Reputation: 2476
This is possibly a duplicate question, but I am unable to find the other one if it is.
I was looking for advice on how secure URL rewriting is. Does it stop SQL injection or XSS? If not, how would one circumvent it?
The reason I ask is because I am unsure of the process that rewriting takes. Am I right in believing that this URL could effectively be dangerous:
http://www.website.com/article/1' UNION ALL...
Upvotes: 1
Views: 2752
Reputation: 1
URL rewriting has a feature called 'Request blocking'. You can use this feature to scan for and prevent third-party tools from sending spoofed requests.
Upvotes: 0
Reputation: 38
But for SQL Injection based only on the $_GET variable, if we use this:
RewriteRule ^([a-z])-([0-9])\.html$ /index.php?page=$1&id=$2 [L]
Is the $_GET["id"] variable injectable? We are forcing the value to be an integer only.
Upvotes: 0
Reputation: 56717
URL rewriting doesn't have anything to do with preventing SQL injections! URL rewriting is mostly used to turn "ugly" URLs (like http://domain.com/index.php?name=1&value=2) into pretty URLs (like http://domain.com/1/2).
It doesn't prevent SQL injection at all. SQL injection must be prevented by making sure that user inputs do not contain characters that modify an SQL statement so that it does things that were not intended. Example:
You have an SQL Statement like:
SELECT * FROM $tableName;
And $tableName is a parameter that is entered by the user through a web form. Now the user could enter Users; DROP TABLE Users; -- . This would be bad:
SELECT * FROM Users; DROP TABLE Users; --;
This, however, cannot be solved by URL rewriting.
Upvotes: 3
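To make the point of this answer (and of the RewriteRule question above) concrete, here is an added example that is not from any of the posters: a Python/sqlite3 stand-in for the PHP setup that simulates the rewrite step, shows that a strict rule rejects a malformed id while a loose rule passes it straight into $_GET['id'], and contrasts string-built SQL with a bound parameter. The `+` quantifiers, the escaped dot and the `/article/` rule are my assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Rule in the spirit of the commenter's RewriteRule. The "+" quantifiers and
# the escaped dot are assumptions; they do not change the point being made.
STRICT_RULE = (re.compile(r"^/([a-z]+)-([0-9]+)\.html$"), "/index.php?page={0}&id={1}")
# A looser rule, like the question's /article/... URL: everything after the slash passes through.
LOOSE_RULE = (re.compile(r"^/article/(.+)$"), "/index.php?page=article&id={0}")

def rewrite(path, rules):
    """Apply the first matching rule and return the internal URL, or None if nothing matched."""
    for pattern, target in rules:
        match = pattern.match(path)
        if match:
            return target.format(*match.groups())
    return None

def query_params(internal_url):
    """What the application's $_GET would contain after the rewrite."""
    return {k: v[0] for k, v in parse_qs(urlparse(internal_url).query).items()}

def setup_db():
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO article VALUES (?, ?, ?)",
                     [(1, "public post", 1), (2, "unpublished draft", 0)])
    return conn

def fetch_vulnerable(conn, article_id):
    # String concatenation: whatever survived the rewrite is parsed as SQL.
    return conn.execute("SELECT title FROM article WHERE id = " + article_id).fetchall()

def fetch_safe(conn, article_id):
    # Bound parameter: the value is compared as data and never parsed as SQL.
    return conn.execute("SELECT title FROM article WHERE id = ?", (article_id,)).fetchall()

def lookup(conn, path, rules, fetch):
    """Simulate request -> rewrite -> $_GET['id'] -> query. None means no rule matched."""
    internal = rewrite(path, rules)
    if internal is None:
        return None
    return fetch(conn, query_params(internal)["id"])

if __name__ == "__main__":
    db = setup_db()
    print(lookup(db, "/news-1.html", [STRICT_RULE], fetch_vulnerable))         # one row
    print(lookup(db, "/news-1 OR 1=1.html", [STRICT_RULE], fetch_vulnerable))  # None: rule rejects it
    print(lookup(db, "/article/1 OR 1=1", [LOOSE_RULE], fetch_vulnerable))     # both rows: injected
    print(lookup(db, "/article/1 OR 1=1", [LOOSE_RULE], fetch_safe))           # []: treated as data
```

The strict pattern only helps because it happens to restrict the characters; the rewrite itself does nothing, and the bound parameter is what makes the query safe regardless of the rule.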
Reputation: 3529
URL rewriting and security are two different things. The URL rewrite simply changes the presentation of variables in the URL but does not secure anything at all. You must secure the variables in your code after you recover them from the URL.
Upvotes: 1
Reputation: 11
No, URL rewriting cannot prevent XSS or SQL injection.
If you want to avoid SQL injection, use the DBI library (with prepare/execute statements) in your code.
If you want to avoid XSS attacks, please filter your user input in your code, too.
Upvotes: 1