Question

I am developing with PHP on an Apache web server. I would like to know if there's a way to force the server to serve a custom error page whenever any of the following events occurs:

  • The page the user is looking for does not exist (I would like to serve the custom error page instead of the classic '404 Not Found');
  • The user changed the value of the value='' attribute of an <input>, or the value of a name='' attribute, and then sends the form with wrong values (for example, I have an <input> where the value attribute represents the id of a product that is going to be purchased or a univocal row in a database that is going to be cancelled). I want to prevent ambiguous behaviour, e.g. when the user changes the value attribute from the browser's 'inspect element' tool and then submits the form;
  • The user changed the ?query_string=value and then clicked on a link or submitted a form with action attribute set to "page.php?query_string=value".

So whenever any of these ambiguous events occur (I know it may seem stupid for a user to change the value of attributes of the input elements when purchasing something, but who knows) I would like to throw a page like the one on facebook with the broken finger when for example you try to visit https://www.facebook.com/hello.php.

How can I achieve that? Do I need to configure something, or can I do it directly with PHP?

Thanks in advance!


Solution

What you could do is redirect a person based on the page he visits. A lot of frameworks have built-in route validation for that. Take for example: http://symfony.com/doc/master/book/routing.html

If a route does not match, it will display the framework's 404 page. You can't really send them to that page based on user input, what you rather have is (in case of forms) validate and display an error if it goes wrong. Symfony2 (in this case) also provides CSRF tokens to prevent XSS for example. http://symfony.com/doc/current/book/forms.html

This is pretty much all the programming you need to do to secure your website and validate the user input. NEVER trust what the user sends you; that includes $_SERVER variables ;)
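Here is an added worked example of the two pieces the answer describes, server-side validation of a form whose value='' attribute the user may have edited, plus a per-session CSRF token checked on submit, written in plain PHP rather than Symfony. It is not code from the answer, the question or the Symfony project; the catalogue array, the field names, the error-page renderer and the status codes are all assumptions made for this illustration. Any failed check renders the same custom error page the question asks for, with an appropriate HTTP status, instead of acting on the tampered value; the price is looked up server-side, so a tampered hidden price field is ignored entirely.

```php
<?php
// Added example (not the answer's or Symfony's code): a single-file PHP
// handler for a "buy product" form that never trusts the submitted value=""
// attribute. The catalogue, field names and error page below are assumptions
// made for this illustration.
declare(strict_types=1);
session_start();

// Constructed in-memory catalogue standing in for the database table the
// question mentions. The server decides what an id means and costs.
const CATALOGUE = [
    101 => ['name' => 'USB key',    'price_cents' => 1299],
    102 => ['name' => 'Headphones', 'price_cents' => 4999],
];

// Render the custom error page with the given status and stop. For URLs that
// never reach PHP, Apache can map them to the same page with
//   ErrorDocument 404 /error.php
// in the vhost or .htaccess; this function covers the PHP-side failures.
function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/html; charset=utf-8');
    echo '<!doctype html><title>Oops</title><h1>Something went wrong</h1><p>'
        . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
    exit;
}

// One CSRF token per session, generated from the CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Validate a submitted purchase. Returns the catalogue row, or calls fail().
// Works unchanged on $_GET, so "page.php?product_id=..." gets the same checks.
function validatePurchase(array $input, array $session): array
{
    // 1. CSRF token present and equal to the session's, compared in constant time.
    $token = $input['csrf'] ?? '';
    if (!is_string($token) || empty($session['csrf'])
        || !hash_equals($session['csrf'], $token)) {
        fail(403, 'Invalid or missing form token.');
    }
    // 2. The id must be a positive integer: "abc", "1 OR 1=1", "" all fail here.
    $id = filter_var($input['product_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        fail(400, 'Malformed product id.');
    }
    // 3. It must name a product we actually sell; otherwise value="" was edited.
    if (!isset(CATALOGUE[$id])) {
        fail(404, 'No such product.');
    }
    // Price comes from the catalogue, never from the request.
    return CATALOGUE[$id] + ['id' => $id];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $product = validatePurchase($_POST, $_SESSION);
    printf('Purchasing %s for %.2f EUR',
        htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8'),
        $product['price_cents'] / 100);
    exit;
}

// GET: show the form. The button values are only hints; they are re-validated
// against the catalogue on submit, so editing them in "inspect element" just
// produces the error page.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">';
foreach (CATALOGUE as $id => $row) {
    printf('<button name="product_id" value="%d">Buy %s</button>',
        $id, htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
}
echo '<input type="hidden" name="csrf" value="' . $token . '"></form>';
```

Save it as buy.php and run it with PHP's built-in server (`php -S localhost:8000 buy.php`); submitting the form normally purchases the chosen product, while changing the button's value to 999 in the browser's inspector yields the custom page with a 404, a non-numeric value yields it with a 400, and replaying the request without the session's token yields it with a 403. The point of the design is that the error page is reached by failing a server-side check, not by anything the client sends; the Apache ErrorDocument directive handles only the case where no script runs at all.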

Licensed under: CC-BY-SA with attribution