.htaccess
Topic Started: Dec 24 2008, 08:32 AM (208 Views)
bustya
Here are a few .htaccess tricks (for Linux servers only). Simply create a text file and name it ".htaccess".
You can use just one in your root, or drop a specialized .htaccess in a given directory to control
how that directory is served...

Disable index browsing:
This gives a user a "forbidden" message instead of displaying the files in a directory that lacks
an index page...
Code:

#disable directory browsing
Options -Indexes


Deny directory access + prevent script execution from within the directory
I use this in my user-submitted image directory. The only way to access the images in this folder
is with my image serving (PHP) script.
Example of usage:

Like this:

Code:

<img src="images.php?pic=somepic.jpg" />

But not like this:

Code:

<img src="somepic.jpg" />

Only the server has permission to access these (image) files.
Also, in the event a user somehow bypasses my error checking and uploads a script
(via my file upload), it'll be absolutely useless since script execution is disabled within the directory.
This is VERY important for secure file uploading.

Code:

# nobody but the server itself (i.e. the serving script) may read this directory
deny from all

# map anything that looks like a script to the CGI handler, then forbid CGI
# execution, so an uploaded script is refused instead of being run
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI


Includes directory
This is very important. You don't want anyone (except the server) to have access to your
included files directory. So disable access to it like this:

Code:

deny from all


Remove SessionIDs from URLs

If you're stepping up to XHTML 1.0 Strict, you'll find that in order to remain valid you'll have to add:

Code:

<input type="hidden" name="PHPSESSID" value="<?php echo session_id();?>" />


...to your forms to prevent the user's browser from adding it outside of its nested element.
Well, this will cause (usually on the first page load) the session ID to appear in your URLs,
which is very ugly and a potential security risk (although visitor session IDs are renewed after the
user logs in... so, it's not that much of a threat). Anyway, you can prevent this with a few .htaccess
techniques. There are three different approaches to this. Depending on your server's configuration,
one might work and the other two might not. This is what worked for me:

This should go in your root directory's htaccess...

Code:

<IfModule mod_php4.c>
# stop PHP from appending PHPSESSID to links and forms in its output
php_flag session.use_trans_sid off
# don't turn request parameters into global variables
php_flag register_globals off
</IfModule>


Try it out, if it doesn't work, Google "prevent sessionid in urls" and try the other techniques.


Mod-rewrite

You can rewrite urls like this:

This url:
Code:

http://www.mysite.com/profile.php?user=bustya


Will become this url:
Code:

http://www.mysite.com/profile/user/bustya/


With this added to your .htaccess:
Code:

Options +FollowSymLinks
RewriteEngine on
# anchored at the start of the path, one path segment per capture, so
# profile/user/bustya/ -> /profile.php?user=bustya (trailing slash optional)
RewriteRule ^profile/([^/]+)/([^/]+)/?$ /profile.php?$1=$2 [L,QSA]


There are several other tricks you can pull with .htaccess but these are the ones
I've found most useful.
Edited by bustya, Dec 24 2008, 09:18 AM.
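The post above relies on an image-serving PHP script ("images.php?pic=somepic.jpg") to reach files in a directory that .htaccess has closed off, but does not show it. The script below is an added example, not bustya's code or anything from the original thread, of how that serving script has to be written so that the `pic` parameter cannot be used to walk out of the image directory (e.g. `?pic=../../includes/config.php`) and so that a disguised script is not handed back as if it were an image. The directory path `/var/www/uploads`, the file-name rule, and the allowed image types are assumptions for the example.

```php
<?php
// images.php - added example, not from the original post.
// Serves files from an upload directory that .htaccess has made unreachable
// ("deny from all", script execution disabled). Assumption: the directory
// lives at /var/www/uploads; adjust to the real location.

declare(strict_types=1);

const IMAGE_DIR = '/var/www/uploads';

// Only these MIME types, as detected from the file contents, are served.
const ALLOWED_MIME = ['image/jpeg' => true, 'image/png' => true, 'image/gif' => true];

function resolve_image(string $dir, string $name): ?string
{
    // Accept a plain file name only: no slashes, no dot-segments, no NUL bytes,
    // no double extensions such as "x.php.jpg". This blocks path traversal
    // before the file system is ever touched.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z/i', $name)) {
        return null;
    }

    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);

    // realpath() returns false for missing files and resolves symlinks, so
    // re-check that the final path is still inside the image directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return is_file($path) ? $path : null;
}

function detect_image_mime(string $path): ?string
{
    // Trust the bytes, not the extension: an upload named "x.jpg" that is
    // really PHP or HTML fails here and is never served.
    $info = @getimagesize($path);
    if ($info === false || !isset($info['mime']) || !isset(ALLOWED_MIME[$info['mime']])) {
        return null;
    }
    return $info['mime'];
}

$pic  = isset($_GET['pic']) ? (string) $_GET['pic'] : '';
$path = resolve_image(IMAGE_DIR, $pic);
$mime = $path !== null ? detect_image_mime($path) : null;

// Same response for "does not exist", "escaped the directory" and "not an
// image", so the script leaks nothing about the directory's contents.
if ($path === null || $mime === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
// Tell browsers not to second-guess the declared type.
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);
```

The two checks are deliberately independent: the file-name pattern rejects traversal syntactically, and the `realpath()` containment check catches anything the pattern might miss (a symlink planted in the upload directory, for instance). Keeping the upload directory outside the web root, as assumed here, means the .htaccess rules in the post become a second layer rather than the only one.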