Web Hosting Forum | Lunarpages


Author Topic: URL manipulation ?  (Read 8224 times)
SJ

« on: May 02, 2011, 06:03:49 AM »

Hi I am trying to find a way to stop URL manipulation,

Not sure, but I think members might be using this method on my website to access certain "Membership privileges" that they should not have access to (ie messaging)... by URL manipulation.

I searched and found this piece of code/text that goes into the htaccess file but when I add it... it creates an error.

# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})# Disable directory browsing
Options -Indexes
Options +FollowSymLinks

Can anyone help ? Any other ways they could be doing this ?

Cheers SJ9
« Last Edit: May 02, 2011, 06:50:03 AM by SJ »
MrPhil



« Reply #1 on: May 02, 2011, 06:55:49 PM »

That won't do it. You need a RewriteRule to actually take some action, such as failing the request. You also need to enable the Rewrite Engine, if you haven't already done so:
Code:
# Disable directory browsing
Options -Indexes
Options +FollowSymLinks

RewriteEngine On
# Fail (403 Forbidden) any request whose query string contains _REQUEST
RewriteCond %{QUERY_STRING} _REQUEST
RewriteRule . - [F]
This will trigger if _REQUEST appears anywhere in the URL Query part of your URL. I don't think you'll need the rest of what you had, but you might.
-= From the ashes shall rise a sooty tern =-
SJ

« Reply #2 on: May 03, 2011, 06:45:01 AM »

Hello and thanks Mr Phil,

I put what you said in the htaccess file, but this still causes a server error.

When you say "rewrite engine".....I have "mod_rewrite" enabled in my 'scripts' admin area, is this the "rewrite engine" ?....or is there something else I need to do to enable "rewrite engine" in my lunarpages hosting account ?

Thanks again,

SJ9
MrPhil



« Reply #3 on: May 03, 2011, 06:28:24 PM »

1. You're on a Linux server, and not a Windows server? This won't work on Windows.
2. The file is .htaccess, not htaccess (note the period)?
3. .htaccess is in your site's root directory (what HTML sees as /, such as /home/ACCOUNTNAME/public_html/)?
4. What exact error are you getting?
5. If you erase or rename .htaccess to something else, does the error go away or change? That would suggest that it is this file that's the problem.
6. Is that the complete .htaccess file?
-= From the ashes shall rise a sooty tern =-
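
Added example, not part of the thread or written by its participants: a small Python check for three .htaccess problems visible in the posts above, namely a comment trailing a directive on the same line (Apache only accepts comments on their own line), rewrite directives with no RewriteEngine On, and a RewriteCond that no RewriteRule follows. The name lint_htaccess and the REVISED sample are constructed for illustration, and the check assumes this file is the only place RewriteEngine could be switched on.

```python
import re

def lint_htaccess(text):
    """Return sorted (line_number, message) findings for an .htaccess body."""
    findings = []
    engine_on = False      # saw "RewriteEngine On" in this file
    first_rewrite = None   # first RewriteCond/RewriteRule line
    pending_cond = None    # RewriteCond still waiting for a RewriteRule
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue       # blank lines and whole-line comments are fine
        name, *rest = line.split(None, 1)
        name, args = name.lower(), "".join(rest)
        # Apache allows '#' comments only on their own line; after a directive the
        # text is parsed as arguments (config error, HTTP 500). Heuristic match.
        if re.search(r"\s#|#\s", args):
            findings.append((n, "trailing comment on directive line"))
        if name == "rewriteengine" and args.strip().lower() == "on":
            engine_on = True
        elif name in ("rewritecond", "rewriterule"):
            if first_rewrite is None:
                first_rewrite = n
            pending_cond = n if name == "rewritecond" else None
    if first_rewrite is not None and not engine_on:
        findings.append((first_rewrite, "no RewriteEngine On in this file"))
    if pending_cond is not None:
        findings.append((pending_cond, "RewriteCond without a RewriteRule"))
    return sorted(findings)

# The directives from the first post, copied as posted.
POSTED = """\
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})# Disable directory browsing
Options -Indexes
Options +FollowSymLinks
"""

# Constructed for this example: comment on its own line, engine on, rule added.
REVISED = """\
# Disable directory browsing
Options -Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} _REQUEST
RewriteRule . - [F]
"""
if __name__ == "__main__":
    print(lint_htaccess(POSTED), lint_htaccess(REVISED))
```
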