There still remains the question of what is meant by "it works"...
The sanitizer as I see it, at least in this regard, identifies that if the products_id is amiss by someone (not something) navigating the site, then perhaps there is something else that is amiss and therefore it recreates the path that is the next destination in a way that ignores whatever was previously provided. I.e., it sanitizes the content. After all, what site would itself display a link to a product that is on the site but isn't an existing product? Little mobius strip there... that's one of the things about maintaining security is identifying where things could be wrong and take an action that is appropriate.
If anything it seems to me that the 302 followed by 404 for someone that is not a recognized search engine or a bot is more of a misunderstood condition than anything. Why is it a goal to remove the 302 I wonder. It's considered a temporary redirect and in this case the result is a 404 page. Okay, so what say you that the last products_id in the store is 180. Now someone tries 181. Nothing there. So should there be a 301 instead? Oops, now products_id 181 is added, but that's a non-existent product from the previous permanent redirection, so what's going on? Is it really a permanent redirect or is it something that should be temporary?
So regarding the line that carlwhat suggested commenting out, if there still was a true need to prevent a valid visitor (session being started) from receiving a 302 and instead some other status code, then I would actually modify that line to have it provide the desired end status code of choice for a product not existing in the catalog. The modification merely would only require adding a comma and the status code just before the last right parenthesis of that line. I still don't see the value in concerning oneself with the response code seen by such a valid visitor/user.
I expect that as a visitor being issued a session that commenting out the above code will prevent the 302 from being issued, but it also removes any sanitization offered by that line moving forward. So I would suggest if you only want a 404 to be issued to anyone/everyone and everything that visits the site using an invalid/unknown products_id then to change the line to:
Code:
zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']), '404');
It will cause two 404s to be issued to those for which it doesn't matter either way, but at least no 302 and no indicator that it is permanently gone.