I have a question in my mind about how mod_rewrite increases security.
I have a PHP file which shows a .pdf file online, like www.example.com?id=234, and it makes a query to the database and gets the actual folder location.
The actual folder location is uploads/ and I am using something like how to hide the actual folder location.
Now I want to use Google Docs:
echo "<iframe src=\"http://docs.google.com/gview?url=".root."uploads/myfile.pdf"."&embedded=true\" style=\"width:100%; height:100%;\" frameborder=\"0\"></iframe>";
But I don't want to show the upload directory uploads/ in this URL. So I use module_rewrite to change the directory name to myfiles/.
The question is that when a user changes the directory to www.example.com/myfiles/hacking.php, then it will also rewrite to uploads/hacking.php.
I am allowing users to upload files. Although I am using a blacklist, we assume that security holes may be present.
Don't put the file in a web accessible location. Keep it someplace out of the www root, and have a script to open, read and output the file to the browser.
That way, even if it is a php file, only the content will be sent down and will not be executed.
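The approach described in the answer above, as an added example that is not part of the original answer: a PHP script that maps the `id` parameter to a file stored outside the web root and streams it with `readfile()`, so the content is sent and never executed. The script name `download.php`, the storage path, the `lookupStoredName()` stand-in for the database query and the PDF-only allowlist are assumptions.

```php
<?php
declare(strict_types=1);
// download.php (hypothetical name): serve an uploaded file by numeric id.

const STORAGE_DIR   = '/srv/app-data/uploads';  // assumed path, outside the document root
const ALLOWED_TYPES = ['application/pdf'];      // allowlist instead of a blacklist

// Stand-in for the database query from the question (constructed sample data).
function lookupStoredName(int $id): ?string
{
    $files = [234 => 'myfile.pdf'];
    return $files[$id] ?? null;
}

// Resolve an id to an absolute path that is guaranteed to sit inside STORAGE_DIR.
function resolveUpload(int $id): ?string
{
    $name = lookupStoredName($id);
    if ($name === null) {
        return null;
    }
    $base = realpath(STORAGE_DIR);
    // basename() drops directory parts; realpath() resolves symlinks and "..".
    $path = realpath(STORAGE_DIR . '/' . basename($name));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$id   = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$path = is_int($id) ? resolveUpload($id) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

// Decide the type from the file's bytes, not from its name or the upload request.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ALLOWED_TYPES, true)) {
    http_response_code(415);
    exit;
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="document.pdf"');
header('X-Content-Type-Options: nosniff');
readfile($path);  // streams the bytes; the file is never passed to include/require
```

An uploaded `hacking.php` stored this way has no URL of its own, and a request for its id ends at the 415 branch because its detected type is not on the allowlist.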
Rewriting a URL to hide a path is useless.
In the end you have a URL that the user can use. A request will send him the resource. What's the difference if he requests example.com/?fileid=123 instead of example.com/uploads/file123.ext?
Yes, putting stuff in parameters forces you to use a script to fetch and send the resource. Using something that looks like a path only allows you to use this script. But it can be used, and nothing of this improves security. Not using a script means not being able to check if the user requesting the resource is allowed to, but for public resources this is no issue.
What are you really trying to do? Your security problem is to check whether malicious content was uploaded? If you allow uploading executables, and additionally allow them to be executed, you are doomed. Rewriting any URL does not help in any way.
Check what is uploaded. Prevent this stuff from being executed on your server.
When it comes to using the URLs discussed here, the situation should be like this:
If without rewriting you would reference /uploads/example.pdf, using rewriting should transform this URL into something else, and disable the original URL! If you still can get the stuff via the uploads folder, your rewrite is wrong.
If it is right, you are not in any need to use the old uploads url, because it does not work anymore.