1

For security purposes, I fake this in one place in my code for certain requests:

http_response_code(404);
die();

This will return the correct (fake) "404 Not Found" HTTP status code, and show a blank page.

I could of course replicate/fake the error page as well, for example by simply copying it, storing it separately and then echoing it before/with the die() call. However, this I consider "ugly", and will tie my code to specifically the built-in PHP webserver, and possibly make it differ after some time, if the PHP developers change it in the future. It's just not a good solution.

I want this to be completely independent on the webserver and everything. I want to provoke the webserver to send its genuine default "404 Not Found" webpage, no matter what it looks like. And I don't want it to reveal that it's not the right error page, for example by saying:

Could not find "dummydummydummydummy.php?blablabla=123" on this server.

That is, the solution must not consist of "internally faking" the request URI or anything like that.

I want it to appear as if the request truly is not valid, even though the page technically exists.

From PHP. Not some webserver-dependent configuration. (I got quite enough of that after 20 years of the Apache HTTP Server's manual.)

Corkey Adviento
  • 21
  • 1
  • Apart from cURL-ing a non-existing URL and outputting the result (which is a bit awkward / non-ideal, but should work), I'm not sure that's doable. – Jeto Nov 14 '20 at 20:01
  • @Jeto That would reveal that the "requested" URL does not match the actual URL. – Corkey Adviento Nov 14 '20 at 20:18
  • How exactly would that reveal anything? I'm not talking about a redirection or any sort, I'm talking about actually making a cURL request inside your script. There should be no way to know that from the client's perspective. – Jeto Nov 14 '20 at 20:21
  • @Jeto The error message mentions the URL requested, so it would display something different from what the user actually has in their browser address bar. – Corkey Adviento Nov 14 '20 at 20:29
  • What error message? If you cURL a non-existing page, you'll get the default 404 page's HTML ("404 Not Found"), exactly as you requested. – Jeto Nov 14 '20 at 21:33
  • @Jeto This error message: > Not Found > > The requested resource /blablablablafakefile was not found on this server. – Corkey Adviento Nov 14 '20 at 21:39
  • But why would it show that? This is not PHP built-in webserver's error message. The default error message is "404 Not Found", without any mention of any URL. I've just tested it, btw. – Jeto Nov 14 '20 at 21:45
  • [Here's a quick code sample.](https://3v4l.org/Pir3Y) – Jeto Nov 14 '20 at 22:01
  • How about doing the opposite: make sure **all** 404s render a custom template? The effect to the user is the same, but now all you have to do is ensure all requests are routed to PHP. I'm assuming (or hoping!) that you're not actually using the built in PHP web server in production, so I doubt you'll be able to guarantee behaviour across all possible web servers otherwise. – IMSoP Nov 14 '20 at 22:59
  • @Jeto That's very strange. I have certainly not modified it, and I run PHP 7.4.12. – Corkey Adviento Nov 15 '20 at 07:13
  • @IMSoP Not outside my machine, no, since they warn about that, but I sure wish that I *could*, since I strongly dislike Apache HTTP Server and nginx's requirement to change the default config for it to not listen to the world. Still, one might say that this is still "in production", although only localhost on my machine. – Corkey Adviento Nov 15 '20 at 07:15

0 Answers0