在共享主机Apache服务器上启用mod_rewrite [英] Enable mod_rewrite On Shared Hosting Apache Server

问题描述

我对客户网站进行了一些更改.
客户端不断受到SQL注入的攻击，此刻URL包含网站需要的变量(即index.php?filenmae = home.php).

I have made some changes to a clients website.
The client was continually being attacked using SQL injection, and at the moment the URL contains variables that the website needs (i.e. index.php?filenmae=home.php).

因此，在尽可能保护站点安全之后，我可以使用mysql_real_escape_strings和stripslashes，然后开始在Apache中进行URL重写.

So after securing the site as best I could using mysql_real_escape_strings and stripslashes, I then came to do URL rewriting in Apache.

目前，该网站当前所在的服务器不支持mod_rewrite(我已经使用phpinfo进行了检查)，并且它不是属于我们的服务器.我的.htaccess文件中有什么可以为该网站启用mod_rewrite的功能?

At the moment, the server the website is currently on doesn't support mod_rewrite (i've checked using phpinfo) and it's not a server belonging to us. Is there anything I can do in my .htaccess file that would enable mod_rewrite for this website?

推荐答案

Mick，最适合您的解决方案是更改代码.我猜想您的代码中会包含指定的文件名，例如

Mick, the best solution for you is to change your code. I'm guessing that in your code you then include the filename specified, e.g.

include $_GET['filename'];

简而言之，没有办法使用mod_rewrite来确保此安全.

In short, there is no way using mod_rewrite that you can make this secure.

但是，您可以通过检查文件名是否有效(例如

However, you can make it more secure very easily by checking that the filename is valid, e.g.

$valid_filenames = array('home.php', 'foo.php', 'bar.php', /* etc... */);
if (!in_array($_GET['filename'], $valid_filenames)) {
    echo "Invalid request.";
    exit;
}
include $_GET['filename'];

只需确保您在请求的文件名之前(包括该文件)验证，您的情况就会好得多.

Just make sure that you validate the requested filename before including it and you'll be much better off.

这篇关于在共享主机Apache服务器上启用mod_rewrite的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！