Search code examples
apache.htaccesshttp-redirectmod-rewritehttp-status-code-404

How to show error 404 if someone mess with the URL DIrectory

htaccess and database conneciton pretty successfully

if someone typed www.example.com/dsadsada it showed an error page
if someone typed www.example.com/news/dsadsa it's also showed an error page
but when someone typed www.example.com/news/besthotelinthearea2019/dsadsadsadsa it doesn't showed an error page, it still displaying the best hotel in the area 2019 news but with no css, how can redirect it to 404 error ? Thank you very much

and this is currently the code that is on my .htaccess

    RewriteEngine on

    ErrorDocument 404 /error.php
    ErrorDocument 300 /error.php

    RewriteRule ^index.html$ / [R=301,L]
    RewriteRule ^(.*)/index.html$ /$1/ [R=301,L]

    RewriteCond %{THE_REQUEST} ^.*/index\.php 
    RewriteRule ^(.*)index.php$ /$1 [R=301,L] 

    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} ^example\.com [NC]
    RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

    RewriteRule ^news/([0-9a-zA-Z_-]+) news.php?url=$1 [NC,L]

    RewriteRule ^sectioncategory/([0-9a-zA-Z_-]+) sectioncategory.php?category=$1 [NC,L]
Solution 
  • RewriteRule ^news/([0-9a-zA-Z_-]+) news.php?url=$1 [NC,L]

    Because this rule/regex only grabs the part of the URL upto the second slash and discards the rest (potentially causing a duplicate content issue and opening your site up to abuse). eg. When you request /news/besthotelinthearea2019/dsadsadsadsa it is rewriting the request to news.php?url=besthotelinthearea2019 (the /dsadsadsadsa part is effectively ignored). The same as if you had requested /news/besthotelinthearea2019.

    Add an end-of-string anchor ($) to the regex so it only matches /news/besthotelinthearea2019 and not /news/besthotelinthearea2019/<anything>.

    For example:

    RewriteRule ^news/([0-9a-zA-Z_-]+)$ news.php?url=$1 [NC,L]

    The same "problem" applies to your last rule (ie. "sectioncategory") as well.

    NB: The NC flag should be unnecessary here (unless news can be requested with mixed case - not advisable) and the character class can be simplified. For example, the above is equivalent to:

    RewriteRule ^news/([\w-]+)$ news.php?url=$1 [L]

    The shorthand character class \w is the same as [0-9a-zA-Z_].

    Aside:

    if someone typed www.example.com/news/dsadsa it's also showed an error page

    In this case, the "error page" must be generated by your script (news.php), not Apache.

    (Whereas the URL in the first part of this answer will now trigger the Apache ErrorDocument, since it does not match your rule.)