
I am developing with PHP on an Apache web server. I would like to know if there's a way to force the server to serve a custom error page whenever any of the following events occurs:

  • The page the user is looking for does not exist (I would like to serve the custom error page instead of the classic '404 Not Found');
  • The user changed the value of the value='' attribute of an `<input>` or the value of a name='' attribute and then sends the form with wrong values (for example I have an `<input>` where the value attribute represents the id of a product that is going to be purchased or a unique row in a database that is going to be cancelled). I want to prevent ambiguous behaviour, e.g. when the user changes the value attribute from the browser's 'inspect element' tool and then submits the form;
  • The user changed the ?query_string=value and then clicked on a link or submitted a form with action attribute set to "page.php?query_string=value".

So whenever any of these ambiguous events occur (I know it may seem stupid for a user to change the value of attributes of the input elements when purchasing something, but who knows) I would like to throw a page like the one on facebook with the broken finger when for example you try to visit https://www.facebook.com/hello.php.

How can I achieve that? Do I need to configure something or I can do it directly with PHP?

Thanks in advance!

tonix

1 Answer


What you could do is redirect a person based on the page he visits. A lot of frameworks have built-in route validation for that. Take for example: http://symfony.com/doc/master/book/routing.html

If a route does not match, it will display the framework's 404 page. You can't really send them to that page based on user input; what you would rather have (in the case of forms) is validation that displays an error if something goes wrong. Symfony2 (in this case) also provides CSRF tokens to prevent XSS, for example. http://symfony.com/doc/current/book/forms.html

This is pretty much all programming you need to do to secure your website and validate the user input. NEVER trust what the user sends to you, that includes $_SERVER variables ;)

Anyone
  • I'll take a look at those links, thanks! Why "includes $_SERVER variables"? – tonix Jan 05 '14 at 21:59
  • Because it contains values that come from the client, for example HTTP_USER_AGENT. This could very well include a string that can cause SQL injection or similar ;) – Anyone Jan 05 '14 at 22:03
  • Even something like `include($_SERVER['DOCUMENT_ROOT'] . '/path_to/php_file.php');`? – tonix Jan 05 '14 at 22:36
  • 1
    In theory, yes. If someone were to be able to change that value one way or another, you could suddenly include external files. "If "URL include wrappers" are enabled in PHP, you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname." – Anyone Jan 05 '14 at 22:53
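An added example, not code from the question, the answer or Symfony, that puts the answer's advice ("validate and display an error", CSRF tokens, never trust `$_SERVER`) and the `HTTP_USER_AGENT` point from the comments into plain PHP. It assumes PHP 7.1 or later with the `pdo_sqlite` extension, uses an in-memory SQLite table constructed for the demo in place of the real product table, and uses a local `$session` array and constructed request arrays in place of `$_SESSION`, `$_POST` and `$_SERVER` so it runs from the command line.

```php
<?php
// Added example (not from the question or answer). Validates a posted product
// id and a CSRF token before touching the database, and logs the client's
// User-Agent through a bound parameter. Assumes PHP >= 7.1 with pdo_sqlite;
// the tables and the request arrays below are constructed for the demo.
declare(strict_types=1);

// Constructed in-memory database standing in for the real product table.
function build_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)');
    $db->exec("INSERT INTO products VALUES (1, 'Keyboard', 4500), (2, 'Mouse', 2500)");
    $db->exec('CREATE TABLE access_log (id INTEGER PRIMARY KEY AUTOINCREMENT, user_agent TEXT)');
    return $db;
}

// Issue one CSRF token per session; $session stands in for $_SESSION here.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Accept the submitted id only if it is a positive integer naming a real row.
// A hidden value='' attribute is just another untrusted input: it is checked
// against the database, not believed.
function lookup_product(PDO $db, array $request): ?array
{
    $raw = $request['product_id'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw) || $raw === '0' || strlen($raw) > 9) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, price_cents FROM products WHERE id = :id');
    $stmt->execute([':id' => (int) $raw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// $_SERVER['HTTP_USER_AGENT'] is chosen by the client, so it goes into the
// query as a bound parameter, never by string concatenation.
function log_user_agent(PDO $db, array $server): void
{
    $ua = substr((string) ($server['HTTP_USER_AGENT'] ?? ''), 0, 512);
    $stmt = $db->prepare('INSERT INTO access_log (user_agent) VALUES (:ua)');
    $stmt->execute([':ua' => $ua]);
}

// Decide the response for one purchase request: 'forbidden' on a token
// mismatch, 'not_found' when the id does not name a row (the caller would then
// send http_response_code(404) and include the custom 404 page), or 'ok'.
function handle_purchase(PDO $db, array &$session, array $request, array $server): string
{
    log_user_agent($db, $server);
    $sent = (string) ($request['csrf'] ?? '');
    if (empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return 'forbidden';
    }
    $product = lookup_product($db, $request);
    if ($product === null) {
        return 'not_found';
    }
    return 'ok: ' . $product['name'];
}

$db = build_db();
$session = [];
$token = csrf_token($session);
// Constructed hostile User-Agent: harmless here because it is bound, not interpolated.
$server = ['HTTP_USER_AGENT' => "Mozilla/5.0'); DROP TABLE products; --"];

$cases = [
    'legit'       => ['product_id' => '2',        'csrf' => $token],
    'tampered id' => ['product_id' => '999',      'csrf' => $token],
    'injected id' => ['product_id' => '1 OR 1=1', 'csrf' => $token],
    'no token'    => ['product_id' => '1',        'csrf' => 'guess'],
];
foreach ($cases as $label => $request) {
    echo str_pad($label, 12) . ' -> ' . handle_purchase($db, $session, $request, $server) . PHP_EOL;
}
echo 'products still present: ' . $db->query('SELECT COUNT(*) FROM products')->fetchColumn() . PHP_EOL;
```

Run it with `php purchase.php`. The tampered and injected ids both come back as `not_found`, the bad token as `forbidden`, and the products table survives the hostile User-Agent. The first case in the question, a URL that does not exist at all, never reaches PHP; on Apache that one is handled by an `ErrorDocument 404 /404.php` directive in the server or vhost configuration, and the application can send the same page itself for a tampered id by setting a 404 status code before including it.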