What?
A quick note on an .htaccess rewrite rule I'm liking.

What does it do?
What I type:

http://www.mywebsite.com/blog/videos.html
Sends this to server:
http://www.mywebsite.com/index.php?myFolder=blog&myFiles=videos
How?
Options -Indexes +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI}  !index\.php
RewriteCond %{REQUEST_URI} ^/([^\.]+)\/([\w]+)\.html$  [NC]
RewriteRule .*    index.php?myFolder=%1&myFiles=%2    [L]

ErrorDocument 400 /error/?v=400
ErrorDocument 401 /error/?v=401
ErrorDocument 403 /error/?v=403
ErrorDocument 404 /error/?v=404
ErrorDocument 500 /error/?v=500

Additional Notes
If you do apply the above to your site, bear in mind the following is also true:
http://www.mysite.com/blog/pretty_much_anything_i_want_to_type_here.html

--yields
http://www.mysite.com/index.php?myFolder=blog&myFiles=pretty_much_anything_i_want_to_type_here.html
Anything not ending in ".html" will simply return a 404 error. I've included my error rules (they basically redirect to a branded error page).

So I sanitize on the receiving index.php file:
  1. Check for possible Code Injection
  2. Do NOT allow apostrophes or double quotes. Convert them to a numerical representation only if you need to convert them back later (e.g. 034, 039).
  3. Do NOT allow any punctuation you don't use in your site structure. Slashes and underscores /_ are good (so regexp: /[^a-zA-Z0-9_\/]/). If you allow percents (%) or asterisks (*) then you are asking for trouble.
  4. Note my redirect for errors.
  5. Split the first string "myFolder" with the slash (/) as a delimiter, controlling the syntax/format of your site URLs.
For Example
http://www.mysite.com/blog/videos/2010/january/21.html

// sends
index.php?myFolder=blog/videos/2010/january&myFiles=21

Which, hopefully, the PHP file will handle as:
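// Read the rewritten parameters (empty string if missing)
$site_structure_string = $_GET['myFolder'] ?? '';
// Strip everything except letters, digits, underscores and slashes
$site_structure_string = preg_replace('/[^a-zA-Z0-9_\\/]/', '', $site_structure_string);
$site_structure_item = $_GET['myFiles'] ?? '';
$site_structure_array = explode('/', $site_structure_string);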

// yields
$site_structure_array[0] = 'blog'
$site_structure_array[1] = 'videos'
$site_structure_array[2] = '2010'
$site_structure_array[3] = 'january'
$site_structure_item = '21'
And don't forget to redirect the user to an error page or back to the home page if something is amiss.

Oh and the above does NOT allow:
http://www.mysite.com/blog.html
If you want this, I think the rewrite rule is:
RewriteCond %{REQUEST_URI} ^/([\w]+)\.html$  [NC]
But, er, I like that first check (myFolder) that the submitted URL matches the format of your site (and a lot more opportunity to check for malicious code).
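
The checks listed under Additional Notes, written as one validation function. This is an added example, not code from the original post; parse_site_path() and MAX_DEPTH are hypothetical names. It rejects a malformed request outright instead of stripping characters, and it also validates myFiles, because index.php can be requested directly with any query string (the first RewriteCond skips it), so the rewrite pattern alone cannot be the filter.

```php
<?php
// Added example, not the original author's code. MAX_DEPTH and the
// function name parse_site_path() are assumptions for illustration.
const MAX_DEPTH = 6;

/**
 * Validate myFolder/myFiles and return ['folders' => [...], 'item' => '...'],
 * or null if the request does not match the site's URL format.
 */
function parse_site_path(array $query): ?array
{
    $folder = $query['myFolder'] ?? null;
    $item   = $query['myFiles'] ?? null;

    // Arrays (index.php?myFolder[]=x) and missing values are rejected.
    if (!is_string($folder) || !is_string($item)) {
        return null;
    }
    // Reject instead of stripping: one or more [A-Za-z0-9_] segments
    // separated by single slashes, no leading, trailing or empty segment.
    // \z (not $) so a trailing newline cannot slip through.
    if (!preg_match('#\A[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*\z#', $folder)) {
        return null;
    }
    if (!preg_match('#\A[A-Za-z0-9_]+\z#', $item)) {
        return null;
    }
    $folders = explode('/', $folder);
    if (count($folders) > MAX_DEPTH) {
        return null;
    }
    return ['folders' => $folders, 'item' => $item];
}

// Constructed sample inputs, as index.php would see them in $_GET.
$samples = [
    ['myFolder' => 'blog/videos/2010/january', 'myFiles' => '21'],
    ['myFolder' => 'blog//videos',             'myFiles' => '21'],    // empty segment
    ['myFolder' => "blog'videos",              'myFiles' => '21'],    // quote
    ['myFolder' => ['blog'],                   'myFiles' => '21'],    // array parameter
    ['myFolder' => 'blog',                     'myFiles' => '../21'], // dots and slash
];
foreach ($samples as $q) {
    $parsed = parse_site_path($q);
    echo json_encode($q), ' => ',
         $parsed === null ? 'reject (send 404)' : json_encode($parsed), PHP_EOL;
}
```

Only the first sample is accepted; in index.php a null result is where the redirect to the error page belongs.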
