Re: [PHP] strange php url (CORRECTION)
Kevin Kinsey wrote:

> Pretty good thoughts, there. Some years ago, Tim Perdue (of PHPBuilder and SourceForge fame) had a popular article on Search Engine Friendly URL's (or some such), in which he described use of the Apache ForceLocal directive to make a site just One Big Script, parsing the slashed portions of the query string as variables (instead of GET, a la ?section=man&term=foo) so that the browser appears to be accessing documents in subfolders, but it's really just telling the server to grab a page with certain values defined in the URI.
>
> It sure looks like a possibility of this or similar magic in this case. Of course, I could be way off my tree...

And it appears I was at least *slightly* off my tree. In looking for more info on this, my post (archived in 2 places), was the only reference to a ForceLocal directive in Apache that Google could find ;-)

I meant ForceType, and here's how it works in httpd.conf:

    <VirtualHost *>
        ServerName test.foo.com
        DocumentRoot /var/www/data/footest
        ServerAdmin [EMAIL PROTECTED]
        <Location /manual>
            ForceType application/x-httpd-php
        </Location>
    </VirtualHost>

Now, you write manual in PHP, (no file extension), and anything directed to manual is parsed by said script.

Since I used the wrong terminology, I may have distracted any *real* gurus from recognizing what I was talking about. Sorry for any confusion.

Kevin Kinsey

--
It's hard to think of you as the end result of millions of years of evolution.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] strange php url
Hi all and thanks for the answers.

On my server, the building of some webpages with url like the one below produces a loop and crashes the server.
(http://myurl.mydomain/path/index.php/path/index.php).

As I never heard about the PATH_INFO before, I'm not sure the site uses this value. (I'll check the code to be sure).

If I can make sure the PATH_INFO isn't used anywhere in the code, is there a way to change the config in order to generate a 404 for each url with a not null PATH_INFO ?

Nicolas Figaro

Joe Wollard wrote:

> I believe Kevin is on the right track there. To expand a bit, you can use $_SERVER['PATH_INFO'] with these urls instead of $_GET to make use of the data it contains
>
> example for url http://www.example.com/index.php/foo/bar
>
>     <?php echo $_SERVER['PATH_INFO']; ?>
>
> produces:
>
>     /foo/bar
>
> You can then parse this string, (generally by using the '/' character as a delimiter) and extract the data. MediaWiki even provides information (can't think of where at the moment) on how to use Apache's mod_rewrite to hide index.php thus making the url even cleaner: http://www.example.com/foo/bar
>
> Cheers!
> - Joe
>
> On 4/21/06, Kevin Kinsey [EMAIL PROTECTED] wrote:
>
>>>> Hi, could anyone tell me why the following url doesn't generate a page not found ?
>>>> http://www.php.net/manual/en/function.checkdnsrr.php/manual/
>>>> you can try with a longer url after the last .php.
>>>> I tried with ../manual instead of manual and this produces a 404.
>>>>
>>>> I checked with www.php.net because my own site does the same and I wanted to be sure it didn't come from my config.
>>>>
>>>> thanks
>>>>
>>>> Nicolas Figaro
>>
>> [EMAIL PROTECTED] wrote:
>>
>>> The other thing that could happen is they could be using something like the Apache mod_rewrite (some info at http://www.modrewrite.com/ among others) which can dynamically change the requested URL to a more standard URL before sending back to the user.
>>>
>>> Something like this:
>>> http://www.testserver.com/tgryffyn/homepage/middlesection
>>>
>>> Could be turned into something like:
>>> http://www.testserver.com/userpage.php?user=tgryffyn&page=home#middleanchor
>>>
>>> But to the user requesting the page, it'll always look like the first URL.
>>>
>>> Forgive me if I got any syntax or capability of mod_rewrite wrong, never used it myself just know that's the general sort of thing that it does.
>>
>> Pretty good thoughts, there. Some years ago, Tim Perdue (of PHPBuilder and SourceForge fame) had a popular article on Search Engine Friendly URL's (or some such), in which he described use of the Apache ForceLocal directive to make a site just One Big Script, parsing the slashed portions of the query string as variables (instead of GET, a la ?section=man&term=foo) so that the browser appears to be accessing documents in subfolders, but it's really just telling the server to grab a page with certain values defined in the URI.
>>
>> It sure looks like a possibility of this or similar magic in this case. Of course, I could be way off my tree...
>>
>> Kevin Kinsey
>>
>> --
>> Byte your tongue.
Re: [PHP] strange php url
On 4/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> redirects to:
> http://www.example.com/index.php?action=edit&type=customer&id=1234&adminaccess=1

and you put admin access flags (read, determine roles) in URL parameters?

-ahmed
Re: [PHP] strange php url
On Mon, April 24, 2006 1:58 am, nicolas figaro wrote:

> On my server, the building of some webpages with url like the one below produces a loop and crashes the server.
> (http://myurl.mydomain/path/index.php/path/index.php).

Odds are VERY GOOD that you have some kind of bad regex in your httpd.conf which sends Apache into an infinite loop in mod_rewrite.

You will need to turn on mod_rewrite debugging and error logging and crash the server again to find out what is happening.

> As I never heard about the PATH_INFO before, I'm not sure the site uses this value. (I'll check the code to be sure).

[james stewart voice on]
One of the advantages of using $_SERVER['PATH_INFO'] in PHP instead of mod_rewrite is that it's a lot harder to screw things up so spectacularly.
[james stewart voice off]

> If I can make sure the PATH_INFO isn't used anywhere in the code, is there a way to change the config in order to generate a 404 for each url with a not null PATH_INFO ?

I don't really understand this bit, but you should be able to do something like this:

    <?php
    // is_bad() stands for your own check of the PATH_INFO value
    if (is_bad($_SERVER['PATH_INFO'])) {
        header("Location: http://example.com/nonexistent.htm");
        exit; // stop the script once the redirect header is sent
    }
    ?>

This assumes that you can discern bad PATH_INFO from good PATH_INFO and that nonexistent.htm does not actually exist -- or that could exist and be a pretty page explaining that the URL they want isn't there, if you don't want a true 404

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] strange php url
On Mon, April 24, 2006 8:10 am, Ahmed Saad wrote:

> On 4/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>
>> redirects to:
>> http://www.example.com/index.php?action=edit&type=customer&id=1234&adminaccess=1
>
> and you put admin access flags (read, determine roles) in URL parameters?

Hopefully that's just a REQUEST to have admin access, not a form of authentication...

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] strange php url
Not sure about php.net specifically, but two things to note here:

If you leave off a filename at the end of the URL, the web server will look for a 'default' document. On apache and unix systems I believe the default is index.html and on IIS systems it's something like Default.htm. Most of the time there are other options like you might add an index.php if your site uses PHP.

The other thing that could happen is they could be using something like the Apache mod_rewrite (some info at http://www.modrewrite.com/ among others) which can dynamically change the requested URL to a more standard URL before sending back to the user.

Something like this:
http://www.testserver.com/tgryffyn/homepage/middlesection

Could be turned into something like:
http://www.testserver.com/userpage.php?user=tgryffyn&page=home#middleanchor

But to the user requesting the page, it'll always look like the first URL.

Forgive me if I got any syntax or capability of mod_rewrite wrong, never used it myself just know that's the general sort of thing that it does.

You might be getting a 404 on using ../manual because they're using mod_rewrite and it didn't know how to deal with ../manual because manual isn't part of a path but actually part of the rewrite rules. and the ../ part of it didn't fit into those rules or got translated to a non-existent page

This:
http://www.php.net/manual/en/function.checkdnsrr.php/manual/

Might become something like (ignoring everything after the function reference):
http://www.php.net/manual.php?l=en&function=checkdnsrr

I'm not sure why you'd get a 404 by changing the second 'manual' to '../manual' but could have something to do with rewrite rules or something.

Just some thoughts.

-TG

= = = Original message = = =

Hi, could anyone tell me why the following url doesn't generate a page not found ?
http://www.php.net/manual/en/function.checkdnsrr.php/manual/
you can try with a longer url after the last .php.
I tried with ../manual instead of manual and this produces a 404.

I checked with www.php.net because my own site does the same and I wanted to be sure it didn't come from my config.

thanks

Nicolas Figaro

___
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.
Re: [PHP] strange php url
>> Hi, could anyone tell me why the following url doesn't generate a page not found ?
>> http://www.php.net/manual/en/function.checkdnsrr.php/manual/
>> you can try with a longer url after the last .php.
>> I tried with ../manual instead of manual and this produces a 404.
>>
>> I checked with www.php.net because my own site does the same and I wanted to be sure it didn't come from my config.
>>
>> thanks
>>
>> Nicolas Figaro

[EMAIL PROTECTED] wrote:

> The other thing that could happen is they could be using something like the Apache mod_rewrite (some info at http://www.modrewrite.com/ among others) which can dynamically change the requested URL to a more standard URL before sending back to the user.
>
> Something like this:
> http://www.testserver.com/tgryffyn/homepage/middlesection
>
> Could be turned into something like:
> http://www.testserver.com/userpage.php?user=tgryffyn&page=home#middleanchor
>
> But to the user requesting the page, it'll always look like the first URL.
>
> Forgive me if I got any syntax or capability of mod_rewrite wrong, never used it myself just know that's the general sort of thing that it does.

Pretty good thoughts, there. Some years ago, Tim Perdue (of PHPBuilder and SourceForge fame) had a popular article on Search Engine Friendly URL's (or some such), in which he described use of the Apache ForceLocal directive to make a site just One Big Script, parsing the slashed portions of the query string as variables (instead of GET, a la ?section=man&term=foo) so that the browser appears to be accessing documents in subfolders, but it's really just telling the server to grab a page with certain values defined in the URI.

It sure looks like a possibility of this or similar magic in this case. Of course, I could be way off my tree...

Kevin Kinsey

--
Byte your tongue.
Re: [PHP] strange php url
I believe Kevin is on the right track there. To expand a bit, you can use $_SERVER['PATH_INFO'] with these urls instead of $_GET to make use of the data it contains

example for url http://www.example.com/index.php/foo/bar

    <?php echo $_SERVER['PATH_INFO']; ?>

produces:

    /foo/bar

You can then parse this string, (generally by using the '/' character as a delimiter) and extract the data. MediaWiki even provides information (can't think of where at the moment) on how to use Apache's mod_rewrite to hide index.php thus making the url even cleaner: http://www.example.com/foo/bar

Cheers!
- Joe

On 4/21/06, Kevin Kinsey [EMAIL PROTECTED] wrote:

>>> Hi, could anyone tell me why the following url doesn't generate a page not found ?
>>> http://www.php.net/manual/en/function.checkdnsrr.php/manual/
>>> you can try with a longer url after the last .php.
>>> I tried with ../manual instead of manual and this produces a 404.
>>>
>>> I checked with www.php.net because my own site does the same and I wanted to be sure it didn't come from my config.
>>>
>>> thanks
>>>
>>> Nicolas Figaro
>
> [EMAIL PROTECTED] wrote:
>
>> The other thing that could happen is they could be using something like the Apache mod_rewrite (some info at http://www.modrewrite.com/ among others) which can dynamically change the requested URL to a more standard URL before sending back to the user.
>>
>> Something like this:
>> http://www.testserver.com/tgryffyn/homepage/middlesection
>>
>> Could be turned into something like:
>> http://www.testserver.com/userpage.php?user=tgryffyn&page=home#middleanchor
>>
>> But to the user requesting the page, it'll always look like the first URL.
>>
>> Forgive me if I got any syntax or capability of mod_rewrite wrong, never used it myself just know that's the general sort of thing that it does.
>
> Pretty good thoughts, there. Some years ago, Tim Perdue (of PHPBuilder and SourceForge fame) had a popular article on Search Engine Friendly URL's (or some such), in which he described use of the Apache ForceLocal directive to make a site just One Big Script, parsing the slashed portions of the query string as variables (instead of GET, a la ?section=man&term=foo) so that the browser appears to be accessing documents in subfolders, but it's really just telling the server to grab a page with certain values defined in the URI.
>
> It sure looks like a possibility of this or similar magic in this case. Of course, I could be way off my tree...
>
> Kevin Kinsey
>
> --
> Byte your tongue.
Re: [PHP] strange php url
You could do that... a poor man's mod_rewrite might involve something like this and making the main PHP parsing script your 404 page.. so no matter where you went on a page, the 404 redirect to your PHP script would parse the request (or would you get the post-redirected URL? in which case you'd have to get the 'referrer' maybe? not sure..).

Sounds like it could have some security issues though..giving too much power to the user and what they enter in the URL being used as variable data.. definitely would want to scrub that input hard.

-TG

= = = Original message = = =

I believe Kevin is on the right track there. To expand a bit, you can use $_SERVER['PATH_INFO'] with these urls instead of $_GET to make use of the data it contains

example for url http://www.example.com/index.php/foo/bar

    <?php echo $_SERVER['PATH_INFO']; ?>

produces:

    /foo/bar

You can then parse this string, (generally by using the '/' character as a delimiter) and extract the data. MediaWiki even provides information (can't think of where at the moment) on how to use Apache's mod_rewrite to hide index.php thus making the url even cleaner: http://www.example.com/foo/bar

Cheers!
- Joe
Re: [PHP] strange php url
No arguments here ;-). For what it's worth, I've used this technique just to simply clean up the url's a bit. With that in mind, I usually don't need to do a terrible amount of scrubbing because I'm using the variables in the url more for navigation. So http://www.example.com/index.php/edit/customer/1234 simply tells my script to display a form that will allow the user to edit customer 1234, if the first sections of $_SERVER['PATH_INFO'] isn't exactly what I'm expecting then I move on to whatever the default action is (except of course for the customer id at the end).

Really this isn't any different than http://www.example.com/index.php?action=edit&type=customer&id=1234 in terms of security. If I'm wrong someone please let me know as I do use this technique quite a bit.

- Joe

On 4/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> You could do that... a poor man's mod_rewrite might involve something like this and making the main PHP parsing script your 404 page.. so no matter where you went on a page, the 404 redirect to your PHP script would parse the request (or would you get the post-redirected URL? in which case you'd have to get the 'referrer' maybe? not sure..).
>
> Sounds like it could have some security issues though..giving too much power to the user and what they enter in the URL being used as variable data.. definitely would want to scrub that input hard.
>
> -TG
>
> = = = Original message = = =
>
> I believe Kevin is on the right track there. To expand a bit, you can use $_SERVER['PATH_INFO'] with these urls instead of $_GET to make use of the data it contains
>
> example for url http://www.example.com/index.php/foo/bar
>
>     <?php echo $_SERVER['PATH_INFO']; ?>
>
> produces:
>
>     /foo/bar
>
> You can then parse this string, (generally by using the '/' character as a delimiter) and extract the data. MediaWiki even provides information (can't think of where at the moment) on how to use Apache's mod_rewrite to hide index.php thus making the url even cleaner: http://www.example.com/foo/bar
>
> Cheers!
> - Joe
Re: [PHP] strange php url
All depends on how the data is used after it's interpreted/split:

http://www.example.com/index.php/edit/customer/1234

    $action = "edit";
    $type = "customer";
    $id = "1234";

    header("Location: http://www.example.com/index.php?action=$action&type=$type&id=$id");

In this case, what happens if someone does:

http://www.example.com/index.php/edit/customer/1234&adminaccess=1

    $action = "edit";
    $type = "customer";
    $id = "1234&adminaccess=1";

    header("Location: http://www.example.com/index.php?action=$action&type=$type&id=$id");

redirects to:
http://www.example.com/index.php?action=edit&type=customer&id=1234&adminaccess=1

Or if that data was used in a SQL query, you could open yourself up to a SQL injection attack... basically all the kind of concerns you have when handling user input in general, but you have to ask yourself What could someone do if they manually entered a URL instead of just clicking on a link that we generated... what other data is passed via $_GET vars or other data that's affected by the pre-rewrite URL).

Maybe your stuff is ok... maybe the worst that happens is it looks for an id of 1234&adminaccess=1 and doesn't find it.

Security tends to involve dealing with what we know is a security risk... while hacking (the illegal kind) is only limited by the imagination and skill of the hacker. So good security relies on as much imagination and creativity as you can conjure up and hopefully it's more than the hacker trying to poke at your system. :)

In other words, ALWAYS think of the worst-case scenario when thinking about security... isolate, restrict and scrub your input vigorously..hah

-TG

And you split on the forward slash.. you might get:

= = = Original message = = =

No arguments here ;-). For what it's worth, I've used this technique just to simply clean up the url's a bit. With that in mind, I usually don't need to do a terrible amount of scrubbing because I'm using the variables in the url more for navigation. So http://www.example.com/index.php/edit/customer/1234 simply tells my script to display a form that will allow the user to edit customer 1234, if the first sections of $_SERVER['PATH_INFO'] isn't exactly what I'm expecting then I move on to whatever the default action is (except of course for the customer id at the end).

Really this isn't any different than http://www.example.com/index.php?action=edit&type=customer&id=1234 in terms of security. If I'm wrong someone please let me know as I do use this technique quite a bit.

- Joe
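An added example, not code from any poster in this thread: one way to parse PATH_INFO for the /action/type/id scheme discussed in the message above, so that a segment such as 1234&adminaccess=1 is rejected with a 404 instead of being copied into the redirect. The function names, the allow-lists and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example; ALLOWED_ACTIONS, ALLOWED_TYPES, parse_path_info() and
// build_redirect() are hypothetical names, not code from the thread.

const ALLOWED_ACTIONS = ['edit', 'view'];
const ALLOWED_TYPES   = ['customer'];

/**
 * Accept PATH_INFO only when it is exactly /<action>/<type>/<digits>.
 * Returns the parsed route, or null when the request should get a 404.
 */
function parse_path_info(string $pathInfo): ?array
{
    // "/edit/customer/1234" -> ["edit", "customer", "1234"]
    $parts = explode('/', trim($pathInfo, '/'));
    if (count($parts) !== 3) {
        return null;                       // too few or too many segments
    }
    [$action, $type, $id] = $parts;

    // Strict allow-lists: anything not named here is rejected, not "cleaned".
    if (!in_array($action, ALLOWED_ACTIONS, true)
        || !in_array($type, ALLOWED_TYPES, true)) {
        return null;
    }
    // The id must be 1 to 9 decimal digits, so "1234&adminaccess=1" fails here.
    if (!ctype_digit($id) || strlen($id) > 9) {
        return null;
    }
    return ['action' => $action, 'type' => $type, 'id' => (int) $id];
}

/** Build the redirect target; http_build_query() encodes every value. */
function build_redirect(array $route): string
{
    return 'http://www.example.com/index.php?' . http_build_query($route, '', '&');
}

// In a web request you would use:
//   $route = parse_path_info($_SERVER['PATH_INFO'] ?? '');
//   if ($route === null) { http_response_code(404); exit; }
//   header('Location: ' . build_redirect($route)); exit;

// Constructed sample inputs, run from the command line for illustration.
$samples = [
    '/edit/customer/1234',
    '/edit/customer/1234&adminaccess=1',   // the case raised in the thread
    '/edit/customer/1234/extra',
    '/delete/customer/1234',               // action not on the allow-list
];
foreach ($samples as $pathInfo) {
    $route = parse_path_info($pathInfo);
    echo str_pad($pathInfo, 36), ' => ',
         $route === null ? '404 Not Found' : build_redirect($route), "\n";
}
```

Validation here decides only what the URL may name; whether the current user is allowed to edit that customer still has to be checked against the session on the server, which is the concern raised about the adminaccess parameter.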
Re: [PHP] strange php url
On Fri, April 21, 2006 10:04 am, nicolas figaro wrote:

> could anyone tell me why the following url doesn't generate a page not found ?
> http://www.php.net/manual/en/function.checkdnsrr.php/manual/
> you can try with a longer url after the last .php.
> I tried with ../manual instead of manual and this produces a 404.
>
> I checked with www.php.net because my own site does the same and I wanted to be sure it didn't come from my config.

Because it is incredibly USEFUL to have extra information in the URL after the actual script that does the work.

Because that URL does, in fact, point to a valid document.

Because the /manual part is just passed in to the 'function.checkdnsrr.php' script.

Actually, that last statement is quite possibly a lie.

It's quite possible that what YOU think of as the 'function.checkdnsrr.php' page is actually a script named 'manual'

And that the script named 'manual' looks for things like '/en' and '/function.checkdnsrr.php' in order to determine what page to serve up.

You could read the php.net source to find out for sure, by clicking on the link in the bottom right corner of the PHP website.

To try this out on your own server, do this:

1. Create a file called 'myscript.php'
2. Put this in it:
       <?php echo $_SERVER['PATH_INFO']; ?>
3. Surf to these two URLs:
   http://yoursite.com/myscript.php/foo
   http://yoursite.com/myscript.php/bar

There are all sorts of uses for this kind of thing, and you'll end up hearing me rant more about some of them if you stick around :-)

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] strange php url
On Fri, April 21, 2006 1:11 pm, [EMAIL PROTECTED] wrote:

> You could do that... a poor man's mod_rewrite might involve something like this and making the main PHP parsing script your 404 page.. so no matter where you went on a page, the 404 redirect to your PHP script would parse the request (or would you get the post-redirected URL? in which case you'd have to get the 'referrer' maybe? not sure..).

Actually, I consider it a vastly superior solution to mod_rewrite for several reasons:

#1. Don't have to restart Apache just to add some new wrinkle. [When your mod_rewrite rules are in httpd.conf and not .htaccess]
#2. Works on all servers, including shared servers where mod_rewrite and/or .htaccess is turned completely off for performance.
#3. Screwing up a rule doesn't take down your whole site, or everything below the directory of your .htaccess -- You only screw up one page where you are messing with the rules of the translation.
#4. About 100 X simpler to understand than mod_rewrite regular expression syntax and all that L/R business I never did figure out, really.
#5. It's PHP. :-)
#6. Can log specific data about interesting rules, not a monolithic and sometimes quite expensive logging for debugging.

> Sounds like it could have some security issues though..giving too much power to the user and what they enter in the URL being used as variable data.. definitely would want to scrub that input hard.

You would scrub it EXACTLY the same way you scrub GET data, POST data, and COOKIE data.

You are literally just translating the search not-so-friendly:
script.php?x=5&y=7
into the very search friendly:
script.php/x=5/y=7

Also note that for rich media such as PDF and FDF, some versions of IE will simply choke on:
http://example.com/test.pdf?whatdate=7-1-2006

But they're quite happy with:
http://example.com/test/whatdate=7-1-2006/whatever.pdf

In fact, there is NO WAY the browser can tell that it's not retrieving a plain ol' PDF just by looking at the URL.

And that's a very good thing because browsers suck at dynamic rich media such as images, PDF, etc

--
Like Music?
http://l-i-e.com/artists.htm