
This is my code for test.php


    <?php
    // connect.php is expected to create the mysqli connection $db_mysqli
    include("connect.php");
    // escape the value taken from the query string, then print it back
    $id_val = mysqli_real_escape_string($db_mysqli, $_GET['id_val']);
    echo $id_val;
    ?>

This is my mod rewrite code (.htaccess)

    RewriteEngine on
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI}.php -f
    RewriteRule ^(.*)$ $1.php [L]
    RewriteRule ^test/([^-]*)$ /test.php?id_val=$1 [L]
    DirectoryIndex index.php

When I tried to access

www.example.com/test/8-pi7Tvu66

It's not working. (It gets redirected to index.php and doesn't echo anything.)

But when I tried to access

www.example.com/test.php?id_val=8-pi7Tvu66

It works fine. (It echoes 8-pi7Tvu66.)

How can I make it work with the mod_rewrite URL?

www.example.com/test/8-pi7Tvu66

...

Remark: I also tried testing with an id_val that does not contain (-)

e.g.:
    www.example.com/test/8pi7Tvu66

And it works fine. (It echoes 8pi7Tvu66.)

mamiw
  • Don't rely on `mysqli_real_escape_string()` to prevent SQL injection, [it alone is not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Oct 30 '17 at 14:51
  • I use `mysqli_real_escape_string` and `mysqli`; can it not protect me from SQL injection? – mamiw Oct 30 '17 at 14:56
  • @mamiw It is not that it cannot protect you, it is that using `mysqli_real_escape...` is more difficult to "get correct". The generally accepted and easier/better method uses prepared statements. See @AlexHowansky's links. – hunteke Oct 30 '17 at 15:12

1 Answer


Your RewriteRule has the following regex:

^test/([^-]*)$

which explicitly matches everything except a dash. You can change it to

^test/(.*)$

if you want it to match all characters.

iainn
  • So is using `^test/(.+)$` better than `^test/([^-]*)$`? – mamiw Oct 30 '17 at 14:55
  • If your issue is that `-` isn't working, then yes. This will add that character to the accepted list (since currently it's the only one that won't work). – iainn Oct 30 '17 at 14:56
  • When I use ^test/(.+)$, will all signs work in my code? `EG: _ + -`? – mamiw Oct 30 '17 at 14:59
  • Yes, `(.+)` matches **everything** – iainn Oct 30 '17 at 15:00
  • And will it make my site vulnerable to hacking? – mamiw Oct 30 '17 at 15:03
  • I'm not sure why you're concerned about hacking. The only difference between the two expressions in my answer is that `-` will work in the second one - everything else is already valid in the first one. This answers your question. – iainn Oct 30 '17 at 15:04
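The answer above loosens the rewrite regex to `(.*)`, and the comments on the question point out that `mysqli_real_escape_string()` is not the right tool for preventing SQL injection. The following is an added example, not code from the question or the answer, showing how test.php can accept a permissive rewrite rule and still stay safe: it validates the shape of `id_val` itself and binds it as a prepared-statement parameter. It assumes that connect.php creates the mysqli connection `$db_mysqli` (as in the question) and that a hypothetical table `items` with columns `id_val` and `name` exists.

```php
<?php
// Added example (not from the question or the answer): test.php hardened so the
// rewrite rule can stay permissive (^test/(.*)$) while the script itself decides
// which id_val values are acceptable and queries the database safely.
// Assumptions: connect.php defines $db_mysqli (a mysqli connection) and a
// hypothetical table `items` has columns `id_val` and `name`.
include("connect.php");

// 1. Validate the shape of the id before using it. The sample value in the
//    question, "8-pi7Tvu66", is letters, digits and a dash, so allow exactly
//    that character set, with a length cap, and reject everything else.
$id_val = $_GET['id_val'] ?? '';
if (!preg_match('/^[A-Za-z0-9-]{1,32}$/', $id_val)) {
    http_response_code(400);
    exit('invalid id');
}

// 2. Never splice the value into the SQL text, escaped or not. Bind it as a
//    parameter so the driver sends it separately from the query.
$stmt = $db_mysqli->prepare('SELECT name FROM items WHERE id_val = ?');
if ($stmt === false) {
    http_response_code(500);
    exit('query error');
}
$stmt->bind_param('s', $id_val);
$stmt->execute();
$stmt->bind_result($name);

// 3. Escape on output, not on input: this value is being written into HTML,
//    so HTML escaping (not SQL escaping) is what applies here.
if ($stmt->fetch()) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} else {
    http_response_code(404);
    echo 'not found';
}
$stmt->close();
```

With this in place the character class in the rewrite rule no longer carries any security weight; it only needs to capture the path segment, and the script enforces the real rule.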