Tuesday, January 13, 2009

Add Security to your PHP projects using .htaccess file

Some days back I published an article about SQL injection, which included only a very small discussion of the .htaccess file. After lots of requests, I am publishing this article on using the .htaccess file to add more security to your PHP application.

In this tutorial I want to explain hiding .php extensions and URL rewriting. Both improve the quality of your web project, and they also remove information from your URLs (the file extension, and with it the server-side language) and give you a clean, allowlisted URL scheme at the web server.


Making the .htaccess file

Very simple: open any editor, such as Notepad, and save the file as .htaccess, typing the name within double quotes (".htaccess") so the editor does not append a .txt extension. Upload this file to the root folder of your hosting (the document root). Note that .htaccess is an Apache feature: it works wherever Apache runs (on any operating system, not only Unix-based hosts) and not on IIS, and only if the server configuration permits it. With AllowOverride None the file is silently ignored, and if mod_rewrite is not loaded or the FileInfo override is not allowed, every request to that folder fails with a 500 Internal Server Error.

Download Sample .htaccess File

Hide .php extension with URL Rewriting

For example, if we want our project to have extension-less URLs like the Twitter API (note: the Twitter API was developed in Ruby on Rails, which is why its URLs carry no file extension).

Add the following code to your .htaccess file. The condition makes Apache rewrite /about to about.php only when about.php actually exists, so requests for real files and directories are left alone and a request for about.php itself does not loop to about.php.php:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.*)$ $1.php [L]

We can also make index.php answer under another extension, such as index.html, index.asp or index.sri.

The code below maps a request for any .html URL to the .php file of the same name:
RewriteEngine On
RewriteRule ^(.*)\.html$ $1.php [L]
If you want a .asp extension, just replace html with asp. Bear in mind that this only hides the language from the address bar: PHP still announces itself through the X-Powered-By response header (unless expose_php is set to Off in php.ini) and through the default PHPSESSID session cookie name, so treat the renamed extension as tidiness rather than protection.


Redirecting www URLs to the non-www URL

If you type www.twitter.com in the browser, it is redirected to twitter.com. The rules below do the same for srinivas.com: the condition matches only the www host (dots escaped, anchored at both ends, case-insensitive), and the rule sends a permanent (301) redirect to the bare domain while keeping the requested path; the query string is carried over automatically because the substitution has none of its own. Serving the site under one canonical host also keeps your cookies scoped to a single host name.

Add the following code:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.srinivas\.com$ [NC]
RewriteRule ^(.*)$ http://srinivas.com/$1 [R=301,L]


Rewriting 'site.com/profile.php?username=foxscan' to 'site.com/foxscan'

My Twitter profile is http://twitter.com/foxscan. The original link passes a GET value (http://twitter.com/profile.php?username=foxscan), but that URL is ugly in the browser address bar, so for user-friendliness we can change it like this.



If you want to change it like this, see the code below. The two conditions skip real files and directories so that index.php, images and so on are not treated as usernames, the optional trailing slash folds both URL forms into one rule, and the character class only admits letters, digits, underscore and hyphen:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-zA-Z0-9_-]+)/?$ profile.php?username=$1 [L]

Note that the character class in the rule is not input validation for profile.php: the old URL http://site.com/profile.php?username=... still works and accepts any value, so profile.php must validate and escape the username itself, as described in the SQL injection article.
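As an added example (not the original tutorial's code), here is a profile.php written to go with the rewrite rule above. It enforces the same username allowlist in PHP, so a direct request to profile.php?username=... cannot smuggle in anything the pretty URL would have rejected; it sends a 301 from the old profile.php URL to the pretty form so only one address circulates; and it looks the user up with a PDO prepared statement and escapes on output. The SQLite database, the users table with username and bio columns, and the 30-character length limit are assumptions made for this example.

```php
<?php
// profile.php: added example, not the original tutorial's code.
// The RewriteRule only lets [a-zA-Z0-9_-]+ through as a pretty URL, but
// http://site.com/profile.php?username=... still reaches this script directly,
// so the script must enforce the same allowlist itself.
declare(strict_types=1);

// Same character class as the .htaccess rule; the 1..30 length is an assumption.
const USERNAME_RE = '/\A[A-Za-z0-9_-]{1,30}\z/';

function isValidUsername(string $u): bool
{
    return preg_match(USERNAME_RE, $u) === 1;
}

// Look the user up with a prepared statement: the value is bound, never
// concatenated into the SQL, so the injection from the earlier article cannot happen.
// The "users" table and its "username"/"bio" columns are assumptions for this example.
function loadProfile(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT username, bio FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$username = $_GET['username'] ?? '';
if (!isValidUsername($username)) {
    // Invalid or missing name: a plain 404, without echoing the input back.
    http_response_code(404);
    exit('Not found');
}

// After an internal rewrite of /foxscan, REQUEST_URI is still "/foxscan".
// Only a direct hit on the old URL starts with "/profile.php"; send it once
// to the canonical pretty URL (safe to put in a header: $username is allowlisted).
if (strncmp($_SERVER['REQUEST_URI'] ?? '', '/profile.php', 12) === 0) {
    header('Location: /' . $username, true, 301);
    exit;
}

// Assumed DSN for the example; use your own connection settings.
$pdo = new PDO('sqlite:' . __DIR__ . '/site.db');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$profile = loadProfile($pdo, $username);
if ($profile === null) {
    http_response_code(404);
    exit('Not found');
}

// Escape on output so a bio containing "<script>" is displayed, not executed.
echo '<h1>@', htmlspecialchars($profile['username'], ENT_QUOTES, 'UTF-8'), '</h1>';
echo '<p>', htmlspecialchars($profile['bio'], ENT_QUOTES, 'UTF-8'), '</p>';
```

The order matters: validation comes before the redirect, so a request like profile.php?username=%0d%0a... is answered with a 404 instead of being copied into a Location header.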


If you have any suggestions, post a comment.

Comments
17 comments
Ryan McGovern said...

Good, but you should put it into the Apache conf for speed; the .htaccess gets read on each request and must be parsed each time.

Robert van der Linde said...

I am curious how this method improves security? It makes for a cleaner application, but does not make your application any safer.

Rocky1138 said...

I suppose in some ways masking what file extension you're using, thereby masking what language you're using, helps to throw would-be attackers off your tracks. I agree though, these are just general tips and tricks. A good read for sure, but not a lot to do with security.

Timothy Takemoto said...

How about adding
php_flag register_globals 0
php_flag allow_url_fopen 0
to improve security.

Anymore along these lines?

Rahul said...

Nice article on .htaccess usage. It is really helpful to make your site cleaner, but there is nothing for security. Anyway, thanks.

studyphotoshopinmalayalam said...

Friend,

You gave a nice explanation, but my problem is that my server returns error 500 when I'm using this .htaccess. What could be the reason? Do I have to save my .php files as .asp when I'm using rewriting?

Srinivas Tamada said...

@studyphotoshopinmalayalam

500 Internal Server Error: it's not your fault. If you upload or delete .htaccess or any server files more than 5 times, this 500 page will appear.

Solution: immediately take a backup, delete all the files on the server (no subfolders in htdocs) and upload them freshly.

Wim said...

Good tutorial Srinivas.

Srinivas Tamada said...

@ Wim

Thank You

ram said...

It's a good tutorial. Using this I could make my URL http://ssss.com/japan

But can you please tell me how to pass 2 parameters, like http://ssss.com/japan/tokio?

Kristoffer Nilsen said...

@ram :

RewriteRule ^japan/?([a-zA-Z0-9]+)?/?([0-9]+)?/?$ /japan.php?adid=$1&pid=$2

Srinivas Tamada said...

@Kristoffer Nilsen

Thank You. It's helpful.

Ibrahim Azhar said...

Great post. I'll try it out today.

GSingh said...

Very nice post!!

Can I do something like:
http://someHost:8888/someApp?param1=1&param2=2

to

http://someOtherHost/someOtherApp?param1=1&param2=2

Anonymous said...

I tried your tutorial in many ways, but no luck; I could not get it to work. I'm still having a problem with the pretty URL. Can you help me turn the URL below into a clean URL, please?

http://freedomoclock.org/movies.php?cat=Animation

like --> http://freedomoclock.org/Animation/

Israel said...

Thanks so much Srinivas, you're so kind :)

Adrian said...

Thank you very much!
