Narendra Dhami

mod_rewrite: A Beginner’s Guide to URL Rewriting

Posted by Narendra Dhami on July 15, 2008

So you’re a Web developer who has all the bells and whistles on your site and creates Web-based applications that are both beautiful and work well. But what about these issues?

Applications Must Be Safe

A user must not be able to harm your site in any way by modifying a URL that points to your applications. In order to ensure your site is safe, check all the GET variables coming from your visitors (it should go without saying that the POST variables must be examined as well).

For example, imagine we have a simple script that shows all the products in a category. Generally, it’s called like this:

myapp.php?target=showproducts&categoryid=123

But what will this application do if ScriptKiddie(tm) comes and types this in his browser:

myapp.php?target=showproducts&categoryid=youarebeinghacked

Well, many of the sites I’ve seen will drop some error message complaining about a malformed SQL query, an invalid MySQL resource ID, and so on… These sites are not secure. And can anyone guarantee that a site-to-be-finished-yesterday will have all the parameter verifications in place – even in a programming group of only 2 or 3 people?
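To make the point concrete, here is the “showproducts” handler written both ways. This is an added example, not code from the original post: it assumes a PDO connection (an in-memory SQLite database, so it runs offline with the pdo_sqlite extension), a products table, and function names and sample rows that are invented for illustration. The unsafe version behaves the way the post describes (a raw database error reaches the visitor when categoryid is “youarebeinghacked”); the hardened version validates both GET parameters, uses a prepared statement, and sends the detail to the server log instead of the browser.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumptions: pdo_sqlite is
// available, the table is called "products", and the rows below are constructed.

/** Build the sample database with a few constructed product rows. */
function sampleDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, category_id INTEGER, name TEXT)');
    $db->exec("INSERT INTO products (category_id, name) VALUES (123, 'Widget'), (123, 'Gadget'), (124, 'Sprocket')");
    return $db;
}

/** The "before" handler: trusts the GET value and echoes the database error. */
function showProductsUnsafe(PDO $db, array $get): string
{
    try {
        $rows = $db->query('SELECT name FROM products WHERE category_id = ' . $get['categoryid'])
                   ->fetchAll(PDO::FETCH_COLUMN);
        return implode(', ', $rows);
    } catch (PDOException $e) {
        // This is the behaviour the post complains about: the raw SQL error is shown to the visitor.
        return 'Error: ' . $e->getMessage();
    }
}

/** Validate categoryid: it must be a positive integer; anything else is rejected. */
function parseCategoryId(array $get): ?int
{
    if (!isset($get['categoryid'])) {
        return null;
    }
    $id = filter_var($get['categoryid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** The hardened handler: validated input, a prepared statement, and a generic error page. */
function showProductsSafe(PDO $db, array $get): string
{
    $id = parseCategoryId($get);
    if ($id === null) {
        http_response_code(400);
        return 'Unknown category.';
    }
    try {
        $stmt = $db->prepare('SELECT name FROM products WHERE category_id = :id');
        $stmt->execute([':id' => $id]);
        $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        error_log('showproducts failed: ' . $e->getMessage()); // detail goes to the server log only
        http_response_code(500);
        return 'Sorry, something went wrong.';
    }
    if ($rows === []) {
        return 'No products in this category.';
    }
    return htmlspecialchars(implode(', ', $rows), ENT_QUOTES, 'UTF-8');
}

/** Dispatch on "target" through an allowlist, so that parameter is checked as well. */
function dispatch(PDO $db, array $get): string
{
    $handlers = ['showproducts' => 'showProductsSafe'];
    $target = $get['target'] ?? '';
    if (!isset($handlers[$target])) {
        http_response_code(404);
        return 'No such page.';
    }
    return $handlers[$target]($db, $get);
}

// Run both handlers against the two query strings quoted in the post.
$db = sampleDatabase();
foreach (['target=showproducts&categoryid=123', 'target=showproducts&categoryid=youarebeinghacked'] as $qs) {
    parse_str($qs, $get);
    echo $qs, "\n";
    echo '  unsafe: ', showProductsUnsafe($db, $get), "\n";
    echo '  safe:   ', dispatch($db, $get), "\n";
}
```

Run it with `php myapp-example.php`. The point of the allowlist in dispatch() is that “target” is just as much visitor-controlled input as “categoryid”: every parameter gets a shape check before it is used, and whatever the database says about a bad query stays in the log.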

Applications Must Be Search-Engine Friendly

It’s not generally known, but many of the search engines will not index your site in depth if it contains links to dynamic pages like the one mentioned above. They simply take the “name” part of the URL (that’s everything before the question mark, which contains the parameters that are needed for most of the scripts to run correctly), and then try to fetch the contents of the page. To make it clear, here are some links from our fictitious page:

myapp.php?target=showproducts&categoryid=123
myapp.php?target=showproducts&categoryid=124
myapp.php?target=showproducts&categoryid=125

Unfortunately, there’s a big chance that some of the search engines will try to download the following page:

myapp.php

In most cases calling a script like this causes an error – but if not, I’m sure it will not show the proper contents the link was pointing to. Just try this search at google.com:

"you have an error in your sql syntax" .php -forum

The scripts listed there have both huge bugs and security holes – and, again, these scripts are not search-engine friendly.

Applications must be user-friendly

If your application uses links like:

http://www.downloadsite.com?category=34769845698752354

then most of your visitors will find it difficult to get back to their favourite category (e.g. Nettools/Messengers) every time they start from the main page of your site. Instead, they’d like to see URLs like this:

http://www.downloadsite.com/Nettools/Messengers

It’s even easier for the user to find (pick) the URL from the browser’s drop-down list as they type into the Location field (though of course this only works if the user has visited it previously).

And what about you?

Now you have everything you need to answer the following questions:

* Is your site really safe enough?
* Can you protect your site from hackers?
* Are your Websites search-engine compatible?
* Are the URLs on your site ‘user friendly’ – are they easy to remember? …and would you like them to be? (Everyone who answered ‘yes’ to all 4 questions: have a beer!)
