[nycphp-talk] Friendly URL's
Mikko Rantalainen
mikko.rantalainen at peda.net
Wed Nov 23 10:07:21 EST 2005
Stefan Klopp wrote:
> I wanted to get your feedback on the best (and
> securest) way to do friendly URL's. I currently have
> implemented a simple one that basically appends
> directories onto the end of the php file, for example:
>
> http://www.example.com/script.php/variable1/variable2/

You might want to try something like

    <Location /script>
    SetHandler application/x-httpd-php
    AcceptPathInfo On
    </Location>

and just drop the ".php" extension from your script.php or just put
the whole file outside the server root and create a symbolic link
between those two. Put the above declaration in a file and drop it
in /etc/httpd/conf.d/99_whatever.conf (assuming that you're using a
recent Apache).

> To get the variables I am splitting on / in the
> $_SERVER['PATH_INFO']. This appears to work quite well
> for me. However the only problem I am facing now is
> when my page has included header information such as
> CSS or javascript. Since the includes are not full URL
> they try to find the files in:
>
> http://www.example.com/script.php/variable1/variable2/
>
> instead of in:
>
> http://www.example.com/

Cannot you just use

    <script src="/any/path/you/like/script.js" ...>

and

    <link href="/your/style.css" ...>

Or you could do it like I do:

    global $CONFIG;
    $scripts = $CONFIG["scripts_external_path"];
    $styles = $CONFIG["styles_external_path"];
    $template = <<<EOL
    ...
    <script src="$scripts/script.js" ...>
    <link href="$styles/style.css" ...>
    ...
    EOL;

This way you can keep the information about where the files should
be found in your PHP script. Put the required files anywhere you
like and modify

> Now I know I can do this via mod_rewrite but I would
> rather keep it all in the php. So one way I found
> around this was to put:
>
> $path = preg_split("/\//",
> $_SERVER['PATH_INFO']);
> $file = array_pop($path);
> if (preg_match("/\.(js)$/", $file)) {
> include($file);
> exit;
> }
> if (preg_match("/\.(jpg|gif|png|css)$/",
> $file)) {
> $extra_path = array_pop($path);
> include($extra_path . "/" .$file);
> exit;
> }
>
> Basically this just checks if the last block on the
> url is a file. If it is and is javascript simple
> include the file directly (from the current working
> dir). If it is a image or css file get the extra
> directory information then include the file.
>
> Now again this works for my current app, however I
> very much fear doing a dynamic include. Can anyone
> think of a better way to handle this?

I'd fear the dynamic include also. For example, even the above
implementation has a possible security issue. If the user sends the HTTP
request "GET /script.php/../file.css" you would end up with
$extra_path = ".." and $file = "file.css" and you would include
"../file.css", which I guess wouldn't always be safe.

--
Mikko
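
Added example, not part of the original post or either poster's code: one way to serve the static files discussed in this thread without a dynamic include, refusing the "/../file.css" request described above. The names resolve_asset and ASSET_TYPES and the temporary directory layout are hypothetical, chosen for illustration.

```php
<?php
// Added example: resolve a PATH_INFO-style request to a static file without include().
// resolve_asset(), ASSET_TYPES and the directory layout below are hypothetical.

const ASSET_TYPES = [
    'js'  => 'application/javascript',
    'css' => 'text/css',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
];

/** Returns [absolute path, content type], or null if the request must be refused. */
function resolve_asset(string $pathInfo, string $baseDir): ?array
{
    $ext = strtolower(pathinfo($pathInfo, PATHINFO_EXTENSION));
    if (!isset(ASSET_TYPES[$ext])) {
        return null;                      // extension not on the allowlist
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", follows symlinks, and returns false for missing files.
    $real = realpath($baseDir . '/' . ltrim($pathInfo, '/'));
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still sit inside the asset directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$real, ASSET_TYPES[$ext]];
}

// Constructed sample layout: one file inside the asset directory, one outside it.
$root = sys_get_temp_dir() . '/friendly_url_demo_' . getmypid();
mkdir($root . '/assets/styles', 0700, true);
file_put_contents($root . '/assets/styles/style.css', 'body { margin: 0 }');
file_put_contents($root . '/file.css', 'outside the asset directory');

foreach (['/styles/style.css', '/../file.css', '/styles/../../file.css', '/script.php'] as $p) {
    $hit = resolve_asset($p, $root . '/assets');
    echo str_pad($p, 26), $hit ? "serve as {$hit[1]}" : 'refuse (404)', "\n";
}
// In a real handler: header('Content-Type: ' . $type); readfile($path); exit;
// readfile() sends bytes; include() would execute any PHP found in the file.
```

Only the first sample path resolves; the two ".." paths canonicalize to a file outside the asset directory and are refused, and "/script.php" fails the extension allowlist.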