Forum Moderators: coopster & jatar k

Best way to redirect an invalid query string in PHP

bad bot, or url hackers...here are the options I've found.

     
9:06 pm on Aug 10, 2006 (gmt 0)

10+ Year Member



So I've got a little site that looks like this.

[mysite.com...]

...so what should happen if some bad bot or joker types in an invalid ID.

Here is what I've learned.

1. You can do a redirect to a homepage or 404 error...by using:

header("Location: [mysite.com...]");
OR
header("HTTP/1.0 404 Not Found");

2. You could just kill (using die or exit() ) it by doing a:

$rows = mysql_num_rows($result);
if ($rows == 0) {
    // no row matched the requested ID
    die("invalid ID"); // OR: exit();
}

Questions:
-In example 1, what are the pros and cons of redirecting to the homepage vs. an error page? From a bandwidth perspective would it be wise to just 404 them? Maybe even custom 404 them with a link to the homepage just in case they are a real user?

-If you go the error page route, which page would be best to use? 404, 303, 306...i.e. ("306 Not Used HTTP/1.1");

-Am I missing something? Is there another way (especially since the header: command can't have any html above it...kind of annoying like that :)

-Are there any SEO implications of dup content or something if a legit bot gets a bad url from another site and it redirects to the homepage?

10:07 pm on Aug 10, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In either case (bot with bad info or malicious visitor), I'd just exit.

if ($rows<1) { exit(); }

1) Saves bandwidth by stopping it dead
2) Good bots won't store the result (0 bytes returned)

If you wanted to be certain about what the bot might store, send a 404, but personally, I'd make an attempt to filter bots first, then simply drop malicious visitors while sending only bots the 404.

[edited by: StupidScript at 10:09 pm (utc) on Aug. 10, 2006]

2:22 pm on Aug 11, 2006 (gmt 0)

10+ Year Member



Thx StupidScript,

I guess my only concern is about real visitors that maybe mistype a url (not that a real visitor should be typing anyway...they should be clicking the links, not hacking urls). Should I do a custom 404 with a link to the homepage and some main sections then?

2:26 pm on Aug 11, 2006 (gmt 0)

10+ Year Member



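function kill_bad_guy($lastwords)
{
    // Record the IP before exiting: die() ends the script, so nothing
    // placed after the call to this function would ever run.
    // Uses the same legacy mysql extension as the rest of the thread.
    $uip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
    $sql = "INSERT INTO jerks (ip_addy) VALUES('$uip')";
    mysql_query($sql);
    die($lastwords);
}

// $guy_does_something_malicious stands in for whatever check flags the request
if ($guy_does_something_malicious) {
    kill_bad_guy("You suck, dude. Adios.");
}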

Easier to manage if you do it at the very top of any file that's dependent on user input. Helps collect a nice table of jerks.

Alternately you could figure out whether it's a bot and send them off to a honeypot or something I suppose.

If it is a matter of someone arriving without ANY info, then you can use header to send them back where they came from.

2:35 pm on Aug 11, 2006 (gmt 0)

10+ Year Member



Whatever else you do, if the requested page isn't part of your site, return a 404. Ideally it should be a helpful 404, but it should definitely have a 404 Not Found header.

4:58 pm on Aug 11, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In the case of a mistyped URL, you should set your ErrorDocument instruction within your web server setup for that domain to the home page or something equally useful.

The problem of an invalid id being passed as part of the $_GET array is different, though. Nobody should be modifying those directly, and an error depends on an SQL query that returns no rows, as you have already posted.

An invalid id in $_GET won't trigger the ErrorDocument, but a mistyped/bad URL will.
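
The approach the thread converges on (validate the id, look it up, and answer a bad or unknown id with a helpful 404 sent before any output), as an added example that is not code from any poster. It uses PDO with a bound parameter instead of the thread's mysql_* calls; the `items` table, its columns, and the in-memory SQLite database standing in for the real one are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Table and column names are assumptions.

// Constructed sample data in an in-memory SQLite database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items (id, title) VALUES (1, 'First item'), (2, 'Second item')");

/**
 * Decide the response for a raw ?id= value.
 * Returns [HTTP status code, HTML body].
 */
function respond_for_id(PDO $db, $rawId): array
{
    // Reject anything that is not a positive integer before touching the database.
    // Missing values, arrays (?id[]=1) and strings like "1abc" all yield false.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $row = false;
    if ($id !== false) {
        // Bound parameter: the id never becomes part of the SQL text.
        $stmt = $db->prepare('SELECT title FROM items WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    }
    if ($row === false) {
        // Malformed and unknown ids get the same helpful 404.
        return [404, '<h1>Page not found</h1><p><a href="/">Back to the home page</a></p>'];
    }
    return [200, '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h1>'];
}

// Build the whole response first, then send the status line before any output,
// which avoids the "no HTML above header()" problem raised in the first post.
[$status, $body] = respond_for_id($db, $_GET['id'] ?? null);
http_response_code($status);
echo $body;
```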

 
