mod_rewrite / url / security

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

psurrena
Forum Contributor
Posts: 355
Joined: Thu Nov 10, 2005 12:31 pm
Location: Brooklyn, NY

mod_rewrite / url / security

Post by psurrena »

Couple Questions:
1) If I'm using mod_rewrite, I can no longer use relative links, right?
2) Is this the best method for hard links:

$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])
3) Does this pose any security issues?
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

There's no problem in using relative links; mod_rewrite is completely transparent to the browser. Make sure that <base>'s href attribute is constant throughout your templates.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

If I'm using mod_rewrite, I can no longer use relative links, right?
You can... but if mod_rewrite is simulating folders, they're a bit trickier, and for practical purposes most people make them absolute by prepending the full web root path.
Is this the best method for hard links:
It's buggy, since you're missing the HTTP scheme. (URLs will look like http://www.example.com/folder/stuff and will be resolved relatively). dirname($_SERVER['PHP_SELF']) works reasonably well.

I would, however, recommend that paths to web roots be hard-coded into the configuration. This is the approach that 99% of PHP software takes.
Does this pose any security issues?
Slightly. PHP_SELF can be abused into containing XSS-able characters, so make sure you always escape output using htmlentities().
psurrena
Forum Contributor
Posts: 355
Joined: Thu Nov 10, 2005 12:31 pm
Location: Brooklyn, NY

Post by psurrena »

Thanks for the great responses. In reference to:
I would, however, recommend that paths to web roots be hard-coded into the configuration. This is the approach that 99% of PHP software takes.
Would you suggest building a config file and setting a, for example, $URL variable?
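The following is an added example, not code from any poster in this thread, that puts the advice above together: a hard-coded base URL in a config array, a fallback that builds the absolute URL with an explicit scheme (the bug in the original snippet), a <base> tag so relative links keep working under mod_rewrite, and htmlentities() on every server-derived value before it is echoed. The file name config.php, the $config array, the detect_base_url() and html() helper names and the example.com URL are all assumptions made for this illustration.

```php
<?php
// Assumed to come from a hypothetical config.php: the web root is hard-coded
// once, as recommended above, instead of being derived from request data.
$config = ['base_url' => 'https://www.example.com/myapp']; // constructed sample value

// Fallback for installs that leave base_url unset. The scheme is included
// explicitly: without it the browser treats the string as a relative path.
function detect_base_url(array $server): string
{
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    $host   = $server['HTTP_HOST'];              // comes from the client's Host header
    $path   = dirname($server['PHP_SELF']);      // can carry client-supplied PATH_INFO
    $path   = rtrim(str_replace('\\', '/', $path), '/');
    return $scheme . '://' . $host . $path;
}

// Escape any request-derived value before it reaches HTML. PHP_SELF may
// contain quotes and angle brackets, so this is required wherever it is
// echoed (form action, <base href>, links).
function html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

$base = $config['base_url'] ?? detect_base_url($_SERVER);
?>
<!DOCTYPE html>
<html>
<head>
  <!-- constant base: relative links resolve against it, not the rewritten path -->
  <base href="<?= html($base) ?>/">
</head>
<body>
  <!-- relative link still works under mod_rewrite's simulated folders -->
  <a href="about.html">About</a>
  <!-- self-submitting form: PHP_SELF is escaped, never echoed raw -->
  <form method="post" action="<?= html($_SERVER['PHP_SELF']) ?>">
    <button>Submit</button>
  </form>
</body>
</html>
```

The detection fallback is only for convenience: both HTTP_HOST and PHP_SELF are taken from the request, so a configured base_url is the value to rely on, and the escaping in html() is needed regardless of which path produced the URL.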