
jas511

  1. Hi, I have a form on my web page and I do some server-side validation. If the validation fails, I redirect the user back to the form page. I want the original form data they entered to be there, so I've passed it back in the querystring. However, if the field contains special characters like #, the field does not populate properly. The problem is with mod rewrite (I think). It decodes the URL automatically. I can remedy this problem by encoding the form values twice before I redirect, but that's ugly because it turns # into %25%23 instead of %23. I've tried using the NE flag in the mod rewrite rule, but no such luck. Any ideas here? Thanks.
  2. Thanks for the input. Seems like there might be a lot of wasted bandwidth there though...
  3. Hi - I have a script that uploads an image to a server. But I'd like the user to be able to preview the image (along with some other text) before submitting. I'm not really sure how to create the preview page for the image. Usually for a form I'll store the data in hidden fields but I don't know how to do that with files. Maybe I could use session variables, but I'm wondering if that's the way to go. Thanks, Jeff
  4. Thanks Ben. I think what I've decided is that I'm going to have the server treat this one HTML page as php so a user will still see index.html but it will be php under the hood. Thanks.
  5. Thanks for the blunt response. Can you point me to some sources on how that can be spoofed?
  6. Is the $_SERVER["REQUEST_URI"] a "safe" variable (i.e. can it be spoofed like HTTP_REFERRER)?
  7. Yes, but I get an access denied error when the user is redirected to index.php from www.mysite.com/index (I also get an access denied error when they access it directly which is what I wanted, but I wanted it to work if passed along by mod rewrite).
  8. He is me! Anyway, all I'm saying is that by direct access I mean I don't want the user to type the page directly but I do want to allow it to be accessed directly (by a redirect via mod rewrite). I'm just trying to prevent the user from finding out that it has a PHP page extension (no need to expose what the technology is). I've found that I can use the htaccess file in that particular directory to make the file an html file and have the server treat it as though it is php. I can do that just for that home page so even if the user does guess index.htm, that's okay with me.
  9. I appreciate the reply but I'm not sure how this solves the issue. If the user types http://www.mysite.com/index or whatever, the user is redirected to index.php by mod rewrite. In this case the session variable is still null, so no access.
  10. Fair point, DarkWater. From a web application perspective, I come from a Java background which is all about portability and security, so there are a lot of measures already built in. Just curious more as a learning activity to see if there is a way to prevent this. For example, if I go to Google's home page, is there any way to determine what language they are using or to directly access their pages?
  11. I'm really just trying to prevent people from figuring out that I'm using PHP - this will help with transitioning to a new technology in the future and it reveals less information to hackers.
  12. Hi, I was wondering if there was a way to prevent direct access to my main index.php file. The index.php file is really just a front controller that includes the other content pages as necessary and those content files are all protected. I've used mod rewrite to redirect http://www.mysite.com/main to index.php but that doesn't stop users from directly accessing index.php. I've tried techniques such as rewriting away from the page if the request URI is not internal or if the referrer is not internal, but I'm pretty sure both of these can be spoofed pretty easily (I know for sure referrer can). Is there any way to basically place the files in a web inaccessible directory that can be accessed by the server but not by outside users (like a WEB-INF directory for Java apps)? Thanks, Jeff