
I'm designing a website, but I know that if the user enters a wrong character into my URL, a not-found page will open for him, and I know it can be a way to hack my website. What should I do about that? For example, if the user enters a ' into my URL like this:

http://example.com/article.php?id=585'

he moves to a not-found page which I have designed, or moves to the first page or the last page he was on. Thanks.

IVIajid
    You can't prevent the users from typing any URL they want. All you can do is configure on your server what page they're redirected to when they get a 404 response. It's unclear why you think that typing a nonexistent URL is a way to "hack your website". – Sam Hanley Nov 11 '14 at 19:07
  • http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Umair Ayub Nov 11 '14 at 19:07
  • How exactly is that a hack? – Jonathan Kuhn Nov 11 '14 at 19:07
  • You should prevent _SQL injection_ if you want to consider that a _hack_. – itachi Nov 11 '14 at 19:08
  • They can't hack your website if the page doesn't exist, and they can't hack your website if you don't give them a security breach with which to hack into. The only thing I can think of for typos is if you load up your .htaccess with a ton of mistyped URLs and redirect to the proper page, which would be a nightmare. – timgavin Nov 11 '14 at 19:12
  • @JonathanKuhn sql injection – IVIajid Nov 11 '14 at 19:12
  • @Tim I mean sql injection – IVIajid Nov 11 '14 at 19:16
  • And what if they enter the site through a faulty URL in google and they don't have a first or last page? : – DarkBee Nov 11 '14 at 19:17

3 Answers

1

You will have to create a custom 404 page. So when your website doesn't get that page, it will show your custom page.

Try this link for custom page.

By the way, from id=585' (apostrophe after 585), I mean you want to prevent SQL injection. Right? Just sanitise the input, that is, check if id is valid or not. You can find a lot of tutorials for that; just Google it.

P.S.: Believe me, it would take a lot more than a 404 page to hack your server.

Ayush choubey
1

You have to take 2 things into consideration:

  1. Handling non-existent files
  2. Handling non-existent article ids

Here's how to handle each case:

1) Create an .htaccess file and place it in your website root folder:

RewriteEngine on
# change the path below to your own 404 file (Apache does not allow a comment at the end of a directive line)
ErrorDocument 404 /error.php

2) Open the articles.php file and add this to the top (right after checking if your ID exists)

if(!valid_id($id)) {
    //if you have php 5.3- use this
    header('HTTP/1.1 404 Not Found');

    //if you have php 5.4+ use this
    //http_response_code(404);

    include('error.php'); //change this path to your own 404 file
    die();
}

Obviously, valid_id() is just a function example.

Andres SK
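The two answers above cover the same two checks (is the id well-formed, does the article exist) but leave valid_id() as a placeholder. The following is an added example, not code from either answer or from the asker's site, of an article.php that does both checks and answers the comment thread's real concern by querying with a bound parameter instead of interpolating id into SQL. It assumes PHP 7.1+, PDO with MySQL, a table named articles with columns id, title and body, a 404 template at error.php, and placeholder database credentials; all of these names are assumptions, not values from the thread.

```php
<?php
// Added example (not from the thread). Assumptions: PHP 7.1+, PDO/MySQL,
// a table `articles(id, title, body)`, and a 404 template at error.php.
// The DSN, user and password below are placeholders.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8mb4', // placeholder DSN
    'db_user',                                           // placeholder user
    'db_password',                                       // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

/**
 * Validate the raw `id` query parameter. Only a positive integer passes, so
 * input such as "585'" or "585 OR 1=1" is rejected before any database work.
 * Accepts mixed because $_GET['id'] may be an array (id[]=1) rather than a string.
 */
function parse_article_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects trailing junk ("585'") and non-numeric text
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Send a genuine 404 status with the site's own error page, then stop. */
function not_found(): void
{
    http_response_code(404);          // a real 404, not a 302 redirect to a page that returns 200
    header('Cache-Control: no-store');
    include __DIR__ . '/error.php';   // your own 404 template (assumed path)
    exit;
}

/** Fetch one article by id using a bound parameter; returns null when absent. */
function fetch_article(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 1) malformed id: 585', abc, -1, 0, id[]=1
$id = parse_article_id($_GET['id'] ?? null);
if ($id === null) {
    not_found();
}

// 2) well-formed id but no such article
$article = fetch_article($pdo, $id);
if ($article === null) {
    not_found();
}

// Output is escaped so a stored title or body cannot inject markup into the page
echo '<h1>' . htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<div>' . htmlspecialchars($article['body'], ENT_QUOTES, 'UTF-8') . '</div>';
```

The validation step makes the apostrophe in the question's URL irrelevant to the database, and the prepared statement means that even an id that slipped past validation would be sent as data rather than as SQL. Returning the status via http_response_code() and including the template keeps the 404 in the response itself, which is what the ErrorDocument directive in the first step does for files that do not exist; a redirect to error.php would instead answer 302 followed by a 200, so crawlers and monitoring would never see the 404.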
0

just use this:

Open the articles.php file and add this to the top (right after checking if your ID exists)

if(!valid_id($id)) {

    header('location:error.php');
    exit(); //change this path to your own 404 file
}

valid_id() is just a checking function example.

Ahosan Karim Asik