-1

I know this answer is most answered, but I can't find the solution for me. I have written an .htaccess file for URL rewriting. I have some pages with GET URLs, like:

example.com/home.php?page=profile

example.com/home.php?page=forum

example.com/home.php?page=product&id=1

I need to redirect from example.com/home.php?page=forum to example.com/home/forum

So, this is the htaccess

```apache
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
RewriteRule ^/home/([A-Za-z0-9-]+)/?$ home.php?page=$1 [L,R=301]


SecFilterEngine Off

<Files .htaccess>
order allow,deny
deny from all
</Files>

Options All -Indexes
```

When I type in the URL: example.com/home/forum, I've been redirected to example.com/home.php?page=forum so, the reverse function. What am I doing wrong?

fmineo
  • What is happening instead of working correctly? I notice you have a leading `/` on `/home`, but in .htaccess context, the `/` won't be matched. The URI from that perspective is just `home/profile` rather than `/home/profile`. – Michael Berkowski Mar 09 '15 at 13:23
  • Now it works in reverse: if I go to example.com/home/profile it redirects me to example.com?page=profile. I need the reverse function – fmineo Mar 09 '15 at 13:28
  • Please edit your question then to show exactly the input URL a browser sends, the URL Apache processes internally, and the output URL that ultimately appears in the browser address bar. – Michael Berkowski Mar 09 '15 at 13:30

2 Answers

1

I am not in the least experienced with mod_rewrite, and regularly have a hard time with every part of server configuration, so I cheat where it's possible. Therefore I used the following superb web-based rewrite tool: Mod Rewrite Generator

```apache
RewriteRule ^home/([^/]*)$ /home.php?page=$1
```

I interpret the generated pattern like this: Search for something after the protocol/domain part that resembles the word home followed by a slash followed by everything except a second slash (so /home/forum/1 won't be recognized). Replace it with the /home.php?page=forum where $1 is a back-reference to the capturing group "everything but slash". You have to fiddle around to suit it to your needs.

If you want your second use case (additional id parameter) covered, add another rule:

```apache
RewriteRule ^home/(.*)/(.*)$ /home.php?page=$1&id=$2
```

I think we all have to dig a little deeper. If you google it, many sources will tell you of the importance, when deciding between R=301 and 302, as your choice will have an impact on the google web crawlers. You can find a compact intro/guide right here: Hidden features of mod_rewrite. Because of that guide I removed [L,R=301].

I don't expect any upvotes from you, as I feel the answer isn't complete and the code is too simplistic for your needs. In addition I used an external tool.


Edit (by Drew):

Caution should be taken in passing parameters of any sensitive data as described by this Troy Hunt article and an image in it seen below:

enter image description here

Even with SSL activated, parameters are visible throughout the server hop to the destination server. As opposed to HTTP POST data.

Community
JackLeEmmerdeur
  • Thanks for sharing the online reference. Be careful not to ever use for sensitive parameter passing such as credentials. Or frankly anything sent in the clear you wish wasn't. If you would like a reference as to why, I can pass along the url. – Drew Dec 17 '15 at 00:07
  • @Drew: Actually no need to be thankful, since I didn't write the guide (but I'd be happy if I knew that much of the arcanum of mod_rewrite). Sure, post some reference, to clarify your hint to the parameter passing. ATM I use hiawatha (it is relatively hardened for security), but I will sure use apache from time to time. – JackLeEmmerdeur Dec 17 '15 at 01:25
  • @Drew: No prob. Take your time. We still don't know if my proposal worked with this question. I remember I tested it locally and it did. But it could be another problem with the configuration. – JackLeEmmerdeur Dec 17 '15 at 01:35
  • I edited your Answer around the time you posted that. Plus, I am talking to the generality of the concept, versus making a particular op happy with the answer. It is for hundreds of more eyes that follow that I generally think about – Drew Dec 17 '15 at 01:40
  • Ty for editing. An exciting and insightful read. Nomen est omen for the Mr. Hunt. The most relevant parts of his report, related to this question are, I guess: 1. You generally should not pass delicate user info via GET-Parameters and 2. A URL-Rewrite won't hide the GET-Parameters anywhere. Additional lessons: 1. Passwords should be saved and passed in hashed form. Login Forms should in no way reveal if a failed attempt to log in was because of a wrong username/email. Sorry for the scammed users. – JackLeEmmerdeur Dec 17 '15 at 02:28
  • I am not sure about the "sensitive info should be sent by hash". Rather, send nothing useful for [man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) *MITM* via url parameters, and send the payload via SSL/TLS. As for MITM, I do not mean that in normal crypto terminology. Rather, once the credentials are acquired, there is no *middle* anymore. They are free to just penetrate as their own end-point – Drew Dec 17 '15 at 02:34
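
The point made in this answer's edit and comments, that parameters placed in a URL remain visible in places POST data does not reach, can be checked on the server side. The following is an added example, not part of the original answer or comments: a scan of Apache "combined" access-log lines for sensitive parameter names in the request URL and the Referer field. The `SENSITIVE` name list and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed list of parameter names worth flagging; adjust per application.
SENSITIVE = {"password", "passwd", "token", "session", "apikey", "secret"}

# Apache "combined" format: the request line and the Referer are quoted fields.
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def sensitive_params(url):
    """Return the sorted sensitive parameter names found in a URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name.lower() for name, _ in pairs} & SENSITIVE)

def scan(log_lines):
    """Return (line_no, field, names) for every logged URL carrying a sensitive name."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        match = LINE.search(line)
        if not match:
            continue  # not a combined-format line
        for field in ("url", "referer"):
            names = sensitive_params(match.group(field))
            if names:
                findings.append((line_no, field, names))
    return findings

# Constructed sample lines (documentation IP range, made-up values).
SAMPLE = [
    '203.0.113.5 - - [17/Dec/2015:00:07:00 +0000] "GET /home/forum HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Dec/2015:00:07:09 +0000] '
    '"GET /home.php?page=login&password=hunter2 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Dec/2015:00:08:30 +0000] "GET /home/product HTTP/1.1" '
    '200 901 "https://www.example.com/home.php?page=reset&token=abc123" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A value that a rewrite rule moves from the query string into a path segment is still written to the same log fields, but a name-based scan like this one will not match it.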
0

Insert these 2 rules below www removal:

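```apache
# External redirect: match only the browser's original request line (THE_REQUEST),
# so the internal rewrite below cannot trigger this rule again.
RewriteCond %{THE_REQUEST} \s/+home\.php\?page=([^\s&]+) [NC]
RewriteRule ^ /home/%1? [R=302,L,NE]

# Internal rewrite: serve the pretty URL from home.php without changing the address bar.
RewriteRule ^home/([A-Za-z0-9-]+)/?$ home.php?page=$1 [L,QSA]
```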

Also keep Options as:

```apache
Options +FollowSymLinks -MultiViews
```
anubhava
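
Why the redirect rule in this answer tests `%{THE_REQUEST}` rather than the current URL: the following simplified Python model is an added example, not part of the original answer and not Apache's own code. It models how per-directory rules are run again after an internal rewrite; the function names and the `use_the_request` switch are assumptions made for illustration.

```python
import re

PRETTY = re.compile(r"^home/([A-Za-z0-9-]+)/?$")               # per-directory: no leading "/"
RAW_OLD = re.compile(r"\s/+home\.php\?page=([^\s&]+)", re.I)   # tested on THE_REQUEST
CUR_OLD = re.compile(r"(?:^|&)page=([^&]+)")                   # tested on the current query

def one_request(url, use_the_request):
    """Process one browser request; return ("redirect", url) or ("serve", target)."""
    request_line = f"GET {url} HTTP/1.1"   # THE_REQUEST never changes during rewrites
    path, _, query = url.lstrip("/").partition("?")
    for _ in range(10):                     # rules are re-run after each internal rewrite
        if use_the_request:
            m = RAW_OLD.search(request_line)
        else:                               # naive variant: test the rewritten URL
            m = CUR_OLD.search(query) if path == "home.php" else None
        if m:
            return ("redirect", "/home/" + m.group(1))
        m = PRETTY.match(path)
        if not m:
            return ("serve", path + ("?" + query if query else ""))
        # Internal rewrite (no R flag); QSA appends the original query string.
        query = "page=" + m.group(1) + ("&" + query if query else "")
        path = "home.php"
    raise RuntimeError("internal rewrite limit reached")

def browse(url, use_the_request, max_hops=5):
    """Follow redirects like a browser; final target is None if it never settles."""
    hops = []
    for _ in range(max_hops):
        action, target = one_request(url, use_the_request)
        if action == "serve":
            return hops, target
        hops.append(target)
        url = target
    return hops, None

if __name__ == "__main__":
    print(browse("/home.php?page=forum", True))   # one redirect, then served
    print(browse("/home/forum", False))           # naive variant loops
```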