404 redirect script not working

galahad3 · 09-17-2009, 09:58 AM

Hi, I've set up a PHP script which checks the inputted URL against records in a db, and does one of two things- (1) sends the user to a specified URL if the typed URL matches a record in the db, or (2) just outputs the 404 ewrror page if there's no match in the db.

The problem is that it always outputs the 404, regardless of whether or not there's a matching record in the db. I guess something must be wrong with the script but I can't see what:

This is the code:

<?php
include ('manager/exhibitions/inc/dbconnect.php');

$query = "SELECT showname FROM exhibitionstable WHERE showname = '". mysql_real_escape_string($_SERVER['REQUEST_URI']) ."' ";

$numresults=mysql_query($query);
$numrows=mysql_num_rows($numresults);

if ($numrows == 0)
{
echo "<p>404 error</p>";
}
else
{
header('location: exhibitions.html');
exit;
}
?>

Any ideas?

SKDevelopment · 09-17-2009, 10:07 AM

I would try 2 things:

1) echo your $query. It sometimes helps to see the problem at once. I would also try to run the echoed query outside of PHP (from phpMyAdmin or - if under Windows - HeidiSQL).

2) try to output MySQL error message

PHP Code:


			
$numresults=mysql_query($query) or die(mysql_error());

Of course or die(mysql_error()); must be commented or removed in the Production environment.

galahad3 · 09-17-2009, 10:14 AM

Thanks, tried echoing the $query and interestingl;y it displays in the output page:

SELECT showname FROM exhibitionstable WHERE showname = '/Show2'

"Show2" being the typed URL- but what I don't see is where on earth it's getting the slash from as it isn't in the SELECT statement...

I guess it's picking it from the typed URL but I need a way of stopping the script including it...

???

SKDevelopment · 09-17-2009, 10:41 AM

Do you need to cut off the query string ? (the part of URL after "?" e.g. in URL's like /my_script?a=1).

I think you could use basename() and String functions like this:

PHP Code:


			
$name = basename($_SERVER['REQUEST_URI']);

if(false!==strpos($name,'?'))

{

 $name = substr($name,0,strpos($name,'?'));

}

galahad3 · 09-17-2009, 11:00 AM

Okay- so we can then use $name in place of the global SERVER variable inside the $query, right?

Thanks

SKDevelopment · 09-17-2009, 11:27 AM

Yes.

If you need stricter validation for anything that comes from $_SERVER['REQUEST_URI'], you could also use regular expressions. I am not absolutely sure if $_SERVER['REQUEST_URI'] could be changed by a potential attacker (maybe not). And also your script already looks like a validation script so I mentioned this just in case.

String functions are usually considered much faster but regular expression normally give more control on what you validate without writing a lot of code. Regexps are slower but in cases where I want to be absolutely sure that something exactly corresponds the required pattern I always use regexps.

galahad3 · 09-17-2009, 01:52 PM

That seems to be working- many thanks. It's forwarding to the speciofied page if the URL matches the db entry anyway so that's a big step forwards.

Many thanks for the pointers.

[Hmm... well it *was* working... but now in the testing echo I get this output:

SELECT showname FROM exhibitionstable WHERE showname = 'fixed.htc'

Where that comes from I've no idea as it certainly isn't in the database!

This is the current code:

<?php
include ('manager/exhibitions/inc/dbconnect.php');

$name = basename($_SERVER['REQUEST_URI']);
if(false!==strpos($name,'?'))
{
$name = substr($name,0,strpos($name,'?'));
}

$query = "SELECT showname FROM exhibitionstable WHERE showname = '". mysql_real_escape_string($name) ."' ";

echo $query;

$numresults=mysql_query($query) or die(mysql_error());
$numrows=mysql_num_rows($numresults);

if ($numrows == 0)
{
echo "<p>404 error</p>";
}
else
{
header('location: exhibitions.html');
exit;
}
?>

What's interesting if that it worked ONCE, I typed in http://mydomain/travejl.html and travejl.html is an entry in the db) and it forwarded to exhibitions.html.

But now it just shows the output as above...

galahad3 · 09-17-2009, 04:28 PM

Okay, this is *very* weird.

For some reason, it only works once for each mis-typed URL, and ONLY if I make some arbitrary change to the script, undo the change, and save the script!

For example:

I save and upload the script
I type in a URL which is in the db, for example, mydomain.com/GNETIG
It forward to exhibitions.html. GREAT!

But...

I go back and type the URL again (even after completely clearing the cache or using a different machine) and it doesn't work. It just goes to the 404 output.

However if I stay on that page, go and re-save the script file again, and then refresh the page- bingo, it forwards to the exhibitions.html page.

Why would it be doing this?! Obviously it isn't workable as it needs to work every time, not just one time only and just after the script has been saved. Also I tested from a separate machine that hadn't browsed to that page before, and got the same result, so it's not session-based.

I should note that when I re-save the script I'm not making any changes to it. The script itself seems to work fine.

Anyone know why this bizarre behavior would take place?

SKDevelopment · 09-17-2009, 04:39 PM

I think you would need to debug ... Echo $_SERVER['REQUEST_URI'] each time instead of redirecting, echo the query, check how many rows returned - if 0, run the SELECT query on the table and see why this happened ...

Most important - check that the script names are present in the table exhibitionstable and no script deletes them from the table.

galahad3 · 09-17-2009, 04:55 PM

Well, if I change the script so I echo the SERVER variable instead:

if ($numrows == 0)
{
echo "$_SERVER['REQUEST_URI']";
}

I actually get no output at all from the script...

There are no other swcripts running on the table and I've also manually checked the table and found all the records are still in place and unchanged...

SKDevelopment · 09-17-2009, 05:05 PM

The correct syntax is either

PHP Code:


			
echo $_SERVER['REQUEST_URI'];

or

PHP Code:


			
echo "{$_SERVER['REQUEST_URI']}";

No output means the error output is suppressed.

Add the following to the very top of the script while debugging:

PHP Code:


			
error_reporting(E_ALL);
ini_set('display_errors','1');

After debugging is over, please comment or delete these 2 lines.

galahad3 · 09-17-2009, 05:09 PM

Okay, interestingly it now outputs as follows:

SELECT showname FROM exhibitionstable WHERE showname = 'fixed.htc' /fixed.htc

I still have no idea what fixed.htc is or where the script gets this from, as it certainly isn't in the db nor is in the typed URL. ???

SKDevelopment · 09-17-2009, 05:17 PM

How do you redirect to this script to process URL's ? With .htaccess ? You are using Apache mod_rewrite ? If .htaccess does not contain any information you consider sensitive (only in this case) could you post the file content here ?

galahad3 · 09-17-2009, 05:26 PM

There is a .htaccess in the web root, this is the contents of the file:

Options +FollowSymlinks
RewriteEngine On
RewriteBase /

# Fix Apache internal dummy connections from breaking [(site_url)] cache
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule .* - [F,L]

# Rewrite domain.com -> www.domain.com -- used with SEO Strict URLs plugin
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^example\.com [NC]
#RewriteRule (.*) http://example.com/$1 [R=301,L]

# Exclude /assets and /manager directories from rewrite rules
RewriteRule ^(manager|assets) - [L]

# For Friendly URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

# Reduce server overhead by enabling output compression if supported.
#php_flag zlib.output_compression On
#php_value zlib.output_compression_level 5

galahad3 · 09-18-2009, 10:10 AM

Is there is anything in the .htaccess that needs to be changed?

I just don't see how the script works fine but only if it's just been saved!