A quick note on a htaccess rewrite rule I'm liking.
What does it do?
What I type: Sends this to server:
copyraw
How?http://www.mywebsite.com/index.php?myFolder=blog&myFiles=videos
- http://www.mywebsite.com/index.php?myFolder=blog&myFiles=videos
copyraw
Options -Indexes +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !index.php
RewriteCond %{REQUEST_URI} ^/([^\.]+)\/([\w]+).html [NC]
RewriteRule .* index.php?myFolder=%1&myFiles=%2 [L]
ErrorDocument 400 /error/?v=400
ErrorDocument 401 /error/?v=401
ErrorDocument 403 /error/?v=403
ErrorDocument 404 /error/?v=404
ErrorDocument 500 /error/?v=500
- Options -Indexes +FollowSymlinks
- RewriteEngine On
- RewriteBase /
- RewriteCond %{REQUEST_URI} !index.php
- RewriteCond %{REQUEST_URI} ^/([^\.]+)\/([\w]+).html [NC]
- RewriteRule .* index.php?myFolder=%1&myFiles=%2 [L]
- ErrorDocument 400 /error/?v=400
- ErrorDocument 401 /error/?v=401
- ErrorDocument 403 /error/?v=403
- ErrorDocument 404 /error/?v=404
- ErrorDocument 500 /error/?v=500
Additional Notes
If you do apply the above to your site, bear in mind the following is also true:
copyraw
Anything not ending in ".html" will simply return a 404 error. I've included my error rules (they basically redirect to a branded error page).http://www.mysite.com/blog/pretty_much_anything_i_want_to_type_here.html --yields http://www.mysite.com/index.php?myFolder=blog&myFiles=pretty_much_anything_i_want_to_type_here.html
- http://www.mysite.com/blog/pretty_much_anything_i_want_to_type_here.html
- --yields
- http://www.mysite.com/index.php?myFolder=blog&myFiles=pretty_much_anything_i_want_to_type_here.html
So I sanitize on the receiving index.php file:
- Check for possible Code Injection
- Do NOT allow the use of apostrophe or double-quotes, convert these to a numerical representation only if you need to convert them back later (eg. 034, 039).
- Do NOT allow any punctuation you don't use in your site structure. Slashes and underscores /_ are good (so regexp: /[^a-zA-Z0-9_\/]/). If you allow percents (%) or apostrophes (*) then you are asking for trouble.
- Note my redirect for errors.
- Split the first string "myFolder" with the slash (/) as a delimiter, controlling the syntax/format of your site URLs.
copyraw
Which, hopefully, the PHP file will handle as:
http://www.mysite.com/blog/videos/2010/january/21.html // sends index.php?myFolder=blog/videos/2010/january&myFiles=21
- http://www.mysite.com/blog/videos/2010/january/21.html
- // sends
- index.php?myFolder=blog/videos/2010/january&myFiles=21
copyraw
And don't forget to redirect the user to an error page or back to the home page if something is amiss.var $site_structure_string = $_GET['myFolder'];
$site_structure_string = preg_replace('/[^a-zA-Z0-9_\\/]/', '', $site_structure_string);
var $site_structure_item = $_GET['myFiles'];
var $site_structure_array = explode('/', $site_structure_string);
// yields
$site_structure_array[0] = 'blog'
$site_structure_array[1] = 'videos'
$site_structure_array[2] = '2010'
$site_structure_array[3] = 'january'
$site_structure_item = '21'
- var $site_structure_string = $_GET['myFolder'];
- $site_structure_string = preg_replace('/[^a-zA-Z0-9_\\/]/', '', $site_structure_string);
- var $site_structure_item = $_GET['myFiles'];
- var $site_structure_array = explode('/', $site_structure_string);
- // yields
- $site_structure_array[0] = 'blog'
- $site_structure_array[1] = 'videos'
- $site_structure_array[2] = '2010'
- $site_structure_array[3] = 'january'
- $site_structure_item = '21'
Oh and the above does NOT allow: If you want this, I think the rewrite rule is:
copyraw
But, er, I like that first check (myFolder) that the submitted URL matches the format of your site (and a lot more opportunity to check for malicious code).RewriteCond %{REQUEST_URI} ^/([\w]+).html [NC]
- RewriteCond %{REQUEST_URI} ^/([\w]+).html [NC]
Category: Personal Home Page :: Article: 520
