Strange php behavior

Question

I was busy on my website doing URL rewrites when suddenly something happened from which I really don't know how it happened or how this is possible and how to maybe prohibit this from happening, probably some little mistake in the URL rewrite rule where I try to force the www in front of the address but when I remove the www. and press enter it comes up with an address which he can't find cause he doesn't put a / behind the .nl

somehow a extra index.php got fixed in between and what happens that in this way the whole website can be seen without any CSS markup...

it is reproducible, just fit the extra index.php in between like the example and the whole website can be seen and surfed without any markup from the CSS file

[http://www.capoeiravelsen.nl/index.php/index.php?page=home]

what is actually happening here ? why isn't it reading the CSS file in this way. of course users are not just gonna fix the extra index.php in between but does this presents a sort of security breach or bug or whatever....

[EDIT]

yeah it sounds logic that it can't fetch the CSS cause it looking in a different directory or something, still don't know how it still can fetch all the other docs then since a folder named index.php doesn't exist in any way.

it happened with this rewrite rule:

 RewriteCond %{HTTP_HOST} !^www\.         [NC]
 RewriteCond %{HTTP_HOST} (.*)
 RewriteRule (.*)         http://www.%1$1 [R=301,L]

where I forced the www in the address, but when a some random crazy user would want to delete the www. and pressed enter the weird effect occurs.

the request would then change to: [http://www.capoeiravelsen.nlindex.php/?page=home] where the browser says it can't find that page of course

not noticing the / in between .php and ? I put a / in between .nl and index.php so it would become [http://www.capoeiravelsen.nl/index.php/?page=home] and pressed enter

then the whole address changed to: [http://www.capoeiravelsen.nl/index.php/index.php?page=home]

where browsing the site is possible but without markup...

I solved this issue by changing the rewrite rule to:

 RewriteCond %{HTTP_HOST} !^www\.
 RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

when some random user would delete the www. and pressed enter nothing crazy happens the www. just gets forced again

Answer 1

I don't know about your rewriting rules since you haven't posted them, but the problem with missing CSS is because you're linking the stylesheet and other files in your HTML with relative paths, i.e.:

<link href="inc/stylesheet.css" rel="stylesheet" type="text/css">

Since your URL is http://www.capoeiravelsen.nl/index.php/index.php?page=home that makes the browser request a file located under http://www.capoeiravelsen.nl/index.php/inc/stylesheet.css, which, of course, doesn't exist on the server.

One solution is to change all paths in your HTML to absolute, i.e.:

<link href="http://www.capoeiravelsen.nl/inc/stylesheet.css" rel="stylesheet" type="text/css">

Answer 2

You are linking the CSS relatively

<link href="inc/stylesheet.css" rel="stylesheet" type="text/css">

When you are accessing /index.php/index.php?page=home the browser look for the CSS file in

/index.php/inc/stylesheet.css

The Solution is :

1. Fix the rewrite so it won't allow using "/" after the php file (this way the OS looks for folder named "index.php"
2. link the CSS file absolutly: i.e:

[link href="/inc/stylesheet.css" rel="stylesheet" type="text/css" />

(replace the [ with < :) )

Hope it helps

Answer 3

It will try to fetch the CSS files from the directory /index.php/ on your web server and not / as expected. It is not a security breach