Filtering / Dispatch for PHP?

on 12.04.2008 21:52:52 by Mark Space

Hey all,

I'm having a bear of a time locating any information on how PHP might
handle URL filtering and dispatching.

For example, let's say I have a web site where I have one main PHP
script that examines all URLs and sends the request to an appropriate
other script to handle.

www.example.com/this/is/a/long/url

I want all paths at example.com to be handled by one PHP script. That
script should receive the request above, and any other. Then that
script looks at the path information, and decides that long_url_path.php
is the script to handle it, and dispatches (or just calls)
long_url_path.php.

Note I want a server side dispatch, not client side redirect. I don't
want to use HTTP status 300's please.

Buried in my question are concerns about security. How do I stop users
from calling scripts directly when they should have no access to that
script? I'd like to hide the path information, as well as prevent them
from ever even guessing the path (by typing random strings in the path
portion of the URL for example, i.e. a brute force attack).

Any pointers? I'll take an "RTFM" if it's accompanied by a link to the
appropriate section of the FM. ;)

Re: Filtering / Dispatch for PHP?

on 12.04.2008 22:12:51 by piotr

Mark Space wrote:
> Hey all,
>
> I'm having a bear of a time locating any information on how PHP might
> handle URL filtering and dispatching.
>
> For example, let's say I have a web site where I have one main PHP
> script that examines all URLs and sends the request to an appropriate
> other script to handle.
>
> www.example.com/this/is/a/long/url
>
> I want all paths at example.com to be handled by one PHP script. That
> script should receive the request above, and any other. Then that
> script looks at the path information, and decides that long_url_path.php
> is the script to handle it, and dispatches (or just calls)
> long_url_path.php.
>
> Note I want a server side dispatch, not client side redirect. I don't
> want to use HTTP status 300's please.
>
> Buried in my question are concerns about security. How do I stop users
> from calling scripts directly when they should have no access to that
> script? I'd like to hide the path information, as well as prevent them
> from ever even guessing the path (by typing random strings in the path
> portion of the URL for example, i.e. a brute force attack).
>
> Any pointers? I'll take an "RTFM" if it's accompanied by a link to the
> appropriate section of the FM. ;)

There is no such feature in PHP alone, you need to force your webserver
to do that, if you use Apache, the right way is to use mod_rewrite and
.htaccess files.

FM:
http://httpd.apache.org/docs/2.0/howto/htaccess.html

short version:
.htaccess file contents
RewriteEngine on
RewriteRule !\.(js|ico|gif|jpg|png|css)$ index.php

best regards
Piotr Nastaly
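
Added example, not part of the original thread and not Piotr's code: a minimal index.php front controller that the RewriteRule above could hand every request to, dispatching server-side through a fixed allowlist. It assumes PHP 7.1 or later and that the handler scripts sit in a directory outside the document root; HANDLER_DIR, ROUTES, home.php and the function names are hypothetical.

```php
<?php
// index.php: the single entry point reached through the rewrite rule.
// Assumption: handlers live outside the document root, so no URL maps
// to them directly. Directory and route names here are hypothetical.
const HANDLER_DIR = __DIR__ . '/../handlers';

// Fixed allowlist: request path => handler file. The request only selects
// a key; user input is never concatenated into a filesystem path.
const ROUTES = [
    '/'                   => 'home.php',
    '/this/is/a/long/url' => 'long_url_path.php',
];

function resolve_handler(string $requestUri): ?string
{
    // Drop the query string; parse_url() may return null or false.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    // Decode percent-encoding once, collapse repeated slashes,
    // and ignore a trailing slash before the lookup.
    $path = rawurldecode($path);
    $path = '/' . trim((string) preg_replace('#/+#', '/', $path), '/');

    return ROUTES[$path] ?? null;
}

function dispatch(string $requestUri): void
{
    $handler = resolve_handler($requestUri);
    $file = $handler === null ? false : realpath(HANDLER_DIR . '/' . $handler);
    if ($file === false) {
        // Same response for every unknown path, so guessed names
        // reveal nothing about which handler files exist.
        http_response_code(404);
        echo 'Not found';
        return;
    }
    require $file; // server-side dispatch, no HTTP redirect
}

if (PHP_SAPI !== 'cli') {
    dispatch($_SERVER['REQUEST_URI'] ?? '/');
}
```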

Re: Filtering / Dispatch for PHP?

on 13.04.2008 00:10:39 by Mark Space

Piotr wrote:

> There is no such feature in PHP alone, you need to force your webserver
> to do that, if you use Apache, the right way is to use mod_rewrite and
> .htaccess files.
>
> FM:
> http://httpd.apache.org/docs/2.0/howto/htaccess.html


Succinctly answered. Thank you!

Re: Filtering / Dispatch for PHP?

on 13.04.2008 12:09:06 by piotr

Mark Space wrote:
> Piotr wrote:
>
>> There is no such feature in PHP alone, you need to force your webserver
>> to do that, if you use Apache, the right way is to use mod_rewrite and
>> .htaccess files.
>>
>> FM:
>> http://httpd.apache.org/docs/2.0/howto/htaccess.html
>
>
> Succinctly answered. Thank you!
On second thought, I think I gave you a bad link:
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html

but you seem to be smart enough to find it yourself by this time

best regards
Piotr Nastaly

Re: Filtering / Dispatch for PHP?

on 14.04.2008 07:43:33 by Mark Space

Piotr wrote:
> Mark Space wrote:
>> Piotr wrote:
>>
>>> There is no such feature in PHP alone, you need to force your webserver
>>> to do that, if you use Apache, the right way is to use mod_rewrite and
>>> .htaccess files.
>>>
>>> FM:
>>> http://httpd.apache.org/docs/2.0/howto/htaccess.html
>>
>> Succinctly answered. Thank you!
> On second thought, I think I gave you a bad link:
> http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
>
> but you seem to be smart enough to find it yourself by this time
>
> best regards
> Piotr Nastaly

Your first link was closer to what I really needed, but mod_rewrite is
interesting and useful too. I'm still learning how to deal with Apache
directly rather than through some sort of CMS. Thanks again.