Add Security to your PHP projects using .htaccess file
Tuesday, January 13, 2009


Some days back I published an article about SQL Injection, and it contained only a very small discussion of the .htaccess file. After lots of requests, here is a dedicated article on using .htaccess to add more security to your PHP application.

In this tutorial I explain how to hide .php extensions and rewrite URLs, which improves the quality of your web projects. Be clear about what this buys you: hiding the extension only conceals which language the site runs, it does not fix any vulnerability in the PHP itself, so the scripts behind the rewritten URLs must still validate their input exactly as before.


Making .htaccess file

Very simple: open any editor such as Notepad and save the file as .htaccess, typing the name within double quotes (".htaccess") so the editor does not append a .txt extension. Upload this file to the root folder of your hosting account. .htaccess is an Apache feature: it only takes effect where the server configuration allows overrides (AllowOverride), and the rules below need mod_rewrite enabled. That is why it works on typical Unix/Linux hosting and not on other web servers.

Download Sample .htaccess File

Hide .php extension with URL Rewriting

For example, if we want our project to have URLs like the Twitter API's (note: the Twitter API is developed in Ruby on Rails, so its URLs carry no .php extension).


Add the following code to your .htaccess file. The RewriteCond lines matter: they make the rule fire only when the requested path is not an existing file or directory and a matching .php file does exist. Without them every request (images and CSS included) is rewritten, and the rule loops on itself (about becomes about.php, then about.php.php, and so on) until Apache gives up with a 500 Internal Server Error.
RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.*)$ $1.php [L]

We can also rewrite index.php to index.html, index.asp, index.sri and so on: the browser shows the .html URL while Apache serves the PHP file.


Below is the code for index.php to index.html:
RewriteEngine On

RewriteRule ^(.*)\.html$ $1.php [L]
If you want a .asp extension, just replace html with asp.


Redirecting www URL to non www URL

If you type www.twitter.com in the browser, it is redirected to twitter.com. The rules below do the same for srinivas.com.


Add the following code. The dots in the host name are escaped because the condition is a regular expression, the $ anchor stops it from matching a longer host name, and NC makes the match case-insensitive:
RewriteEngine On

RewriteCond %{HTTP_HOST} ^www\.srinivas\.com$ [NC]

RewriteRule ^(.*)$ http://srinivas.com/$1 [R=301,L]


Rewriting 'site.com/profile.php?username=foxscan' to 'site.com/foxscan'

My Twitter profile is http://twitter.com/foxscan. The underlying link passes GET values (http://twitter.com/profile.php?username=foxscan), but that URL is ugly in the browser address bar, so for user-friendliness we can change it like this.



If you want to change it like this, see the code below. The character class [a-zA-Z0-9_-] limits what reaches profile.php, the trailing /? accepts both site.com/foxscan and site.com/foxscan/, and the two RewriteCond lines stop the rule from swallowing existing files and directories (a real folder such as /image would otherwise be served as a profile). If you combine this with the extension-hiding rule above, put that rule first so that /about reaches about.php before the profile rule is tried.
RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-zA-Z0-9_-]+)/?$ profile.php?username=$1 [L,QSA]

profile.php must still validate the username: the rule restricts characters, but the script remains reachable directly as profile.php?username=..., so the pattern is not a substitute for checks in the PHP.
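As an added example (not code from the original post), here is a profile.php that could sit behind the rule above. It assumes a users table with id, username and bio columns, placeholder PDO connection details, and a site that has real /image, /admin, /help and /blog paths which must therefore be refused as usernames; all of those are assumptions. The rewrite rule only limits which characters can arrive through the pretty URL, and nothing stops a visitor from calling profile.php?username=... directly, so the script does its own validation, uses a prepared statement, and escapes on output:

```php
<?php
// profile.php: the script behind  RewriteRule ^([a-zA-Z0-9_-]+)/?$ profile.php?username=$1
//
// Added example, not code from the original post. The rewrite rule restricts the
// characters that reach this script through the pretty URL, but the script is still
// reachable directly as /profile.php?username=..., so every check has to live here.
declare(strict_types=1);

// Same character class as the RewriteRule plus a length cap; keep the two in sync.
const USERNAME_PATTERN = '/\A[a-zA-Z0-9_-]{1,30}\z/';

// Assumption: the site has real paths /image, /admin, /help and /blog. A user named
// "image" would shadow that directory, so these names are refused here and must also
// be refused at registration time.
const RESERVED_NAMES = ['image', 'admin', 'help', 'blog', 'profile', 'index'];

function validUsername(string $name): bool
{
    return preg_match(USERNAME_PATTERN, $name) === 1
        && !in_array(strtolower($name), RESERVED_NAMES, true);
}

function findUser(PDO $db, string $username): ?array
{
    // Prepared statement: the value is bound, never concatenated into the SQL.
    // validUsername() already rejects quotes, but binding keeps the query safe
    // even if that pattern is loosened later.
    $stmt = $db->prepare('SELECT id, username, bio FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function notFound(): void
{
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo "No such profile\n";
    exit;
}

// ?username[]=x arrives as an array; reject anything that is not a plain string.
$username = $_GET['username'] ?? '';
if (!is_string($username) || !validUsername($username)) {
    notFound();
}

// Assumed connection details; replace with the real DSN and credentials.
$db = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8mb4',
    'site_user',
    'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$user = findUser($db, $username);
if ($user === null) {
    notFound();
}

header('Content-Type: text/html; charset=utf-8');
// Escape on output too: the username came from the URL and the bio from the database.
printf(
    "<h1>%s</h1>\n<p>%s</p>\n",
    htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars((string) ($user['bio'] ?? ''), ENT_QUOTES, 'UTF-8')
);
```

The reserved-name list is the server-side half of the collision problem: the RewriteCond lines keep an existing /image directory from being rewritten, but only the registration code and this check keep a user from claiming that name in the first place.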


If you have any suggestions, post a comment.


48 comments:

  1. Good, but you should put it into the Apache config for speed: the .htaccess gets read on each request and must be parsed each time.
  2. I am curious how this method improves security? It makes for a cleaner application, but does not make your application any safer.

  3. I suppose in some ways masking what file extension you're using, thereby masking what language you're using, helps to throw would-be attackers off your tracks. I agree though, these are just general tips and tricks. A good read for sure, but not a lot to do with security.

  4. How about adding
    php_flag register_globals 0
    php_flag allow_url_fopen 0
    to improve security.

    Anymore along these lines?

  5. Nice Article on .htaccess usage. It is really helpful to make your site cleaner but there is nothing for security. Anyway Thanks

  6. Friend,

    You gave a nice explanation, but my problem is that my server returns error 500 when I'm using this .htaccess. What could be the reason? Do I have to save my .php files as .asp when I'm using rewriting?
  7. @studyphotoshopinmalayalam

    500 Internal Server Error: it's not your fault. If you upload or delete .htaccess or any server files more than 5 times, this 500 page will appear.

    Solution: Immediately take a back-up and delete all the files on the server (no subfolders in htdocs) and upload them freshly.
  8. It's a good tutorial.. using this I could make my URL http://ssss.com/japan

    but can you please tell me how to pass 2 parameters like http://ssss.com/japan/tokio
  9. @ram :

    RewriteRule ^japan/?([a-zA-Z0-9]+)?/?([0-9]+)?/?$ /japan.php?adid=$1&pid=$2

  10. @Kristoffer Nilsen

    Thank You. It's helpful.

  11. Great Post....ill try it out. today...

  12. Very nice post !!

    Can I do something like:
    http://someHost:8888/someApp?param1=1&param2=2

    to

    http://someOtherHost/someOtherApp?param1=1&param2=2

  13. I tried your tutorial in many ways, but no luck, I could not get it to work. Still having a problem with the pretty URL. Can you help me make the URL below a clean URL please.

    http://freedomoclock.org/movies.php?cat=Animation

    like --> http://freedomoclock.org/Animation/

  14. thanks so much Srinivas, you're so kind :)
  15. You don't need to use rewrite to change the extension of php or any extension to another ext.
    Just use this.
    AddType application/x-httpd-php .whateveryouwant
  16. I use file extensions like index.php, admissions.php etc. on the server. But I want to display them in the URL as index/ and admissions/ etc. And when the user types index.php then a page not found error should come.
    Please reply as soon as possible.
  17. Hey Srinivas,

    if there is a folder called "image" in my main folder, how do I use this?

    Ex:
    this is my image folder
    www.mydomain.com/image

    if I create a username called "image", how do I ignore the image folder?
  18. @supun

    You have to restrict some words like "image","help","blog","admin".... during user registration. For admin use
  19. I'm using Win-XP with Zend Server ... htaccess doesn't work ... what to do .. I test it on localhost....
  20. Love this tutorial, helped me a lot :)
  21. Hi Anonymous..!!!
    RewriteEngine On
    RewriteRule ^([^_]*)$ /movies.php?cat=$1 [L]

  22. awesome tut :):) I'm benefited :)
  23. Nice ! Fantastic...

  24. hi srinivas,

    how to pass a URL like test.php?id=1000 in the GET method? Then how to create this URL in the htaccess file
  25. in the GET method, how to hide the php extension in htaccess
  26. Thank you Srinivas garu, very valuable information
  27. hi srinivas ,

    can I use htaccess like

    www.example.com/demo to www.demo.example.com

    is it possible?

  28. Thanks for the tutorial on htaccess file..

  29. I downloaded the .htaccess file and put it in the directory where I keep my project, but it doesn't rewrite my file URL. Please help me!!!
  30. thank you for the tutorial..

  31. Thank you for this post.
    Can you please tell me how it works on localhost.
  32. hi srinivas,

    whenever the user enters index.php or index.html, the page opens
    I need only index.php
    when the user enters index.php it should redirect to index.html
    please help me
  33. Thank you for this post.
    But I want to ask whether the field 'username' in the URL is a database field?
  34. I am still confused... about passing a variable with the URL without its name... I want to display only the value..
    Thanks
  35. Hi, thanks for sharing this amazing and great tip. This is a great security tip which works for me
  36. RewriteRule ^details/([a-zA-Z0-9_-]+)$ details.php?id=$1
    RewriteRule ^details/([a-zA-Z0-9_-]+)/$ details.php?id=$1

    url like this http://localhost/myproject/details/10

    output comes but my project css breaks...
    Please reply with some suggestion
    Replies
    1. Please maintain the base URL for CSS.

    2. But how can I maintain the CSS base URL... please refer me to some code
  37. I got the solution Srinivas...
    in the head tag use a base tag like this... my project CSS works fine

    <base href="http://localhost/myproject/" />
  38. The above file doesn't work on my website, what do I do.. please guide
  39. Hello!

    I noticed that when I used the code, all the other pages on the website could not appear.

    Any help on limiting this to only the profile page whilst other pages can be displayed as well?

    Thanks buddy. It was an awesome read

