Wall Script
Follow Me:
Tuesday, January 13, 2009

Add Security to your PHP projects using .htaccess file

Some days back I published an article about SQL Injection. In this article very small discussion about .htaccess file. After lots of requests I publish this article to add more security to your php application using .htaccess file.

In this tutorial I want to explain about hiding .php extensions and URL rewriting. So improve your Web projects security and quality.

Making .htaccess file

Very simple open any editor like notepad just file save as into .htaccess with in double quotations(".htacess"). You have to upload this file in to hosting root folder, my experience .htaccess file supports only Unix based servers.

Download Sample .htaccess File

Hide .php extension with URL Rewriting

For example if we want to project like Twitter API URLs (Note: Twitter API Developed in Ruby on Rails)

Add this following code in your .htaccess file
RewriteEngine on

RewriteRule ^(.*)\$ $1.php

We can Rewrite index.php into index.html,index.asp,index.sri also

Below code for index.php to index.html
RewriteEngine on

RewriteRule ^(.*)\.html$ $1.php
If you want .asp extension just replace html to asp

Redirecting www URL to non www URL

If you type www.twitter.com in browser it will be redirected to twitter.com.

Add this Following Code:
RewriteEngine On

RewriteCond %{HTTP_HOST} ^www.srinivas.com

RewriteRule (.*) http://srinivas.com/$1 [R=301,L]

Rewriting 'site.com/profile.php?username=foxscan' to 'site.com/foxscan'

My twitter profile http://twitter.com/foxscan its original link passing GET values (http://twitter.com/profile.php?username=foxscan) but this URL is ugly in browser address bar, For user friendly we can change like this.

If you want change like this see the below code
RewriteEngine On

RewriteRule ^([a-zA-Z0-9_-]+)$ profile.php?username=$1

RewriteRule ^([a-zA-Z0-9_-]+)/$ profile.php?username=$1

Download Sample .htaccess File

If any suggestions post a Comment.

Ryan McGovern said...

Good but you should put it in to the apacheconf for speed the .htaccess gets read each request and must be parsed each time.

Robert van der Linde said...

I am curious how this method improves security? It makes for a cleaner application, but does not make your application any safer.

Rocky1138 said...

I suppose in some ways masking what file extension you're using, thereby masking what language you're using, helps to throw would-be attackers off your tracks. I agree though, these are just general tips and tricks. A good read for sure, but not a lot to do with security.

Timothy Takemoto said...

How about adding
php_flag register_globals 0
php_flag allow_url_fopen 0
to improve security.

Anymore along these lines?

Rahul said...

Nice Article on .htaccess usage. It is really helpful to make your site cleaner but there is nothing for security. Anyway Thanks

studyphotoshopinmalayalam said...


u gave a nice explanation, but my prob is that my server returns error 500 when I'm using this .htaccess. What could be the reason..do i want to save my .php files to .asp when im using rewriting

Srinivas Tamada said...


500 internal server It's not your fault. If u upload or delete .htaccess or any server files more times 5 times this 500 page will appear.

Solution : Immediately take back-up and delete all the files in server (no subfolders in htdocs) and freshly upload.

Wim said...

Good tutorial Srinivas.

Srinivas Tamada said...

@ Wim

Thank You

ram said...

Its a good tutorial.. using this i could make my url as http://ssss.com/japan

but can you please tell me how to pass 2 parameters like http://ssss.com/japan/tokio

Kristoffer Nilsen said...

@ram :

RewriteRule ^japan/?([a-zA-Z0-9]+)?/?([0-9]+)?/?$ /japan.php?adid=$1&pid=$2

Srinivas Tamada said...

@Kristoffer Nilsen

Thank You. It's helpful.

Ibrahim Azhar said...

Great Post....ill try it out. today...

GSingh said...

Very nice post !!

Can I do something like:



Anonymous said...

I tried your tutorial in many way, but no luck I could not pass it through. Still having problem with the pretty url. Can you help me out this below url to clean url please.


like --> http://freedomoclock.org/Animation/

Israel said...

thank so much Srinivas, youre so kind :)

Adrian said...

thank you very much !

Khan said...

dont need using rewrite to change the extension of php or any extension to other ext.
Just use this.
AddType application/x-httpd-php .whateveryouwant

Anonymous said...

I use such type of file extensions like index.php , admissions.php etc on the server. But i want to display in url as index/ and admissions/ etc. And when user type index.php then error comes page not found.
Plz give reply as soon as possible.

Supun Praneeth said...

Hey sirinivas,

if there is folder calld "image" in my main folder how i use this?

this is my image folder

if i create username called "image" how i ignore image folder?Hey sirinivas,

if there is folder calld "image" in my main folder how i use this?

this is my image folder

if i create username called "image" how i ignore image folder?

Srinivas Tamada said...


You have to restrict some words like "image","help","blog","admin".... while user registration. For admin use

Anonymous said...

i m using win-XP with zend server ... htaccess doesnt work ... what to do .. i test it on localhost....

Anonymous said...

Love this tutorial heaped me a lot :)

vijay sinh parmar said...

Hi Anonymous..!!!
RewriteEngine On
RewriteRule ^([^_]*)$ /movies.php?cat=$1 [L]

Naren falcao said...

awesome tut :):) i'm benefitted :)

Anonymous said...

Nice ! Fantastic...

Arun kumar said...

hi srinivas,

how to pass the url like test.php?id=1000 in get methode. than how to crete this url in htacess file

Arun kumar said...

in get methode how to hide php extension in htacess

vydyabhushana siddhu said...

thanq srinivas garu , very valuable information

Khushal Bhalsod said...

.htaccess not work in localhost

Satish Kumar said...

hi srinivas ,

can i use htaccess like

www.example.com/demo to www.demo.example.com

is it possible?

Ramya said...

Thanks for the tutorial on htaccess file..

vineet chauhan said...

I am download .htaccess file and put in my directory where i take my project but i don't re-write my file url please help me!!!

Anonymous said...

thank you for the tutorial..

Sagar Patil said...

Thank you for this post.
Can you please tell me about how it work on localhost.

Khadar Basha said...

hi srinivas,

when ever the user enter index.php or index.html in this the open
i need only index.php
when the user enter index.php it's redirect to index.html
please help me

Kaustubh Bhujbal said...

Thank you for this post.
But I want to ask that the field in url 'username' is it database field?

Anonymous said...

i am still confuse ...about the passing variable with URL without its name...only value i want to display..

sabari g said...

thank you

Athar Ahmed said...

Hy thanks for sharing this amazing and great tip. This is great Security Tip which works for me

Post a Comment