Code:
#1 Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
#2 Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
#3 Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
#4 Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
#5 Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
#6 Send all blocked requests to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
1. Is that really necessary? Isn't this better handled by disabling this feature in php.ini?
3. I like this one... very clever, I think.
4. Isn't this doing the same things as #1?
5. Same as above?
6. Isn't it forwarding the request to index.php?
I'd like the opinion of someone more .htaccess savvy than myself to go over this quickly and agree, disagree and hopefully explain why.
Cheers,
Alex
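
Added example, not part of the original post: a small Python harness that applies the five RewriteCond patterns above to constructed query strings, mirroring the [OR] chain and the [NC] flag, to show which numbered condition each request trips. Python's `re` stands in for Apache's regex engine here, and the function names and sample query strings are assumptions made for the illustration.

```python
import re

# The five RewriteCond patterns from the post, with their flags.
# Apache tests %{QUERY_STRING} as received (not URL-decoded), which is
# why the patterns carry %3D / %3C / %3E alternatives next to = < >.
CONDITIONS = [
    (1, r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    (2, r"base64_encode.*\(.*\)", 0),
    (3, r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),  # [NC]
    (4, r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (5, r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]
COMPILED = [(num, re.compile(pattern, flags)) for num, pattern, flags in CONDITIONS]


def matching_conditions(query_string):
    """Return the numbers of every condition the query string satisfies."""
    return [num for num, rx in COMPILED if rx.search(query_string)]


def is_blocked(query_string):
    """The conditions are chained with [OR], so a single match is enough
    for the RewriteRule to fire and [F] to answer 403 Forbidden."""
    return bool(matching_conditions(query_string))


# Constructed sample query strings (not taken from real traffic).
SAMPLES = [
    "option=com_content&view=article&id=5",
    "mosConfig_absolute_path=value",
    "mosConfig_live_site%3Dvalue",
    "x=base64_encode(abc)",
    "page=%3CScRiPt%3Ex%3C/script%3E",
    "GLOBALS[foo]=1",
    "_REQUEST[option]=com_x",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        verdict = "403" if is_blocked(qs) else "pass"
        print(f"{verdict:4} conditions={matching_conditions(qs)} {qs}")
```
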