The session "userdata" is always set to "Errors 404" ...
#11

[eluser]vitoco[/eluser]
I'll agree on the server load issue; the database inconsistency is only possible with poor security and validation of access and data. On the point of:
"And it’s less secure, because it allows direct access to all files and directories that exist in the docroot." Can you please be more specific? Because I use this kind of rewrite condition, and if it opens a hole in the server, I have to close it.
#12

[eluser]WanWizard[/eluser]
Most rewrite rules (and that includes the ones advocated here) follow the simple "if it's not a file, and it's not a directory, rewrite it to index.php" rule.

Which means that you can access ANY existing file in the docroot, so you have to be extremely careful with what can write where in that docroot. Uploading an image that isn't an image is enough to hack your way in. I had to fix a site once where a hacker used this loophole to install a crontab for the apache user, which in turn ran a process that threw the door wide open.

It also means you can't have a controller called 'system' (as http://website/system exists, and probably others as well) so it reduces flexibility.

By default, I exclude /assets, and rewrite every other request to index.php. If I need extra functionality, I write a specific exclude for it that only applies to that functionality. My default file looks like this:
Code:
<IfModule mod_rewrite.c>
    # ATTENTION: if this .htaccess doesn't work, check if rewrites
    # are allowed in httpd.conf. You need to specify:
    # <Directory "my-website-directory-here">
    #     Options +FollowSymLinks
    #     AllowOverride FileInfo
    # </Directory>
    # or have these options defined globally in your httpd.conf file
    # to allow a .htaccess with rewrite rules to work!

    # activate URL rewriting
    RewriteEngine On

    # if the application is installed in a sub-directory of the
    # document root, modify the path below accordingly
    RewriteBase /

    # nasty hack to capture URIs ruined by a mod_rewrite bug.
    #
    # You need these two lines when you use mod_vhost_alias, and this
    # .htaccess file generates a "500 internal server error".
    # In the rule below, replace --DOCROOT-- by your full docroot path,
    # without a leading slash, but with a trailing slash!
    # (i.e. 'path/to/my/docroot/', without quotes of course)
    #
#    RewriteCond $1 index\.php/$
#    RewriteRule ^--DOCROOT--(.*)$ /$1 [S=1]

    # do not rewrite links to development stuff (not needed when live!)
    RewriteCond $1 !^~dev

    # do not rewrite links to development docs (not needed when live!)
    RewriteCond $1 !^~docs

    # do not rewrite links to website assets
    RewriteCond $1 !^assets

    # do not rewrite for specific php files in the document root or robots.txt
    RewriteCond $1 !^(ajax\.php|robots\.txt)

    # but rewrite everything else
    RewriteRule ^(.*)$ index.php/$1 [L]
</IfModule>

<IfModule !mod_rewrite.c>
    # If we don't have mod_rewrite installed, all 404's
    # can be sent to index.php, and everything works as normal.
    # Submitted by: ElliotHaughin

    ErrorDocument 404 /index.php
</IfModule>
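
Added example, not part of the original thread or of CodeIgniter: a small Python model of the two rewrite policies discussed above, run over a constructed docroot listing, showing which requests are served straight from disk and which reach index.php. The file names and function names are assumptions, and the exclusion pattern is written as robots\.txt to match the file the comment names.

```python
import re

# Constructed docroot listing (assumption, not from the thread).
DOCROOT_FILES = {
    "index.php", "ajax.php", "robots.txt",
    "assets/css/site.css",
    "uploads/avatar.php",           # an upload that is not really an image
    "system/core/CodeIgniter.php",  # framework code living inside the docroot
    "assets_old/backup.sql",        # shares the "assets" prefix
}

def _parents(path):
    """Return every directory that contains the given relative path."""
    parts = path.split("/")[:-1]
    return {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}

DOCROOT_DIRS = set().union(*(_parents(f) for f in DOCROOT_FILES))
ON_DISK = DOCROOT_FILES | DOCROOT_DIRS

def exists_check_policy(path):
    """'Not a file and not a directory: rewrite to index.php' (as described)."""
    return "direct" if path in ON_DISK else "index.php"

# RewriteCond exclusions from the posted .htaccess, tested against $1
# (robots\.txt spelled to match the file the comment names).
EXCLUDES = [r"^~dev", r"^~docs", r"^assets", r"^(ajax\.php|robots\.txt)"]

def exclude_list_policy(path):
    """Everything goes to index.php unless an exclusion matches."""
    if any(re.search(rx, path) for rx in EXCLUDES):
        return "direct" if path in ON_DISK else "404"
    return "index.php"

def compare(requests):
    """Map each request path to (exists-check result, exclude-list result)."""
    return {r: (exists_check_policy(r), exclude_list_policy(r)) for r in requests}

if __name__ == "__main__":
    sample = sorted(DOCROOT_FILES - {"index.php"}) + ["system", "news/latest"]
    for path, (a, b) in compare(sample).items():
        print(f"{path:30} exists-check={a:10} exclude-list={b}")
```

Because `^assets` is a prefix match, `assets_old/backup.sql` is still served directly under the exclude list; writing the condition as `^assets/` confines it to that directory.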
#13

[eluser]vitoco[/eluser]
thanks a lot.