Getting with the mod_rewrite voodoo

by oneafrikan on July 31, 2006

I’ve been working on a fairly large product site in two languages lately, and am using Apache mod_rewrite to do the url mapping, so that things look nice and pretty like, instead of the ugly query strings we’re not supposed to see in the Web 2.0 world (IMHO, sometimes I think query strings would be easier mind ‘cos there’s less to configure).

Anyhoo, I thought I’d post the mod_rewrite voodoo here for the greater goodness of mankind, and wait for people to shoot me down so that I can learn more from it ;-)

Here you go – download if you want it – all purty simple and straightforward:
(PS – each line should be on one line, so if it wraps for you, copy and paste and make sure it’s on one line when you use it)

# mod_rewrite in use
RewriteEngine On

# This needs to be set to allow URL manipulation on my server – setup on local dev server in httpd.conf
Options +FollowSymlinks

# Set the base URL
RewriteBase /

# we don’t want rules to apply to this directory
RewriteRule ^your-dir-name/.*$ - [L]

### set all page requests to go to instead of
#RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
#RewriteRule ^(.*)$$1 [R=301,L]

########## Begin Standard SEF Section
RewriteRule ^profiles/([^/\.]+)/?$ profile.php?page=$1 [L]

# categories
RewriteRule ^([^/\.]+)/?$ /view_category.php?cat_url=$1 [QSA,L]

# subcategories
RewriteRule ^([^/\.]+)/([^/\.]+)/?$ /view_subcategory.php?cat_url=$1&subcat_url=$2 [QSA,L]

## detailpages, second sends a state of the product detail page
RewriteRule ^([^/\.]+)/([^/\.]+)/([^/\.]+)/?$ /view_product_detail.php?cat_url=$1&subcat_url=$2&product_url=$3 [QSA,L]
RewriteRule ^([^/\.]+)/([^/\.]+)/([^/\.]+)/([^/\.]+)/?$ /view_product_detail.php?cat_url=$1&subcat_url=$2&product_url=$3&state=$4 [QSA,L]

########## End Standard SEF Section

########## Error documents
ErrorDocument 404 /error.php

I’ll leave you with some cool quotes from the real gurus:
“The great thing about mod_rewrite is it gives you all the configurability and flexibility of Sendmail. The downside to mod_rewrite is that it gives you all the configurability and flexibility of Sendmail.” — Brian Behlendorf, Apache Group

“Despite the tons of examples and docs, mod_rewrite is voodoo. Damned cool voodoo, but still voodoo.” — Brian Moore


1st things 1st, Apache has a serious vulnerability with mod_rewrite that allows attackers to execute code on your web server, so make sure you’ve updated your Apache before you get r00ted.

The one thing that’s annoying us security peeps about Web 2.0 is that the SAME security mistakes are being made. It’s like no-one has learnt anything from us poking holes in Web 1.0 and are hellbent on making the same mistakes.

Take this “hiding” of query strings that everyone is being made to do with Web 2.0. Great, you’re making it look prettier but I’ll bet my camera kit that the developer isn’t doing the correct input validation on the user-supplied input being passed back to the server.

On a daily basis now I’m still training developers on why this is a bad thing and I’m still getting that blank look.

One day…

by Daniel on July 31, 2006 at 8:34 am. Reply #

Yea yea yea… shecurity shmecurity!

Just kidding!! Thanks for the heads up ;-)
Just so you know, I am doing input validation… wouldn’t do it any other way…

by Gareth Knight on August 4, 2006 at 12:20 am. Reply #
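
The input-validation point from the first comment, applied to the rewrite rules in the post, as an added example that is not part of the original post or comments: a Python model of those rules showing that `[^/\.]+` only excludes slashes and dots, so quotes, angle brackets and spaces still reach the PHP scripts and have to be validated there. The slug format, the `route`/`validate` helpers and the sample paths are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# The post's RewriteRule patterns in file order; [L] means the first match wins.
RULES = [
    (r"^profiles/([^/\.]+)/?$", ["page"]),
    (r"^([^/\.]+)/?$", ["cat_url"]),
    (r"^([^/\.]+)/([^/\.]+)/?$", ["cat_url", "subcat_url"]),
    (r"^([^/\.]+)/([^/\.]+)/([^/\.]+)/?$", ["cat_url", "subcat_url", "product_url"]),
    (r"^([^/\.]+)/([^/\.]+)/([^/\.]+)/([^/\.]+)/?$",
     ["cat_url", "subcat_url", "product_url", "state"]),
]

# Assumption: slugs are lowercase letters, digits and single hyphens, max 64 chars.
SLUG = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def route(request_path):
    """Return the query parameters the rules would hand to PHP, or None."""
    # mod_rewrite matches the %-decoded path; in .htaccess the leading "/" is stripped.
    path = unquote(request_path).lstrip("/")
    for pattern, names in RULES:
        m = re.match(pattern, path)
        if m:
            return dict(zip(names, m.groups()))
    return None


def validate(params):
    """Allowlist check the application still has to do on every captured value."""
    bad = [k for k, v in params.items() if len(v) > 64 or not SLUG.fullmatch(v)]
    if bad:
        raise ValueError("rejected parameters: " + ", ".join(sorted(bad)))
    return params


if __name__ == "__main__":
    # Constructed sample requests, not taken from the original site.
    for req in ["/cameras/digital-slr/", "/cameras/%3Cb%3E%27"]:
        params = route(req)
        try:
            print(req, "->", validate(params))
        except ValueError as err:
            print(req, "->", params, "|", err)
```

The same allowlist can be pushed into the rules themselves by replacing `[^/\.]+` with a stricter class such as `[a-z0-9-]+`, but the check in the application is still needed because the PHP scripts remain reachable directly by their query-string URLs.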
