bear in mind.