[nycphp-talk] not including '.php' in URI

Kenneth Dombrowski kenneth at ylayali.net
Tue Mar 21 16:26:35 EST 2006


On 06-03-21 13:55 -0500, Chris Shiflett wrote:
> Dan Horning wrote:
> > it's not a matter of making things faster, b/c it won't, I've
> > tried, but in actuality you create excessive opportunities for
> > security breaches, why on earth would you want to make your
> > life harder.
> 
> Can you substantiate that claim? My web sites don't use file extensions, 
> but I doubt you can convince me that this increases my security risk.
> 

Well, I'm not sure what Dan was thinking, but my first reaction to
"parse every file as php" was to think of an image containing the string
'<?', text files containing sample code, etc, and then the obvious
implications of accepting any content files from third parties anywhere.
The only way I know of to convince apache to do that is ForceType, which
could be safe if it was deployed carefully, sure, but I agree it would
introduce a risk.  I also think it's a really ugly way to do it, whether
there's a security risk or not (and I'm pretty sure nobody said they
were doing it that way anyway), but that's a matter of opinion.

I've been experimenting with doing this for one small site using
RewriteRules in an .htaccess file: 

RewriteRule ^account$               account.php [NC,L]
RewriteRule ^account/edit$          account.php?action=edit [NC,L]
RewriteRule ^catalog/recent$        catalog.php?filter=recent [NC,L]

And I've been pretty happy with the friendliness of it.  Yes, it is a huge
headache to debug, and yes, using .htaccess files & RewriteRules will slow
apache down a bit, but we don't mind.  We didn't have any motive other
than the user-friendliness one.
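
Added example, not part of the original post: a Python check for the case the message raises under "parse every file as php", namely files without a .php extension (images, text files with sample code) that contain a '<?' open tag. The function names, the sample file names and their contents are constructed for illustration.

```python
import os
import re
import tempfile

# "<?" starts PHP when short_open_tag is on; "<?php" always does.
TAG = re.compile(rb"<\?(php)?", re.I)

def build_sample(root):
    """Write a constructed sample docroot (not data from the original post)."""
    samples = {
        "account.php": b"<?php echo 'account'; ?>",
        "uploads/avatar.gif": b"GIF89a\x01\x00\x01\x00<?php /* constructed marker */ ?>",
        "docs/howto.txt": b"Sample code:\n<? echo 1 ?>\n",
        "img/logo.png": b"\x89PNG\r\n\x1a\n plain bytes, no tag",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def scan_docroot(root, php_exts=(".php",)):
    """Return sorted [(relative_path, byte_offset, kind)] for non-PHP files
    whose content contains a PHP open tag; kind is "long" or "short"."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(php_exts):
                continue  # already intended to be executed as PHP
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            m = TAG.search(data)  # first open tag in the file, if any
            if m:
                kind = "long" if m.group(1) else "short"
                findings.append((os.path.relpath(path, root), m.start(), kind))
    return sorted(findings)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, off, kind in scan_docroot(root):
            print(f"{rel}: {kind} open tag at byte {off}")
```

A hit matters only where the server would hand that file to PHP, which is what a blanket ForceType does; with per-URL RewriteRules like the ones above, only the named .php scripts are executed.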