Best way to redirect an invalid query string in PHP - PHP Server Side Scripting forum at WebmasterWorld - WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

Best way to redirect an invalid query string in PHP

bad bot, or url hackers...here are the options I've found.

maherphil

9:06 pm on Aug 10, 2006 (gmt 0)

10+ Year Member

So I've got a little site that looks like this.

[mysite.com...]

...so what should happen if some bad bot or joker types in an invalid ID.

Here is what I've learned.

1. You can do a redirect to a homepage or 404 error...by using:

header("Location: [mysite.com");...]
OR
header("HTTP/1.0 404 Not Found");

2. You could just kill (using die or exit() ) it by doing a:

$rows = mysql_num_rows($result);
if ($rows==0){
die ("invalid ID");
OR
exit();
}

Questions:
-In example 1 what are the pros and cons redirecting to homepage vs. and error page? From a bandwidth perspective would it be wise to just 404 them? Maybe even custom 404 them with a link to the homepage just incase they are a real user?

-If you go the error page route, which page would be best to use? 404 303, 306...ie ("306 Not Used HTTP/1.1");

-Am I missing something? Is there another way (especially since a the header: command can't have any html above it...kind of annoying like that :)

-Are there any SEO implications of dup content or something if a legit bot gets a bad url from another site and it redirects to the homepage?

StupidScript

10:07 pm on Aug 10, 2006 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

In either case (bot with bad info or malicious visitor), I'd just exit.

if ($rows<1) { exit(); }

1) Saves bandwidth by stopping it dead
2) Good bots won't store the result (0 bytes returned)

If you wanted to be certain about what the bot might store, send a 404, but personally, I'd make an attempt to filter bots first, then simply drop malicious visitors while sending only bots the 404.

[edited by: StupidScript at 10:09 pm (utc) on Aug. 10, 2006]

maherphil

2:22 pm on Aug 11, 2006 (gmt 0)

10+ Year Member

Thx StupidScript,

I guess my only concern is about real visitors that maybe mistype a url (not that a real visitor should be typing anyway...they should be clicking the links, not hacking urls), should i do a custom 404 with a link to the homepage and some main sections then?

slade7

2:26 pm on Aug 11, 2006 (gmt 0)

10+ Year Member

function kill_bad_guy($lastwords)
{
$uip = $_SERVER['REMOTE_ADDR'];
die("$lastwords");
}

if(guy-does-something-malicious){
kill_bad_guy("You suck, dude. Adios.");
$sql = "INSERT INTO jerks (ip_addy) VALUES('$uip')";
}

Easier to manage if you do it at the very top of any file that's dependent on user input. Helps collect a nice table of jerks.

Alternately you could figure out whether it's a bot and send them off to a honeypot or something I suppose.

If it is a matter of someone arriving without ANY info, then you can use header to send them back where they came from.

jetboy

2:35 pm on Aug 11, 2006 (gmt 0)

10+ Year Member

Whatever else you do, if the requested page isn't part of your site, return a 404. Ideally it should be a helpful 404, but it should definitely have a 404 Not Found header.

StupidScript

4:58 pm on Aug 11, 2006 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

In the case of a mistyped URL, you should set your ErrorDocument instruction within your web server setup for that domain to the home page or something equally useful.

The problem of an invalid id being passed as part of the $_GET array is different, though. Nobody should be modifying those directly, and an error depends on an SQL query that returns no rows, as you have already posted.

An invalid id in $_GET won't trigger the ErrorDocument, but a mistyped/bad URL will.