
PHP Server Side Scripting Forum

    
Best way to redirect an invalid query string in PHP
bad bot, or url hackers...here are the options I've found.
maherphil




msg:3041796
 9:06 pm on Aug 10, 2006 (gmt 0)

So I've got a little site that looks like this.

[mysite.com...]

...so what should happen if some bad bot or joker types in an invalid ID?

Here is what I've learned.

1. You can do a redirect to a homepage or 404 error...by using:

header("Location: [mysite.com");...]
OR
header("HTTP/1.0 404 Not Found");

2. You could just kill (using die or exit() ) it by doing a:

$rows = mysql_num_rows($result);
if ($rows == 0) {
    die("invalid ID"); // or: exit();
}

Questions:
-In example 1 what are the pros and cons of redirecting to the homepage vs. an error page? From a bandwidth perspective would it be wise to just 404 them? Maybe even custom 404 them with a link to the homepage just in case they are a real user?

-If you go the error page route, which page would be best to use? 404, 303, 306... i.e. ("306 Not Used HTTP/1.1");

-Am I missing something? Is there another way (especially since the header: command can't have any html above it...kind of annoying like that :)

-Are there any SEO implications of dup content or something if a legit bot gets a bad url from another site and it redirects to the homepage?

 

StupidScript




msg:3041902
 10:07 pm on Aug 10, 2006 (gmt 0)

In either case (bot with bad info or malicious visitor), I'd just exit.

if ($rows<1) { exit(); }

1) Saves bandwidth by stopping it dead
2) Good bots won't store the result (0 bytes returned)

If you wanted to be certain about what the bot might store, send a 404, but personally, I'd make an attempt to filter bots first, then simply drop malicious visitors while sending only bots the 404.

[edited by: StupidScript at 10:09 pm (utc) on Aug. 10, 2006]

maherphil




msg:3042685
 2:22 pm on Aug 11, 2006 (gmt 0)

Thx StupidScript,

I guess my only concern is about real visitors that maybe mistype a url (not that a real visitor should be typing anyway...they should be clicking the links, not hacking urls). Should I do a custom 404 with a link to the homepage and some main sections then?

slade7




msg:3042687
 2:26 pm on Aug 11, 2006 (gmt 0)

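function kill_bad_guy($lastwords)
{
    // Log the offender's IP first: die() ends the script, so nothing after it would run.
    $uip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
    mysql_query("INSERT INTO jerks (ip_addy) VALUES('$uip')");
    die($lastwords);
}

// $guy_does_something_malicious is a placeholder for your own input check.
if ($guy_does_something_malicious) {
    kill_bad_guy("You suck, dude. Adios.");
}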

Easier to manage if you do it at the very top of any file that's dependent on user input. Helps collect a nice table of jerks.

Alternately you could figure out whether it's a bot and send them off to a honeypot or something I suppose.

If it is a matter of someone arriving without ANY info, then you can use header to send them back where they came from.

jetboy




msg:3042695
 2:35 pm on Aug 11, 2006 (gmt 0)

Whatever else you do, if the requested page isn't part of your site, return a 404. Ideally it should be a helpful 404, but it should definitely have a 404 Not Found header.

StupidScript




msg:3042893
 4:58 pm on Aug 11, 2006 (gmt 0)

In the case of a mistyped URL, you should set your ErrorDocument instruction within your web server setup for that domain to the home page or something equally useful.

The problem of an invalid id being passed as part of the $_GET array is different, though. Nobody should be modifying those directly, and an error depends on an SQL query that returns no rows, as you have already posted.

An invalid id in $_GET won't trigger the ErrorDocument, but a mistyped/bad URL will.
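
The handling the replies above describe for a bad id in $_GET, as an added example that is not code from any poster in the thread: validate the id, look it up with a bound parameter, and answer an unknown id with a 404 status plus a helpful page. The items table, its columns, the sample rows and the function names are constructed for illustration.

```php
<?php
// Added example: table, columns, rows and function names are constructed.

// Decide the response for a raw ?id= value: returns [HTTP status, title or null].
function lookup_item(PDO $db, $rawId): array
{
    // Accept only a positive integer; arrays, "abc", "-5" and "1 OR 1=1" all fail here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [404, null];
    }
    // Bound parameter: the id never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT title FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? [404, null] : [200, $title];
}

function respond(int $status, ?string $title): void
{
    // The status line must be set before any output is sent.
    http_response_code($status);
    if ($status === 404) {
        echo '<h1>Page not found</h1><p><a href="/">Back to the home page</a></p>';
        return;
    }
    echo '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Constructed in-memory data so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items (id, title) VALUES (1, 'First item'), (2, 'Second item')");

if (PHP_SAPI === 'cli') {
    // Command line: show the status chosen for a few constructed inputs.
    foreach (['1', '2', '999', 'abc', '1 OR 1=1', ['x']] as $raw) {
        [$status] = lookup_item($db, $raw);
        echo json_encode($raw), ' => ', $status, PHP_EOL;
    }
} else {
    // Web request: same decision, then the real response.
    [$status, $title] = lookup_item($db, $_GET['id'] ?? null);
    respond($status, $title);
}
```

Because the lookup runs before anything is echoed, the 404 status can still be set, which addresses the "no html above header" constraint raised in the first post.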

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved