Welcome Guest, Not a member yet? Register   Sign In
is there a security breach when using htaccess to rewrite index.php?

Hi guys,

Before I present the problem, below's an overview of what I am doing.

I am using a Powerbook G4 running on OS X 10.4.11 (non-server). I have just finished my first website that uses CodeIgniter a couple of days ago. I was able to run it on my machine, and was able to modify my machine's httpd.conf so that it allows the processing of the htaccess directive in my CodeIgniter directory. I can run the website locally without using index.php as part of the URL and it works fine for me.

The lines that I added to my httpd.conf are:
<Directory "/Users/myUserAccount/Sites/WebsiteDirectory">
    Options Indexes Includes FollowSymLinks MultiViews
    AllowOverride FileInfo
    Order allow,deny
    Allow from all

My htaccess file has the following lines:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /~myUserAccount/WebsiteDirectory/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]

<IfModule !mod_rewrite.c>
ErrorDocument 404 /index.php

Here's the problem. The web hosting company where the website is located are flaking out when I asked them to add those lines of codes to their httpd.conf file. They are saying they have to review the codes first since it might cause a security breach on their server.

I am not a server administrator so I do not really know everything about apache except for some codes that I use, and I definitely know nothing about security breaches relating to it. I wanted to ask this forum first if anyone knows or can point me to a definitive guide that says whether those codes will cause security breach to their server or to my WebsiteDirectory and its contents, or not.

I have already downloaded some manuals regarding Apache but it might take ages of reading before I get to the information I need so If anyone knows anything, please help.

I have to have the site up now because I am on a deadline and the problem now is not on my end, but on the web host, but I do think if I can show them that there's nothing to worry about, then they will add the following codes I requested.

Thank you for all the help. Smile

Truth be told - In 99% of cases, the host won't need to add those lines to the httpd.conf because AllowOverride is set to yes on most shared servers. Just upload your .htaccess file and see if it works. Chances are, it will.


thanks kevin,

they said that AllowOverride is set to ALL but my site still shows a 404 whenever i try accessing without the index.php file.

Make sure the Rewrite base is set correctly. If CI is in the root of your site, the rewritebase should be /

On some servers, you can comment (#) the rewritebase line.


fixed. i just flushed my cache and reuploaded the htaccess file. thanks. Smile

Theme © iAndrew 2016 - Forum software by © MyBB