
custom 404 error page within a very simple custom PHP framework

I redirect all requests to my index.php with the code below:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

I couldn't learn OOP; however, I created a very simple, working custom framework to manage URL requests from visitors. The logic is:

if ( Is site under maintenance? )
{  
    display "under maintenance page" if answer is true;
}

else if ( if page exist physically or I know that url has a valid content )
{  
    display related content;
}

else
{
    display custom404.php
}

I know .htaccess can be used for a custom 404 page, but I am asking in order to learn. I also searched here and on Google but couldn't find a related article. Here are my 3 questions.

regards

Q-1

Does this approach mean that "there will be no real 404 error page"? (Sorry for the term "real", but I hope you understand. I couldn't find a better term.)

Q-2

Does this approach have anything unfavorable with regard to search engine bots?

Q-3

Does this approach have anything unfavorable that MUST be known? (My opinion is no, but I am very far from being an expert.)

Q1: It's a good solution. You should also return a 404 header if you want and display the page with the content you want:

<?php
header("HTTP/1.0 404 Not Found");
// here you display content you want

Q2: No, it doesn't. Of course, if for any reason you change the structure of your site and many links point to nonexistent pages, you should consider making 301 redirects for them to the correct pages instead of displaying a 404 page (it's good for users and search engines).

Q3: No, it doesn't

That should work, but for Q-2 you should include a 404 header ( header("HTTP/1.0 404 Not Found"); ) so that search engines know that the page doesn't exist, and they won't crawl deeper into that URL.

Q-1: since your .htaccess masks all requests to index.php, there would be no server-constructed 404 page; that's why you need the 404 header on your custom 404 page.

Q-3: I don't see any problems with doing this :)

I'm with Caweren and Marcin; the only thing that I want to add is a security consideration. With this approach you should be very careful in the way you check "if page exists physically" and with "load related content before". Let me explain: if you use file_get_contents to check and retrieve the content, an attacker could do a

index.php?q=http://mr_bean_photo

And he will get a defacement of your website. This can also be used to submit polls from other websites, or as a proxy to brute-force a third website's login:

index.php?q=http://anotherwebsite.com/login.php?user=admin&password=admin

Then the request to that third page will be made from your web server, so be careful with that.

If you check the content via fopen or something like that, be sure that a local file system path cannot be included like this:

index.php?q=/etc/passwd

This can also be used to retrieve a private certificate key, so be careful with this too.

Of course the attacker should know that you're redirecting to index.php?q=, but there are a lot of applications that can find that (and of course it is a common usage).
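
One way to write the "does the page exist physically" check so that the kinds of q values discussed above end in the custom 404 instead of being fetched or read. This is an added example, not code from the question or the answers; resolve_page(), the temporary pages directory and the .php suffix are assumptions made for illustration.

```php
<?php
// Added example: map ?q= to a file inside one content directory, or return null.
// resolve_page() and the directory layout are hypothetical, not from the post.

function resolve_page(string $q, string $baseDir): ?string
{
    // Refuse stream-wrapper/URL syntax (http://, php://, ...) and NUL bytes
    // before the value ever reaches a filesystem function.
    if ($q === '' || strpos($q, "\0") !== false || strpos($q, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ and symlinks, and returns false for missing files.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($q, '/\\') . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: the resolved path must still be inside the content directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample content directory so the example runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'about.php', 'About page');

// Constructed sample requests, including the shapes mentioned in the answer above.
$samples = ['about', 'http://example.com/x', '/etc/passwd', '../../etc/passwd', 'missing'];
foreach ($samples as $q) {
    $file = resolve_page($q, $base);
    // In index.php the null branch would be:
    //   http_response_code(404); require 'custom404.php'; exit;
    printf("%-22s => %s\n", $q, $file === null ? '404 Not Found' : 'serve ' . basename($file));
}

// Clean up the constructed sample.
unlink($base . DIRECTORY_SEPARATOR . 'about.php');
rmdir($base);
```

The null branch is where the 404 header recommended in the earlier answers belongs, so rejected input and missing pages look identical to the client.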
