I'm designing a website but I know that if the user enters a wrong character into my URL, a not-found page will open for him, and I know it can be a way to hack my website. What should I do about that? For example, if the user enters a ' into my URL like this:
http://example.com/article.php?id=585'
he moves to a not-found page which I have designed, or moves to the first page, or to the last page he was in.
Thanks.
You have to take 2 things into consideration:
Handling non-existent files
Handling non-existent article ids
Here's how to handle each case:
1) Create an .htaccess file and place it in your website root folder:
RewriteEngine on
# change this to your own 404 file path (Apache only accepts comments on their own line,
# so a trailing comment after the directive would be a syntax error)
ErrorDocument 404 /error.php
2) Open the articles.php file and add this to the top (right after checking if your ID exists)
if(!valid_id($id)) {
//if you have php 5.3- use this
header('HTTP/1.1 404 Not Found');
//if you have php 5.4+ use this
//http_response_code(404);
include('error.php'); //change this path to your own 404 file
die();
}
Obviously, valid_id() is just a function example.
You will have to create a custom 404 page. So when your website doesn't find that page, it will show your custom page.
Try this link for custom page.
By the way, from id=585' (apostrophe after 585), I mean you want to prevent SQL injection. Right? Just sanitise the input, that is, check if the id is valid or not. You can find a lot of tutorials for that, just google it.
P.S.: Believe me, it would take a lot more than a 404 page to hack your server.
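Putting the two answers above together, here is an added example (editor's code, not from either answer) of an article.php that validates the id, looks the article up with a prepared statement so the quote in id=585' never reaches SQL, and sends the 404 from the same URL instead of redirecting. The PDO DSN and credentials, the articles table and the error.php include are assumptions.

```php
<?php
// Added example: article.php that validates the id, uses a bound parameter and
// answers 404 in place. Assumes a MySQL "articles" table with id/title/body
// columns and a custom error.php next to this file.

function valid_id($raw)
{
    // Only an unsigned integer is acceptable: "585'" fails here, so the quote
    // never reaches the database and the visitor simply gets a 404.
    return (is_string($raw) && ctype_digit($raw) && strlen($raw) <= 10) ? (int) $raw : false;
}

function not_found($path = 'error.php')
{
    // The status line must go out before any output; both forms from the answer work.
    if (function_exists('http_response_code')) {
        http_response_code(404);                               // PHP 5.4+
    } else {
        header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found'); // PHP 5.3 and older
    }
    include $path;                                             // your custom 404 page
    exit;
}

$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8', 'user', 'pass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,                        // real server-side prepares
));

$id = valid_id(isset($_GET['id']) ? $_GET['id'] : '');
if ($id === false) {
    not_found();                                               // malformed id
}

// The id travels separately from the SQL text, so even a well-formed number
// cannot change the meaning of the query.
$stmt = $pdo->prepare('SELECT id, title, body FROM articles WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$article = $stmt->fetch(PDO::FETCH_ASSOC);

if ($article === false) {
    not_found();                                               // valid number, no such article
}

// Escape on output so stored content cannot inject markup into the page.
echo '<h1>' . htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<div>' . htmlspecialchars($article['body'], ENT_QUOTES, 'UTF-8') . '</div>';
```

The two cases the first answer distinguishes are both covered: a malformed id and a missing article both end in not_found(), and in neither case is the visitor redirected, so crawlers see the 404 on the URL that actually failed.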
just use this:
Open the articles.php file and add this to the top (right after checking if your ID exists)
if(!valid_id($id)) {
header('location:error.php'); exit();//change this path to your own 404 file
}
valid_id() is just a checking function example.
I have a problem with getting Joomla 3 to redirect users to a member page when a 403 is detected.
Upon researching and trying various things for literally days now I've finally given in to having to ask the question.
From my research I understand that the Joomla reads from the templates/system/error.php master file.
I have the following code implemented within the error.php and I have tried forcing it through .htaccess as well and neither work.
$ReferTo = $_SERVER['REQUEST_URI'];
$ReferTo = base64_encode($ReferTo);
if ($this->error->getCode() == '403') {
header('Location: ' . $this->baseurl . '/members'); die();
}
The current behaviour is Joomla just sends the user to a very unhelpful 403 default page.
Any ideas on this one? Thanks so much for any help.
Fortunately I have managed to find a solution by fluke. I dropped the system folder error.php file into all the individual template folders to create a system override. So far Joomla has recognised this.
Create under the main directory of your Joomla website, a 403.html file with the following content:
<meta http-equiv="refresh" content="0; url=http://www.yourwebsite.com/members" />
In your .htaccess file, add the following code:
ErrorDocument 403 /403.html
If you only want to do that for certain requests, then redirect to a 403.php file in your .htaccess file (instead of redirecting to the 403.html file), check the REQUEST_URI to see if it is indeed coming from the members area, and then redirect back to the members page.
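As an added example (editor's code, not part of the answer above), this is what that conditional 403.php could look like when used as ErrorDocument 403 /403.php. It relies on REDIRECT_STATUS and REDIRECT_URL, which Apache sets on the internal redirect, so the script can tell a real 403 from somebody who simply opened /403.php; the /members path comes from the question. It applies when Apache itself produces the 403, which is what ErrorDocument handles; a 403 status set by Joomla's own code, as the next answer reports, does not trigger it.

```php
<?php
// Added example: 403.php for "ErrorDocument 403 /403.php".
// REDIRECT_STATUS / REDIRECT_URL are filled in by Apache on the internal
// redirect; both are absent when the file is requested directly.

$status = isset($_SERVER['REDIRECT_STATUS']) ? (int) $_SERVER['REDIRECT_STATUS'] : 0;
$origin = isset($_SERVER['REDIRECT_URL']) ? $_SERVER['REDIRECT_URL'] : '';

// Only a denied request for something *inside* the members area is bounced to
// the members landing page. Requiring the trailing slash keeps /members itself
// from redirecting to itself, and the target is a fixed path rather than a
// value read from the request, so the page cannot be abused as an open redirect.
if ($status === 403 && strpos($origin, '/members/') === 0) {
    header('Location: /members', true, 302);
    exit;
}

// Everything else keeps the 403 and gets a plain page. The path is text chosen
// by whoever made the request, so escape it before echoing.
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
header('Content-Type: text/html; charset=UTF-8');
$shown = $origin !== '' ? $origin : (isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '');
echo '<!DOCTYPE html><title>403 Forbidden</title>';
echo '<h1>Access denied</h1><p>You are not allowed to view '
   . htmlspecialchars($shown, ENT_QUOTES, 'UTF-8') . '.</p>';
```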
Joomla creates/raises a 403 event when trying to access a protected article. So editing the file templates/system/error.php, or the copy within the template itself, did not work. The other solutions in .htaccess or httpd.conf using ErrorDocument did not work either.
I also tried the code $this->error->getCode() == '403', but it doesn't fire.
The only solution I found was to modify the HTML view for the articles to redirect to an article where I show a login and a personalized message.
The file to modify is components/com_content/views/article/view.html.php, lines 134 to 139
Joomla 3.9.20
The code to replace is the following:
// Check the view access to the article (the model has already computed the values).
if ($item->params->get('access-view') == false && ($item->params->get('show_noauth', '0') == '0'))
{
    $app->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');
    $app->setHeader('status', 403, true);
    return;
}
For this
// Check the view access to the article (the model has already computed the values).
if ($item->params->get('access-view') == false && ($item->params->get('show_noauth', '0') == '0'))
{
header('Location:https://www.yourwebpage/withLoginandCustomMessage.php');
die();
}
This will only be shown to users trying to view articles that require registration or with other ACLs.
I am aware that we should not edit the core files since in a Joomla update these changes could be lost, but it was the only solution I found (neither modules nor plugins covered this problem, and apparently it is something that has been carried over from Joomla 1.5).
I'm trying to send a 404 header after the page loads and was wondering if there were any solutions. Essentially, a database is searched to see if the URL is valid and corresponds to valid content. If it doesn't, it will include() an error.php file.
Is there any way that I can write an .htaccess rule that says, whenever this file is loaded, throw a 404? How else could I send that 404 inside of the error.php file, since it is not the first thing to be displayed?
Call this first on error.php, before outputting any error text.
<?php
header("HTTP/1.0 404 Not Found");
?>
You can always use the header function, just remember to do that before you output anything else.
I would recommend doing that instead of including another file, and then configure your server to serve an appropriate 404 file.
PHP docs header function
In PHP is there any way to catch a 404 not found?
If a user ends up on a 404, I want them to be redirected to a known page, but to display something different if it is due to a 404 error.
Something like
if($_SERVER['HTTP_REFERER'] == 404){
echo("You've been redirected!");
}
Thanks in advance
PHP is only given the path to the page that referred you to the current page, it can't retrieve the status code for that page.
You shouldn't need to redirect the page when the page specified doesn't exist. In Apache you can specify the ErrorDocument to be a PHP file; just append a query string to the file, such as ErrorDocument 404 /index.php?error=404, so that your PHP file knows the page being requested doesn't exist. This way you can display the error straight to the user on the same page and the URL isn't lost. You don't need session or server variables, just a $_GET['error'] check to see if an error code was provided to the page.
Or, you can specify a pre-built document that is just a 404 error page, such as ErrorDocument 404 /my404error.html, which will be displayed without any server-side processing for the page which is not found.
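An added example (editor's code, not from the answer above) of the index.php side of ErrorDocument 404 /index.php?error=404. One caveat the answer skips: anyone can type /index.php?error=404 by hand, so the script should only trust the query string when REDIRECT_STATUS, which Apache sets on the internal redirect, agrees with it. The function name, the code list and the message text are mine.

```php
<?php
// Added example: front page that doubles as the ErrorDocument target.
// Apache sets REDIRECT_STATUS and REDIRECT_URL only on its internal redirect.

function apache_error_context()
{
    if (!isset($_GET['error'], $_SERVER['REDIRECT_STATUS'])) {
        return null;                      // plain visit to index.php
    }
    $allowed = array(403 => 'Forbidden', 404 => 'Not Found', 500 => 'Internal Server Error');
    $code = (int) $_GET['error'];
    // Reject codes we have no page for, and a query string that does not match
    // what Apache says actually happened.
    if (!isset($allowed[$code]) || (int) $_SERVER['REDIRECT_STATUS'] !== $code) {
        return null;
    }
    return array(
        'code'   => $code,
        'reason' => $allowed[$code],
        'url'    => isset($_SERVER['REDIRECT_URL']) ? $_SERVER['REDIRECT_URL'] : '', // what the visitor asked for
    );
}

$error = apache_error_context();
if ($error !== null) {
    // Emit the status ourselves so the error code reaches the client even though
    // the content is produced by a script (the Apache docs recommend this).
    header($_SERVER['SERVER_PROTOCOL'] . ' ' . $error['code'] . ' ' . $error['reason']);
    header('Content-Type: text/html; charset=UTF-8');
    echo '<h1>' . $error['code'] . ' ' . $error['reason'] . '</h1>';
    // The requested path is attacker-controlled text: escape before echoing it.
    echo '<p>The address ' . htmlspecialchars($error['url'], ENT_QUOTES, 'UTF-8')
       . ' does not exist. <a href="/">Back to the home page</a></p>';
    exit;
}

// ... normal front-page rendering continues here ...
```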
Typical scenario:
1) DB items are displayed on a page such as http://...?item_id=467
2) One day the user deletes the item.
3) Google or a user attempts to access http://...?item_id=467
4) PHP digs into the DB and sees the item does not exist anymore, so now PHP must tell Google/the user that the item is not there via a 404 header and page.
According to this answer I understood there is no way to redirect to the Apache 404 page via PHP unless sending in code the 404 header + reading and sending down to the client all the contents of your default 404 page.
The problem: I already have an Apache-parsed custom 404.shtml page, so obviously I would like to simply use that page.
But if I read an .shtml page via PHP it won't be parsed by Apache anymore.
So what do you suggest I do?
Is there maybe some trick I could use playing with .htaccess too?
Thanks,
Hmm. Two ideas come to mind:
Redirect to the 404 page using header("Location:...") - this is not standards-compliant behaviour though. I would use that only as a last straw
Fetch and output the Apache-parsed SHTML file using file_get_contents("http://mydomain.com/404.shtml"); - also not really optimal because a request is made to the web server but, I think, acceptable in most cases.
I doubt there is anything you can do in .htaccess because the PHP script runs after any rewrite rules have already been parsed.
If you are using Apache mod_php, use virtual('/404.shtml'); to display the parsed .shtml page to your user.
I was trying to do this exact same thing yesterday.
Does Pekka's file_get_contents/include result in a 404 status header being sent? Perhaps you need to do this before including the custom error page?
header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
You can test using this Firefox extension.
I was looking exactly for something like you needed, so you have a page:
http://example.com/page?item_id=456
and if later you want that if item is missing you are redirected to:
http://example.com/page_not_found?item_id=456
In reality I found it is a much more maintainable solution to just use the original page as the 404 page.
<?php
// findItem() is your own lookup; it returns false when the item is missing
$item = findItem( isset($_GET['item_id']) ? $_GET['item_id'] : null );
if($item === false){
//show 404 page sending correct header and then include 404 message
// the protocol lives in $_SERVER, not $_ENV; the status line must go out before any output
header( $_SERVER['SERVER_PROTOCOL'].' 404 Not Found', true );
// you can still use $_GET['item_id'] to customize error message
// "maybe you were looking for XXX item"
include('somepath/missingpage.php');
return;
}
//continue as usual with normal page
?>
So if the item is no longer in the DB, the 404 page is shown, but you can provide replacement items or custom error messages.
I'm creating a PHP CMS and have some system pages like a 404 page, a maintenance page, and an unauthorized access page. When Page A isn't found, the CMS will redirect to the 404 page; if the user doesn't have access to Page B, it will redirect to the unauthorized access page, etc.
I'd like to use the proper status code in the header of each page, but I need clarification on how to handle the header/redirect. Do I put the 404 header on Page A and then redirect to the 404 page or do I put the 404 status on the 404 page itself? Also, if the latter is the correct answer, what kind of redirect should I use to get there, a 301 or a 302?
If a user arrives on page A and that page doesn't exist, then do not redirect : just send a 404 error code from page A -- and, to be nice for your user, an HTML content indicating that the page doesn't exist.
This way, the browser (and it's even more true for crawlers ! ) will know that the page that is not found is page A, and not anything else you'd have tried to redirect to.
Same for other kind of errors, btw : if a specific URL corresponds to an error, then, the error code should be sent from that URL.
Basically, something as simple as this should be enough :
if ($page_not_found) { // whatever test you use to decide the page doesn't exist
    header($_SERVER['SERVER_PROTOCOL'] . " 404 Not Found"); // full status line, sent before any output
    echo "some nice message that says the page doesn't exist";
    die;
}
(Well, you could output something nicer, of course ; but you get the idea ;-) )
I'm not sure if redirecting is the best way of doing this. I'd rather use some built-in functionality that is included in the project.
If the data is not found, do not redirect the user to another page, just send him an error message, like "Hey, this site does not exist! Try another one" and so on.
And not least, you should build into the code the code part from the answer of Pascal Martin.
I would do this in a function, and call it from a bootstrap or something with similar behaviour.
function show_error($type = "404", $header = true, $die = false)
{
    // status line per error page; an unknown $type falls back to 404, which also
    // keeps the include below limited to the known files
    $statuses = array('404' => '404 Not Found', '403' => '403 Forbidden', '503' => '503 Service Unavailable');
    if (!isset($statuses[$type])) $type = "404";
    if ($header)
        header($_SERVER['SERVER_PROTOCOL'] . ' ' . $statuses[$type]); // full status line, before any output
    // include, not file_get_contents: the template is executed instead of echoed as PHP source
    include $type . '.php';
    if ($die) die;
    // and so on...
}
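For the CMS case in the question (404, unauthorized, maintenance), here is an added example (editor's code, not from the answers above) that follows Pascal Martin's advice: each system page is rendered on the URL that failed, with its own status code and no Location header. The page kinds, template paths and the front-controller calls at the end are assumptions.

```php
<?php
// Added example: system pages for a small CMS, rendered in place with the
// right status instead of redirecting. Template paths are assumptions.

function system_pages()
{
    return array(
        'not_found'    => array(404, 'Not Found',           'templates/404.php'),
        'unauthorized' => array(403, 'Forbidden',           'templates/unauthorized.php'),
        'maintenance'  => array(503, 'Service Unavailable', 'templates/maintenance.php'),
    );
}

function render_system_page($kind)
{
    $pages = system_pages();
    if (!isset($pages[$kind])) {
        $kind = 'not_found';                         // unknown kinds degrade to a 404
    }
    list($code, $reason, $template) = $pages[$kind];

    if (headers_sent($file, $line)) {
        // Output already started, so the status line can no longer be changed;
        // make that visible in the log instead of silently sending a 200.
        trigger_error("cannot send $code, output started at $file:$line", E_USER_WARNING);
    } else {
        header($_SERVER['SERVER_PROTOCOL'] . " $code $reason");
        if ($code === 503) {
            header('Retry-After: 600');              // tells crawlers to come back later
        }
        header('Content-Type: text/html; charset=UTF-8');
    }
    include $template;                               // same URL answers; no redirect, no 301/302
    exit;
}

// Usage from the front controller (find_page, user_may_view and
// site_in_maintenance are placeholders for the CMS's own routing/ACL code):
//   if (site_in_maintenance())            render_system_page('maintenance');
//   if (!$page = find_page($path))        render_system_page('not_found');
//   if (!user_may_view($page, $user))     render_system_page('unauthorized');
```

Because nothing is redirected, the question of 301 versus 302 never comes up: a crawler that fetches Page A sees the 404 on Page A, and a user who lacks access to Page B sees the 403 on Page B, which is exactly what the status codes are meant to say.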