Hi,

I am using .htaccess RewriteRule on a website I'm working on.

Here is a sample of my .htaccess

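RewriteEngine on
# Send /about.htm (case-insensitive) to index.php; the dot is escaped so it only matches a literal "."
RewriteRule ^about\.htm$ /index.php?load=about&output=html [NC]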

I would like to know if there is a way in my index.php file to detect whether the page has been called via a Rewrite or the user reached it directly. I'm trying to avoid having to write some security check that I am not even sure where to start.

If there is no way to make that "check", where should I start to secure the file?

My guess would be to make sure only load and output are passed to the $_GET, run strip_tags(), trim(), stripslashes() and remove quotes.

Thank you!

A: 

You can check the request URI, which is contained in the $_SERVER global variable.

Sjoerd
+1  A: 

Look for REDIRECT_URL or REDIRECT_STATUS in the $_SERVER global. mod_rewrite should be adding these.

bogeymin
Hey, that was fast! But I am now wondering if my pattern was good in the case I had to do the security myself. Any idea? I will accept your answer in a few.
Cybrix
No problem. mod_rewrite is powerful mojo. My only thought looking at the supplied pattern is that it could be simpler. If I were you, I would look at prominent examples like the .htaccess file used by Zend Framework, Drupal, and so on. The ZF htaccess is quite simple, and basically sends everything to index.php that isn't an actual file or directory. So you could just use /about (or /about.htm) as your URL and let index.php parse the REQUEST_URI by splitting on the "/"s.
bogeymin
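
An added example, not part of the original thread: one way index.php could combine the REDIRECT_STATUS / REDIRECT_URL check from the answer above with validation of the load and output parameters from the question. The allowlists, the pages/ paths and both function names are assumptions. The rewrite check is treated only as a hint, because index.php?load=... can still be requested directly, so the decision rests on the allowlists.

```php
<?php
// Added example. ALLOWED_PAGES, ALLOWED_OUTPUTS, the pages/ paths and both
// function names are assumptions, not taken from the thread.
const ALLOWED_PAGES   = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
const ALLOWED_OUTPUTS = ['html', 'xml'];

// Hint only: Apache sets REDIRECT_* variables after an internal redirect such
// as a per-directory RewriteRule; a direct hit on index.php usually lacks them.
function came_through_rewrite(array $server): bool
{
    return isset($server['REDIRECT_STATUS']) || isset($server['REDIRECT_URL']);
}

// Validate the query string against allowlists instead of trying to clean it.
function resolve_request(array $get, array $server): array
{
    // Reject any parameter other than load and output.
    if (array_diff_key($get, ['load' => 1, 'output' => 1]) !== []) {
        return ['status' => 400, 'reason' => 'unexpected parameter'];
    }
    $load   = $get['load']   ?? 'home';
    $output = $get['output'] ?? 'html';
    // ?load[]=x arrives as an array; only plain strings are acceptable.
    if (!is_string($load) || !is_string($output)) {
        return ['status' => 400, 'reason' => 'parameter is not a string'];
    }
    if (!array_key_exists($load, ALLOWED_PAGES) || !in_array($output, ALLOWED_OUTPUTS, true)) {
        return ['status' => 404, 'reason' => 'unknown page or output'];
    }
    // The include path comes from the allowlist, never from the request.
    return ['status' => 200, 'file' => ALLOWED_PAGES[$load], 'output' => $output,
            'rewritten' => came_through_rewrite($server)];
}

// Constructed sample requests so the file can be run with `php example.php`.
if (PHP_SAPI === 'cli') {
    $samples = [
        'via rewrite'     => [['load' => 'about', 'output' => 'html'], ['REDIRECT_STATUS' => '200', 'REDIRECT_URL' => '/about.htm']],
        'direct hit'      => [['load' => 'about', 'output' => 'html'], []],
        'path-like value' => [['load' => '../config', 'output' => 'html'], []],
        'array value'     => [['load' => ['about']], []],
        'extra parameter' => [['load' => 'about', 'debug' => '1'], []],
    ];
    foreach ($samples as $label => [$get, $server]) {
        echo str_pad($label, 16), json_encode(resolve_request($get, $server)), PHP_EOL;
    }
}
```

In a real front controller the call would be resolve_request($_GET, $_SERVER), with the returned file included only when the status is 200.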