
PHP prevent a variable passed via query string, but allow the same variable to be passed via apache mod_rewrite

I'm using .htaccess mod_rewrite to convert a nice URL, and using a php variable page to send the url portion to index.php where rest of the processing is done.

# Rewrite /foo/bar to index.php?page=foo/bar; [QSA] appends the request's original query string.
# "-" has to be first or last inside the character class: written as "9-_" it is a range from "9" to "_".
RewriteRule ^([a-zA-Z0-9_/-]+)$ index.php?page=$1 [QSA,L]

Now, if some malicious user passes the page variable via query string, it gets accepted. For example, if the user calls http://mysite.com/login?page=registration instead of loading the login page, user specified registration page gets loaded.

Any idea how to fix it within the htaccess file?

I've looked for answers for the same thing myself and I'm pretty sure there is no solution to it. The only solution I've come up with is to replace page with some arbitrary "key" instead, like 98198bs129387b13 . Thus, they would have to know the key. But make no mistake, this is security through obscurity... and having proper checks in index.php is still necessary (and it is regardless).

if the user calls http://mysite.com/login?page=registration instead of loading the login page, user specified registration page gets loaded.

You can't fix this using mod_rewrite - after all, what's to stop the attacker from entering

domain.com/registration

instead?

You need to make sure that unauthorized users can never access pages they're not supposed to access.
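The point made in this answer, as an added example that is not part of the question or either answer: a minimal front controller (a hypothetical index.php) that treats the rewritten `page` value as untrusted input, resolves it against an allow-list of routes, and checks the user's role from the session rather than from anything in the request. The route table, the page file names and the `$_SESSION['role']` key are constructed for the example.

```php
<?php
// Added example, not code from the question or the answers.
//
// With the question's RewriteRule and the [QSA] flag, a request for
// /login?page=registration is rewritten to index.php?page=login&page=registration.
// PHP keeps the LAST value of a repeated parameter, so $_GET['page'] is "registration".
// mod_rewrite knows nothing about who is logged in, so the decision has to be made here.

declare(strict_types=1);

// Allow-list of routes and the minimum role each one needs (constructed sample data).
const ROUTES = [
    'login'        => ['file' => 'pages/login.php',        'role' => null],
    'registration' => ['file' => 'pages/registration.php', 'role' => null],
    'account'      => ['file' => 'pages/account.php',      'role' => 'user'],
    'admin/users'  => ['file' => 'pages/admin_users.php',  'role' => 'admin'],
];

// Simple role hierarchy: admin may open everything a user may.
const ROLE_LEVEL = ['user' => 1, 'admin' => 2];

/**
 * Decide what to serve for a requested page.
 *
 * @param string|null $page  value taken from the query string; never trusted
 * @param string|null $role  authenticated user's role from the session, null when anonymous
 * @return array{status:int, file:?string}
 */
function resolvePage(?string $page, ?string $role): array
{
    // Normalise so "/login/" and "login" resolve to the same route; default to the login page.
    $page = trim((string) $page, '/');
    if ($page === '') {
        $page = 'login';
    }

    // Unknown route: 404. The value is only ever used as an array key,
    // so it is never turned into a file-system path.
    if (!isset(ROUTES[$page])) {
        return ['status' => 404, 'file' => null];
    }

    $required = ROUTES[$page]['role'];
    $need = $required === null ? 0 : ROLE_LEVEL[$required];
    $have = $role === null ? 0 : (ROLE_LEVEL[$role] ?? 0);

    // Authenticated but under-privileged, or anonymous on a protected page: 403.
    if ($have < $need) {
        return ['status' => 403, 'file' => null];
    }

    return ['status' => 200, 'file' => ROUTES[$page]['file']];
}

session_start();

// The role comes from server-side session state, not from $_GET or a cookie value the
// client controls. $_SESSION['role'] is an assumed key set by the (hypothetical) login code.
$result = resolvePage($_GET['page'] ?? null, $_SESSION['role'] ?? null);

http_response_code($result['status']);
if ($result['file'] !== null) {
    require __DIR__ . '/' . $result['file'];
} else {
    echo $result['status'] === 403 ? 'Forbidden' : 'Not found';
}
```

With this in place it no longer matters whether `page` arrived through the rewrite or was typed into the query string, which is exactly the answer's point: `/registration` and `/login?page=registration` both end up in `resolvePage()` and are judged by the same allow-list and the same session role. A value such as `../../etc/passwd` is simply an unknown key and gets a 404 without ever touching the disk.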
