-1

I've been trying to get an error page (404) to work, well, it does work, but I can't get it to report what file the user tried to access.

In the script I'm calling the REQUEST_URI:

$requri = getenv("REQUEST_URI");

I've also tried:

$requri = ($_SERVER['REQUEST_URI']);

Both of them seem to report "404.php", which is the error page itself, and not the faulty address they wrote.

I've got no idea why it thinks the error page is the requested page... Unless the .htaccess command, ErrorDocument 404 https://mydomain.se/404.php, is faulty, but I don't think it is.

JoBe

2 Answers

0

Instead of using ErrorDocument, you should (1) handle 404s in your application using a router or (2) use RewriteRule, as shown in this post.

Once you do the above, $_SERVER['REQUEST_URI'] is, indeed, what you want. But you should never echo it out in raw form. It could easily contain an XSS attack. Instead, assuming you're just displaying it on screen (not in a parameter of an HTML tag or something), you would use htmlentities(), as in

echo htmlentities($_SERVER['REQUEST_URI']);
elixenide
  • The XSS isn't a problem (I think), I'm actually pretty new to all this, but I basically want the system to send a mail with the info about the error. – JoBe May 20 '17 at 20:49
  • @JoBe XSS absolutely *is* a problem; it's among the most prevalent attack vectors. As a rule, you should *never* trust user input of any kind, and the URL requested is definitely user input. – elixenide May 20 '17 at 20:57
  • Ok, I was not trying to claim that XSS isn't a problem, I don't even know what it is, but whatever it is, it surely can't mess with the PHP sending the string to me by mail? – JoBe May 20 '17 at 21:14
  • @JoBe It definitely can cause problems. XSS is less of an issue in emails than in webpages, but that doesn't mean you can ignore it. And there are other types of injection that can be used in an email context. Again, the rule is always to treat the data as dangerous, even if you don't know how it could be used in an attack. – elixenide May 20 '17 at 21:38
  • Ok, well I never heard of it, I think I need to look it up, thx for the tip. – JoBe May 21 '17 at 08:32
0

Indeed, you want to use $_SERVER["REDIRECT_URI"]. I just looked up that sometimes I do this with htmlspecialchars(strip_tags(stripslashes($_SERVER["REQUEST_URI"])))

Note however that I suggest you use ErrorDocument 404 /404.php (local instead of full URL) for the redirection (or even use a single /error.php for several status codes such as 401 and 403 and evaluate $_SERVER["REDIRECT_STATUS"]).

Hagen von Eitzen
  • This one worked fine, assortment l apparently the server took the call for the error 404 php file as Uri if you write the complete path (http://myserver.com/404.php), but calling locally, as suggested by Hagen von Eitzen (/404.php) worked! – JoBe May 20 '17 at 20:58
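
The points from both answers and the comment thread combined into one handler, as an added example that is not code from either answerer: a local ErrorDocument target that reads the status and the requested URI, mails a plain-text report, and escapes the URI only when printing it into HTML. The file name /error.php follows the second answer's suggestion; the report address, the helper names clean_for_mail and build_report, and the 2000-character cap are assumptions.

```php
<?php
// Added example, not code from the thread. Save as /error.php and point
// Apache at it with a local path:  ErrorDocument 404 /error.php
const REPORT_TO = 'webmaster@example.invalid'; // placeholder address (assumption)

// Make a request-derived value safe for a plain-text mail body:
// remove control characters (CR and LF included) and cap the length.
function clean_for_mail(string $value, int $max = 2000): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return substr($value, 0, $max);
}

// Build the report from a $_SERVER-style array. Subject and headers are
// fixed strings; untrusted data is placed only in the body.
function build_report(array $server): array
{
    $status = (int) ($server['REDIRECT_STATUS'] ?? 404);
    if (!in_array($status, [401, 403, 404], true)) {
        $status = 404; // e.g. someone requested /error.php directly
    }
    $uri  = clean_for_mail((string) ($server['REQUEST_URI'] ?? ''));
    $body = "Status: $status\nRequested: $uri\n";
    return ['status' => $status, 'subject' => "Site error $status", 'body' => $body];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input so the script can be tried from the command line.
    $sample = ['REDIRECT_STATUS' => '404',
               'REQUEST_URI'     => "/no-such-page\r\nX-Test: 1<b>"];
    print_r(build_report($sample));
    exit;
}

$report = build_report($_SERVER);
http_response_code($report['status']);
mail(REPORT_TO, $report['subject'], $report['body'],
     'Content-Type: text/plain; charset=UTF-8');

// Escape at output time, for the HTML context the value is printed into.
$shown = htmlspecialchars($_SERVER['REQUEST_URI'] ?? '',
                          ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "<p>Error {$report['status']} for <code>$shown</code>.</p>";
```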