
Quick one:

I'm curious if anyone knows of certain circumstances under which $_SERVER['REQUEST_URI'] would contain a different value than $_GET['_uri'], given the following .htaccess for the latter:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ ?_uri=$1 [L,QSA]

I've been using the latter method $_GET['_uri'], and while I'm aware that mod_rewrite would still be necessary, I'd like to get away from storing the URI as a query parameter.


Well, I've found one I didn't notice before; when the application bootstrap to which mod_rewrite forwards is not in the root web directory, $_SERVER['REQUEST_URI'] contains the parent directories, whereas $_GET['_uri'] only contains the latter URI component. Example:

Bootstrap is /subdir/index.php
Requesting http://localhost/subdir/foo/bar/baz/

$_SERVER['REQUEST_URI']  "/subdir/foo/bar/baz/"
$_GET['_uri']            "foo/bar/baz/"

In order to replicate the result of $_GET['_uri'], I decided to use this:

<?php
// Directory of the front controller (e.g. "subdir/"), normalised to forward slashes;
// at the web root this yields just "/".
$prefix = trim(dirname(strtr($_SERVER['PHP_SELF'], '\\', '/')), '/') . '/';
// Note: REQUEST_URI still carries the query string ("?param=value"), it is not stripped here.
$uri = trim($_SERVER['REQUEST_URI'], '/') . '/';
// Strip the directory prefix so $uri matches what the rewrite rule passes as _uri
// (strict comparison avoids PHP's loose numeric-string equality).
if (substr($uri, 0, strlen($prefix)) === $prefix) {
    $uri = substr($uri, strlen($prefix));
}

But I've not used $_SERVER['PHP_SELF'] often in the past, and now have read that it carries certain vulnerabilities and/or inconsistencies with its use.

Dan Lugg
1 Answer

http://example.com/meow?param=value&_uri=hihihi
  • Expected $_GET['_uri'] result: meow
  • Actual result: hihihi
  • $_SERVER['REQUEST_URI'] value: /meow?param=value&_uri=hihihi
  • $_SERVER['REDIRECT_URL'] value: /meow

All because of the [QSA] flag.

Use $_SERVER['REQUEST_URI'] and/or $_SERVER['REDIRECT_URL'] instead.

The above is for Apache. On IIS 7.x it may be a bit different.

hakre
LazyOne
  • Thanks @LazyOne - This is why I'm moving away from it; I need `QSA` for other reasons, namely being able to override other application query parameters (*request type `api`/`web` for instance*). However, do you know of any other issues like the one mentioned in my edit? – Dan Lugg Jul 06 '11 at 00:03
  • @TomcatExodus Those are the only 2 that I'm aware of. I usually have to worry about the one that I have mentioned, as I simply keep ALL rewrite rules in a single place -- either inside `<VirtualHost>` or .htaccess in a root folder. – LazyOne Jul 06 '11 at 00:13
  • Awesome, thanks @LazyOne - I'll let the question sit for awhile, but I can't seem to find any other issues either. I'll mark accepted after I give others a chance to chime in. – Dan Lugg Jul 06 '11 at 00:21
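One way to derive the route from the request line rather than from `_uri`, so the query-string override shown in the answer has no effect and the subdirectory prefix from the question is still removed. This is an added example, not code from the question or the answer; it assumes `$_SERVER['SCRIPT_NAME']` names the front controller (e.g. `/subdir/index.php`) and that the `[QSA]` rule from the question is in place.

```php
<?php
// Added example, not code from the question or answer. It derives the route
// from $_SERVER['REQUEST_URI'] and $_SERVER['SCRIPT_NAME'] (assumed to name the
// front controller, e.g. "/subdir/index.php"), so a client-supplied "_uri="
// query parameter that [QSA] carries into $_GET cannot override the route.

function routeFromRequestUri(array $server): string
{
    // REQUEST_URI still carries "?param=value&_uri=...": drop the query string.
    $path = parse_url($server['REQUEST_URI'], PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        $path = '/';
    }
    // REQUEST_URI is the raw request line, while $_GET values arrive
    // percent-decoded; decode so the result is comparable with $_GET['_uri'].
    $path = rawurldecode($path);

    // Directory holding the front controller ("/subdir", or "" at the web root).
    // SCRIPT_NAME is used rather than PHP_SELF, which can also carry
    // client-supplied PATH_INFO.
    $base = rtrim(str_replace('\\', '/', dirname($server['SCRIPT_NAME'])), '/');

    // Strip the directory only on a full-segment match, so "/subdirectory/x"
    // is not mistaken for a request below "/subdir".
    if ($base !== '' && strpos($path, $base . '/') === 0) {
        $path = substr($path, strlen($base));
    }
    // Keep any trailing slash, matching what the rewrite rule put into _uri.
    return ltrim($path, '/');
}

// Constructed request modelled on the answer, with the bootstrap in /subdir:
// the client appends its own "_uri=hihihi".
$server = [
    'REQUEST_URI' => '/subdir/meow?param=value&_uri=hihihi',
    'SCRIPT_NAME' => '/subdir/index.php',
];

// What [QSA] hands to PHP: the rule's own "_uri=meow" followed by the original
// query string, and the later duplicate key wins when $_GET is built.
parse_str('_uri=meow&' . parse_url($server['REQUEST_URI'], PHP_URL_QUERY), $get);
printf("\$_GET['_uri'] as seen by the application: %s\n", $get['_uri']);
printf("route derived from REQUEST_URI:            %s\n", routeFromRequestUri($server));
```

Because the route never passes through the query string, `param=value` and any other client parameters still reach `$_GET` as the question requires, without being able to replace the path.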