How secure is URL rewriting? - security

This is possibly a duplicate question, but I am unable to find the other one if it is.
I was looking for advice on how secure URL rewriting is. Does it stop SQL injection or XSS? If not, how would one circumvent it?
The reason I ask is because I am unsure of the process that rewriting takes. Am I right in believing that this URL could effectively be dangerous:
http://www.website.com/article/1' UNION ALL...

URL rewriting doesn't have anything to do with preventing SQL injections! URL rewriting is mostly used to turn "ugly" URLs (like http://domain.com/index.php?name=1&value=2) into pretty URLs (like http://domain.com/1/2).
It doesn't prevent SQL injection at all. SQL injection must be prevented by making sure that user inputs do not contain characters that modify an SQL statement so that it does things that were not intended. Example:
You have an SQL Statement like:
SELECT * FROM $tableName;
And $tableName is a parameter that is entered by the user through a web form. Now the user could enter Users; DROP TABLE Users; --. This would be bad:
SELECT * FROM Users; DROP TABLE Users; --;
This, however, cannot be solved by URL rewriting.

No, URL rewriting can't prevent XSS or SQL injection.
If you want to avoid SQL injection, use the DBI library (with prepare/execute statements) in your code.
If you want to avoid XSS Attack, please filter your user input in your code, too.

URL rewriting and security are two different things. The URL rewrite simply changes the presentation of variables in the URL but does not secure them at all. We must secure the variables in the code after recovering them from the URL.

But for SQL Injection based only on the $_GET variable, if we use this:
RewriteRule ^([a-z])-([0-9]).html$ /index.php?page=$1&id=$2 [L]
Is the $_GET["id"] variable injectable? We are forcing the value to be an integer only.

URL rewriting has a feature called 'Request blocking'. You can use this feature to scan and prevent 3rd party tools sending spoof requests.
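The point made in the answers above, as an added example that is not part of the original posts: the rule from the comment is rendered as a Python regex, and the handler is written once with string concatenation and once with in-handler validation plus a bound parameter. The `articles` table, the function names and the sample rows are constructed, and SQLite stands in for the real database.

```python
import re
import sqlite3

# The rule quoted above, as a Python regex (pattern copied unchanged):
#   RewriteRule ^([a-z])-([0-9]).html$ /index.php?page=$1&id=$2 [L]
RULE = re.compile(r"^([a-z])-([0-9]).html$")
ALLOWED_TABLES = {"articles"}  # hypothetical allow-list of table names


def route(path, query):
    """Return the parameters the handler would receive for a request."""
    m = RULE.match(path.lstrip("/"))
    if m:  # pretty URL: the rule fills in page and id
        return {"page": m.group(1), "id": m.group(2)}
    if path == "/index.php":  # rewrite target requested directly: rule never runs
        return dict(query)
    return None


def fetch_unsafe(db, params):
    # Vulnerable on purpose: the value is pasted into the SQL text.
    return db.execute(
        "SELECT title FROM articles WHERE id = " + params["id"]
    ).fetchall()


def fetch_safe(db, table, params):
    # Identifiers cannot be bound as parameters, so check them against a list.
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table")
    # Validate in the handler, whatever the URL layer did or did not check.
    if not re.fullmatch(r"[0-9]+", params.get("id", "")):
        raise ValueError("id must be an integer")
    sql = f"SELECT title FROM {table} WHERE id = ?"  # value is a bound parameter
    return db.execute(sql, (int(params["id"]),)).fetchall()


def make_db():
    # Constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    db.executemany(
        "INSERT INTO articles VALUES (?, ?)", [(1, "public"), (2, "draft")]
    )
    return db
```

When `id` reaches `fetch_unsafe` without having passed through the rule, it becomes part of the SQL text; `fetch_safe` rejects the same input with `ValueError`, and it rejects a table name such as the `Users; DROP TABLE Users; --` value from the first answer because it is not on the allow-list.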

Related

.htaccess rewrite only if ID exists in database

I am trying to make a custom blog CMS. Each blog post has an ID in my MySQL database.
Basically I need to rewrite:
domain.com/category.php?id=4
to
domain.com/4
But I only want this to work if the ID (in this case 4) exists in the database because I don't want every single number to be rewritten.
Can someone tell me how I can get around with this?
You can use the usual file manipulation functions (fwrite, fopen, etc.).
Or you can use Mod_rewrite and PHP. Check this : http://culttt.com/2011/11/16/how-to-make-vanity-urls-using-php-htaccess-and-mysql/

Notes 9, rewriting URLs

How do you rewrite a URL in Notes 9 XPages?
Let's say I have:
www.example.com/myapp.nsf/page-name
How do I get rid of that .nsf part:
www.example.com/page-name
I don't want to do lots of manual re-direct because my pages are dynamically formed like wordpress.
I've read this: http://www.ibm.com/developerworks/lotus/library/ls-Web_site_rules/
It does not address the issue.
If you use substitution rules like the following, you can get rid of the db.nsf part and call your XPages directly as example.com/xpage1.xsp:
Rule (substitution): /db.nsf/* -> /db.nsf/*
Rule (substitution): /* -> /db.nsf/*
However, you have to "manually" generate your URLs without the db.nsf part in e.g. menus because the XPages runtime will include the db.nsf part in the URLs if you use for instance the openPage simple action.
To completely control what is going in and out, put your Domino behind an Apache HTTP server and use mod_rewrite. On Domino 9.0 Windows you can use mod_domino.
You can do it with a mix of substitutions, "URL-pattern" and partial refresh.
I had the same problem; my customers want clean URLs for SEO.
My URLs now look like this:
www.myserver.de/products/financesoftware/anyproduct
First I used one substitution to cover the folder, database and XPage part of the URL.
My substitution: "/products" -> "/web/techdemo.nsf/product.xsp"
The problem with this is that on any update on this site (with in redirect mode) the user gets back the "dirty" URL.
I solved this with the use of partial refreshes only.
Last but not least, I use my own slash pattern at the end of the XPage call (.xsp).
In my case that's the "/financesoftware/anyproduct/" part.
I used facesContext.getExternalContext().getRequestPathInfo() to resolve that URL part.
Currently I use good old RegExp to get the slash-separated parameters back out of the URL, but I am investigating a REST solution at the moment.
I haven't actually done this, but just saw the option yesterday while looking for something else. In your Xpage, go to All Properties, and look at 'navigationRules' and 'pageBaseUrl'. I think you will find what you are looking for there.

Multiple and Variable parameters URL rewriting

I don't know how to rewrite URLs of this type:
mywebsite/param1-val1-param2-val2-param3-val3-param4-val4.html
That's really simple to do, BUT my problem is that my parameters are variable, like:
mywebsite/param1-val1-param3-val3-param4-val4.html
or
mywebsite/param3-val3-param4-val4.html
so, the number of parameters is not always the same. It can sometimes be just one, sometimes it can be 10 or more. It redirects to a search script which will grab the parameters through GET querystring.
What I want to do is to not write (on htaccess) a line for every link. The links are pretty simple in that form separated by a -(hyphen) sign.
Rather than rely on complex rewrite rules, I would suggest a simple rewrite rule and then modifying the code of your web application to do the hard part. Supporting this kind of variable parameters is not something that a rewrite rule is going to be very good at on its own.
I would use the following rewrite rule that intercepts any url that contains a hyphen separator and ends in .html
RewriteRule ^(.+[\-].+)\.html$ /query.html?params=$1
Then your web application can get the parameters from the CGI parameter called params. They look like this now: param1-val1-param3-val3-param4-val4. Your code should then split on the hyphens, and then put the parameters into a map. Most web frameworks support some way of adding to or overriding the request parameters. If so, you can do this without doing invasive modifications to the rest of your code.
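One way to do the split-and-map step from this answer, as an added example that is not the answerer's code: because the rule `^(.+[\-].+)\.html$` passes any characters through, the parser below also rejects malformed input. The allowed names, the token alphabet and the pair limit are assumptions for illustration.

```python
import re

# Hypothetical parameter names, taken from the URLs in the question.
ALLOWED = {"param1", "param2", "param3", "param4"}
TOKEN = re.compile(r"[A-Za-z0-9_]+")  # assumed alphabet for values
MAX_PAIRS = 32  # assumed upper bound on name-value pairs


def parse_params(raw, allowed=ALLOWED):
    """Turn 'param1-val1-param3-val3' into {'param1': 'val1', 'param3': 'val3'}."""
    tokens = raw.split("-")
    if len(tokens) % 2 != 0:
        raise ValueError("name without a value")
    if len(tokens) // 2 > MAX_PAIRS:
        raise ValueError("too many parameters")
    result = {}
    # Even positions are names, odd positions are the matching values.
    for name, value in zip(tokens[0::2], tokens[1::2]):
        if name not in allowed:
            raise ValueError(f"unexpected parameter: {name!r}")
        if name in result:
            raise ValueError(f"duplicate parameter: {name!r}")
        if not TOKEN.fullmatch(value):
            raise ValueError(f"bad value for {name!r}")
        result[name] = value
    return result
```

The returned values are still untrusted strings: they go into SQL as bound parameters and into HTML through output encoding, like any other request parameter.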

Htaccess to block access to specific Mediawiki page?

In Mediawiki, I'm trying to find a way to block access to some of our template pages. I don't want some of our competition viewing our complex code and stealing it for their wikis (which is common in the fandom I'm from unfortunately). So I was trying to use htaccess to accomplish this by redirecting people to the main wiki page when they try to view a specific template page. However, nothing is happening. Here's what I used:
Redirect /wiki/index.php?title=Template:Box /wiki/index.php
I'm not sure what I'm trying to do is possible, though, or if this is how htaccess is supposed to be used!
Thank you in advance!
In short words: don't do that!
Let me quote the relevant part of MediaWiki docs: MediaWiki is not designed to be a CMS, or to protect sensitive data. To the contrary, it was designed to be as open as possible. Thus it does not inherently support full featured, air-tight protection of private content.
There's no way MediaWiki guarantees partial read permissions: either people are able to see every page, or none of them. Otherwise, there will be loopholes to read your precious data. For example, TerryE's trick with rewrite rules adds absolutely no security: among a hundred other ways, one can simply change Template:Box into Template_:_Box and the latter will be normalised internally into the former. MW sometimes HTTP-redirects to normalised titles, but that is very easy to overcome.
There are lots of ways of getting template content in MW, and MW has its own access control extensions, so I think that you are trying to cure a leaking sieve, but answering your Q directly:
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} \bTemplate:Box\b
RewriteRule wiki/index.php $0? [L]
This will remove the query parameters if the URI is for /wiki/index.php and the query string contains Template:Box.

Hiding URL parameters with .htaccess while still making them available to $_GET

I have a script on my site ('write-review.php') that takes an optional url parameter 'site'. So server-side requests could be:
/reviews/write-review.php
or
/reviews/write-review.php?site=foo
I'm using .htaccess to create search engine friendly URLs and hide my php extensions, so that requests to this script are respectively rewritten as
/reviews/write-a-review/
or
/reviews/write-a-review/foo
I think having 'foo' in the URL may cause confusion for my users, so I'm trying to write an htaccess rewrite rule that removes 'foo' while still passing this variable to my script. Thus, a request to /reviews/write-a-review/foo would be rewritten as /reviews/write-a-review/ but write-review.php would be passed 'foo'.
The rewrite rule I currently have in place is:
RewriteRule ^reviews/write-a-review/?$ reviews/write-review.php
RewriteRule ^reviews/write-a-review/([a-zA-Z0-9_-]+)/?$ reviews/write-review.php?site=$1
Is it even possible to do what I've described above? There are MANY questions on Stack Overflow that are similar to this, and I've read through at least a dozen, but I haven't found a way to do this specifically.
Any help is really appreciated.
Thanks,
Chris
Is it even possible to do what I've described above?
No. To alter the actual URL the user inputs, you'd have to do a header redirect, during which you would lose foo.
This is not possible, except maybe by using ridiculous technical tricks like storing foo in a session variable or something. I would not recommend going that route.
