PHP, MySQL: Security concern; Page loads in a weird way

I am testing the security of my website. I am using the following URL to load a PHP page in my website, on localhost:

http://localhost/domain/user/index.php/apple.php

When I do this, the page is not loading normally; Instead the images, icons used in the page simply vanish/disappear from the page. Only text appears. And also on any link I click on this page, it brings me to this same page again without navigating to the required page. So if I have hyperlinks to other pages, such as "SEARCH", which points to search.php, instead of navigating to the search.php page, it refreshes the index.php page and just appends the page name of the destination page to the end of the URL.

For example, say I used the link above. It then loads the index.php page minus the images at it's will. When I click on the "Search" link to navigate to the search page, I see the following in the URL:

http://localhost/domain/user/index.php/search.php

I have a redirection configured to a 404 error page in my .htaccess file, but the page does not redirect to the 404 error page. Notice the search.php towards the end of the URL above. Any other link that I click, reloads the index.php page and just appends the destination page name to the end of the URL like I have shown above.

I was expecting to see a 404 Error but that does not happen. The URL should not even be able to load the page because I do NOT have a "index.php" folder in my website.

What can I do to solve this? All help is appreciated.

Update:

The security concern is that users being able to see a non-existing page (which is quite misleading) like http://localhost/domain/user/index.php/apple.php especially when it does not exists. This makes me feel that this is going to open doors for hackers to exploit the website and compromise its integrity. Can this happen in such a case? I want users to see a 404 error page and any I am willing to any change needed in .htaccess file to accommodate this.

Can you suggest me of some code that I can add to my .htaccess file to accomplish this?

Thank you.

EDIT1:

Here are the contents of my .htaccess files. I have 2 of them. One in domain root and the other in 'user' folder/directory.

/*.htaccess in domain root*/
ErrorDocument 404 /domain/404.php

/*.htaccess in user folder*/
ErrorDocument 404 /domain/user/404.php

开发者_StackOverflow中文版EDIT2:

@Pekka Thanks for the link. I added the following code in the .htaccess file (within the user directory)

<Files "mypaths.php">
Options +Includes
SetOutputFilter INCLUDES
AcceptPathInfo Off
</Files>

But still this does not show me the 404 page. Sorry, I am very novice with the .htaccess. Hope you will be able to tell me what I am wrong. Thanks.

The behaviour of why this loads a page:

http://localhost/domain/user/index.php/apple.php

is easily explained. The request is passed to index.php, with apple.php being in the $_SERVER["PATH_INFO"] variable.

So you are in the /user directory as far as the server and the PHP script are concerned.

This is also why no 404 turns up: index.php is always found, no matter which file you specify as the last file.

The browser, however, interprets index.php not as a file, but as the parent directory of apple.php.

Therefore, every relative link you put on the page, say to contact.php is fetched like this:

 http://localhost/domain/user/index.php/contact.php

which obviously won't work.

What you may want to do is use absolute paths in images and links, but either way, this is of no concern to security whatsoever.

As a side note, this whole phenomenon is sometimes used to create search engine friendly URLs without having to use mod_rewrite module.

You can turn this behaviour off using the AcceptPathInfo directive.

As for the images, you just have to learn to use absolute paths to your images, which is absolutely necessary

Just instead of images/head.jpg write /images/head.jpg and you will have all your images and styles in place.

As for the /user/index.php/apple.php - why do you want such an odd address?
Why not to use just user/apple.php?

And where is security in your question?