matt.farey at gmail
Jul 23, 2008, 5:54 PM
Post #3 of 3
(256 views)
Permalink
|
if the "header file is read in by php" means that it is an include,
that doesnt matter
it is the form of the URL that the user_agent requests that matters
so say the user_agent requests index.php, then that php file includes
header.html
and that the resulting HTML is something like
<link type="text/css".... href="/styles/stuff.css" />
<script type"=text/javascript" ... href="/scripts/stuff.js"></script>
the user_agent will make a GET request to the server of
http://2ndlevel.example.com/styles/stuff.css
http://2ndlevel.example.com/scripts/stuff.css
which will be picked up by your rewrite rule and will become
http://2ndlevel.example.com/index.php?st=styles&sc=stuff.css
so either your index.php must know how to send the appropriate
content-type header (and other headers: caching, etag, etc...)
or you must adjust the conditions under which the rewrite rule will
fire to prevent such content from being handled by your script.
Usually you only want to redirect non-existent-directories and
non-existent-files to your index,php handler, so you can do this using
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]+)/([^/]+) /index.php?st=$1&sc=$2 [NC]
or by adjusting your regular expression to be more specific, either to
only include certain URLs, or to exclude certain URLs, the choice is
yours, but at present your ([^/]+) is insufficent, as it only looks at
structure of the URL, not whether the specific resource should be
passed via the script, so for instance it would redirect
http://2ndlevel.example.com/blah/'%20OR1=1
to
http://2ndlevel.example.com/index.php?st=blah&sc='%20OR1=1
which might not be what you are expecting.
I would certainlu concentrate on whitelisting in your URL rewriterule,
being quite specific (more specific than just checking for
nonexistence) and then be double sure your php file only handles
legitimate types of request, because now you are shortcircuiting some
of the hard won apache handling with your own code.
you could for instance do
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^([^/]+)/\.(css|html?|js)$ /index.php?st=$1&sc=.$2 [NC]
which still requires filtering but only acts on URLs that end with
certain file extensions.
Hope that helps.
On Wed, Jul 23, 2008 at 10:48 PM, Skip Evans <skip[at]bigskypenguin.com> wrote:
> Hey all,
>
> I'm new to the list and am having some issues with a RewriteRule I've
> applied in an .htaccess file. Or perhaps not the rule, but with using
> .htaccess in general.
>
> What I wanted to do was allow users to enter a URL like the following:
>
> http://varsitybeat.com/wi/madison
>
> and then have my PHP/MySQL application receive this URL in the index.php
> file, and then get the wi and madison values from the $_GET array.
>
> To do this I have the following in the .htaccess file.
>
> Options +FollowSymlinks
> RewriteEngine on
> RewriteRule ^([^/]+)/([^/]+) /index.php?st=$1&sc=$2 [NC]
>
> And this is successful in accomplishing the goal.
>
> In the index.php file I can use
>
> $_GET['st'] to get 'wi', and $_GET['sc'] to get madison, if someone enters
> the URL
>
> http://varsitybeat.com/wi/madison
>
> into their browser. The problem I have now, though, and that really
> surprises me, is that if this .htaccess file is in place, the application no
> longer picks up its style.css (cascading style sheet), or the JavaScript
> AJAX files, which are included in a header.html file that index.php reads
> in.
>
> How exactly the style sheet and JS files are read in is not anything
> unusual, just the regular syntax in the <head> section of an html file.
>
> But the main point is that when the .htaccess file is in place, they are not
> accessed, and when it is not they are.
>
> Can anyone direct me where to begin researching this kind of issue? I'm at a
> bit of a loss where to begin.
>
> Thanks!
>
> --
> Skip Evans
> Big Sky Penguin, LLC
> 503 S Baldwin St, #1
> Madison, WI 53703
> 608-250-2720
> http://bigskypenguin.com
> =-=-=-=-=-=-=-=-=-=
> Check out PHPenguin, a lightweight and versatile
> PHP/MySQL, AJAX & DHTML development framework.
> http://phpenguin.bigskypenguin.com/
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe[at]httpd.apache.org
> " from the digest: users-digest-unsubscribe[at]httpd.apache.org
> For additional commands, e-mail: users-help[at]httpd.apache.org
>
>
--
Matthew Farey
w: +44(0)208 4200200 (ext 2181)
bb: +44(0)7500802481
m: +44(0)7773465550
(sms to my laptop): +44(0)7917368497
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe[at]httpd.apache.org
" from the digest: users-digest-unsubscribe[at]httpd.apache.org
For additional commands, e-mail: users-help[at]httpd.apache.org
|
