mod_rewrite / url / security
Posted: Tue Jun 12, 2007 1:43 pm
by psurrena
Couple Questions:
1) If I'm using mod_rewrite, I can no longer use relative links, right?
2) Is this the best method for hard links:
$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])
3) Does this pose any security issues?
Posted: Tue Jun 12, 2007 5:29 pm
by aaronhall
There's no problem in using relative links; mod_rewrite is completely transparent to the browser. Make sure that <base>'s href attribute is constant throughout your templates.
Posted: Tue Jun 12, 2007 6:59 pm
by Ambush Commander
If I'm using mod_rewrite, I can no longer use relative links, right?
You can... but if mod_rewrite is simulating folders, they're a bit trickier, and for practical purposes most people make them absolute by prepending the full web root path.
Is this the best method for hard links:
It's buggy, since you're missing the HTTP scheme. (URLs will look like http://www.example.com/folder/stuff and will be resolved relatively). dirname($_SERVER['PHP_SELF']) works reasonably well.
I would, however, recommend that paths to web roots are hard-coded into the configuration. This is the approach that 99% of PHP software takes.
Does this pose any security issues?
Slightly. PHP_SELF can be abused into containing XSS-able characters, so make sure you always escape output using htmlentities().
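An added example, not part of the original thread: a sketch of the hard-coded web root suggested in the reply above, next to the PHP_SELF escaping it recommends. BASE_URL, url_for() and e() are hypothetical names, and the PHP_SELF value is constructed for illustration.

```php
<?php
// Added example. BASE_URL, url_for() and e() are hypothetical names.

// config.php: the web root is written once, scheme included (placeholder value).
// Nothing here is read from HTTP_HOST or PHP_SELF, which the client influences.
const BASE_URL = 'http://www.example.com/folder/';

// Build an absolute link from the configured root, never from request data.
function url_for(string $path, array $query = []): string
{
    // Encode each path segment separately so the "/" separators survive.
    $segments = array_map('rawurlencode', explode('/', ltrim($path, '/')));
    $url = BASE_URL . implode('/', $segments);
    if ($query) {
        $url .= '?' . http_build_query($query);
    }
    return $url;
}

// Escape at output time for an HTML attribute or text node.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed request value: PHP_SELF includes any trailing path info
// that the client appended after the script name.
$_SERVER['PHP_SELF'] = '/folder/index.php/"><b>injected</b>';

// Unescaped: the quote closes the attribute and the markup reaches the page.
$raw = '<form action="' . $_SERVER['PHP_SELF'] . '">';

// Escaped: the whole value stays inside the attribute as inert text.
$escaped = '<form action="' . e($_SERVER['PHP_SELF']) . '">';

// Configured root: request data never enters the URL at all.
$link = '<a href="' . e(url_for('articles/my post', ['page' => 2])) . '">next</a>';

echo $raw, "\n", $escaped, "\n", $link, "\n";
```

Running it with the PHP command-line interpreter prints the three variants so the unescaped and escaped attribute values can be compared directly.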
Posted: Tue Jun 12, 2007 11:40 pm
by psurrena
Thanks for the great responses. In reference to:
I would, however, recommend that paths to web roots are hard-coded into the configuration. This is the approach that 99% of PHP software takes.
Would you suggest building a config file and setting a, for example, $URL variable?