mickburkejnr

Reputation: 3690

Enable mod_rewrite On Shared Hosting Apache Server

I have made some changes to a client's website.
The client was continually being attacked using SQL injection, and at the moment the URL contains variables that the website needs (i.e. index.php?filename=home.php).

So after securing the site as best I could using mysql_real_escape_strings and stripslashes, I then came to do URL rewriting in Apache.

At the moment, the server the website is currently on doesn't support mod_rewrite (I've checked using phpinfo) and it's not a server belonging to us. Is there anything I can do in my .htaccess file that would enable mod_rewrite for this website?

Upvotes: 1

Views: 7963

Answers (4)

user3678645

Reputation: 1

For a shared hosting server, it really works.

  • Create a file called .htaccess in your site's root folder.
  • First line should be RewriteEngine On.
  • Second line should be RewriteBase /.
  • After that, put in your rewrite rules as required.

Upvotes: 0

El Yobo

Reputation: 14946

Mick, the best solution for you is to change your code. I'm guessing that in your code you then include the filename specified, e.g.

include $_GET['filename'];

In short, there is no way using mod_rewrite that you can make this secure.

However, you can make it more secure very easily by checking that the filename is valid, e.g.

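// Allowlist of the only files that may ever be included.
$valid_filenames = array('home.php', 'foo.php', 'bar.php', /* etc... */);
// Reject a missing parameter and anything not on the list (strict comparison).
if (!isset($_GET['filename']) || !in_array($_GET['filename'], $valid_filenames, true)) {
    echo "Invalid request.";
    exit;
}
// Safe to include: the value is one of the known filenames above.
include $_GET['filename'];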

Just make sure that you validate the requested filename before including it and you'll be much better off.

Upvotes: 1

Spudley

Reputation: 168695

If mod_rewrite is installed, you can configure it in your local .htaccess file.

  • Create a file called .htaccess in your site's root folder.
  • First line should be RewriteEngine On.
  • Second line should be RewriteBase /.
  • After that, put in your rewrite rules as required.

If it isn't installed, you're out of luck - no web host will install extra software on a shared hosting box just for one client.

Upvotes: 2

Lekensteyn

Reputation: 66425

No, you cannot dynamically load mod_rewrite. Most hosting providers have mod_rewrite enabled on Apache servers. If they do not, you could ask them to enable it. Otherwise, if you really need mod_rewrite, consider switching hosting providers.

As an alternative, you can rewrite URLs in PHP.

  1. $_SERVER['QUERY_STRING'] can be used for getting the part after the question mark (http://example.com/file.php?this_part).
  2. Split it by your preferred parameter separator (e.g. /, ;) using explode('/', $_SERVER['QUERY_STRING'])
  3. Loop through the values, and split those using a preferred value separator (e.g. '=', ':')
  4. Overwrite $_GET with an empty array, and put the newly generated values in it. Note: filter_input and related functions do not operate on $_GET. Thus, this method will not work for filter_input.

Upvotes: 0
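
The following is an added example, not code from any of the answers: it combines the four query-string steps in Lekensteyn's answer with the filename allowlist from El Yobo's answer, so the rewritten parameters are validated before anything is included. The URL shape (index.php?filename:home.php/id:42), the "/" and ":" separators, the function names and the sample inputs are assumptions; PHP 7.1 or later is assumed.

```php
<?php
// Added example. Separators, function names and sample inputs are assumptions.

/** Parse "filename:home.php/id:42" into ['filename' => 'home.php', 'id' => '42']. */
function parse_pretty_query(string $query): array
{
    $params = [];
    foreach (explode('/', $query) as $pair) {
        if ($pair === '') {
            continue; // empty segment from a leading, trailing or doubled "/"
        }
        // Limit of 2 keeps any further ":" inside the value.
        $parts = explode(':', $pair, 2);
        $key   = rawurldecode($parts[0]);
        $value = isset($parts[1]) ? rawurldecode($parts[1]) : '';
        if ($key !== '') {
            $params[$key] = $value; // a repeated key overwrites the earlier one
        }
    }
    return $params;
}

/** Return the file to include, or null when it is not on the allowlist. */
function resolve_page(array $params, array $valid_filenames): ?string
{
    $name = $params['filename'] ?? '';
    // Strict comparison against known names; decoding has already happened.
    return in_array($name, $valid_filenames, true) ? $name : null;
}

$valid_filenames = ['home.php', 'foo.php', 'bar.php'];

// Constructed sample query strings; a real request would use
// $_SERVER['QUERY_STRING'] instead.
$samples = [
    'filename:home.php/id:42',                 // listed file, extra parameter
    'filename:home%2Ephp',                     // decodes to home.php before the check
    'filename:unlisted.php',                   // not on the allowlist
    'filename:sub/home.php',                   // "/" splits the value: filename is "sub"
    'filename:home.php/filename:unlisted.php', // last value wins, so rejected
    '',                                        // no parameters at all
];
foreach ($samples as $query) {
    $_GET = parse_pretty_query($query); // replace $_GET with the parsed values
    $page = resolve_page($_GET, $valid_filenames);
    echo ($query === '' ? '(empty)' : $query), ' => ',
        ($page === null ? 'Invalid request.' : "include $page"), PHP_EOL;
}
```

The loop only prints the decision; in the site's front controller the include would run only when resolve_page returns a non-null name.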
