With Apache's mod_rewrite module I can keep *.php files and load them as
*.html files:

# Make http//example.com/foo/bar.html load /home/site/foo/bar.php
RewriteEngine On
RewriteRule ^(.*)\.html$ $1.php [L]

But, is there any elegant way to prevent direct access to
"http//example.com/foo/bar.php"? No matter the "L" flag, all *.html
requests get parsed again with any *.php rule I write, even though the
rewriting does not force a browser redirect and even if I use the NS
flag :-?

I still can restrict it in PHP itself (I can think of checking the value
of $_SERVER['REQUEST_URI']), but I'd like to understand why L and NS do
not work as I expected.


Sorry if this is kinda offtopic but my news server does not provide any
Apache group.


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--

Álvaro G. Vicario wrote:
> With Apache's mod_rewrite module I can keep *.php files and load them as
> *.html files:
>
> # Make http//example.com/foo/bar.html load /home/site/foo/bar.php
> RewriteEngine On
> RewriteRule ^(.*)\.html$ $1.php [L]
>
> But, is there any elegant way to prevent direct access to
> "http//example.com/foo/bar.php"? No matter the "L" flag, all *.html
> requests get parsed again with any *.php rule I write, even though the
> rewriting does not force a browser redirect and even if I use the NS
> flag :-?
>
> I still can restrict it in PHP itself (I can think of checking the value
> of $_SERVER['REQUEST_URI']), but I'd like to understand why L and NS do
> not work as I expected.
>
>
> Sorry if this is kinda offtopic but my news server does not provide any
> Apache group.
>
>

You can always get the Apache newsgroups through Google Groups. And
I've found most news servers will add groups if you ask them nicely -
they just need to know the newsgroup is wanted.

As for your question - it is NOT a good idea to parse all .html files as
..php, anyway. It puts an unnecessary load on the server. Just keep php
code in .php files. You'll find it works much better.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Jerry Stuckle escribió:
> As for your question - it is NOT a good idea to parse all .html files as
> .php, anyway. It puts an unnecessary load on the server. Just keep php
> code in .php files. You'll find it works much better.

There aren't any plain HTML files in the site: they all use PHP to
compose the page including headers, footers and the like (plus headers
for client-side caching: site contents are not actually dynamic).
Currently, I code in *.html files and get them all parsed as PHP but
it's annoying because I have to tell my text editor to use PHP syntax
highlighting for *.html files... but only for that project! Furthermore,
if I ever add a plain HTML file I can't distinguish it easily.

I thought mod_rewrite could be an elegant solution but I'm disappointed
with my lack of understanding of its internals.

If I completely omit extensions (http://example.com/foo/bar) the issue
is the same: I can't prevent http://example.com/foo/bar.php from loading.



--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--

On 28 Apr, 11:54, "Álvaro G. Vicario"
<alvaroNOSPAMTHA...@demogracia.com> wrote:
> Jerry Stuckle escribió:
>
> > As for your question - it is NOT a good idea to parse all .html files as
> > .php, anyway. It puts an unnecessary load on the server. Just keep php
> > code in .php files. You'll find it works much better.
>
> There aren't any plain HTML files in the site: they all use PHP to
> compose the page including headers, footers and the like (plus headers
> for client-side caching: site contents are not actually dynamic).
> Currently, I code in *.html files and get them all parsed as PHP but
> it's annoying because I have to tell my text editor to use PHP syntax
> highlighting for *.html files... but only for that project! Furthermore,
> if I ever add a plain HTML file I can't distinguish it easily.
>
> I thought mod_rewrite could be an elegant solution but I'm disappointed
> with my lack of understanding of its internals.
>
> If I completely omit extensions (http://example.com/foo/bar) the issue
> is the same: I can't preventhttp://example.com/foo/bar.phpfrom loading.
>
> --
> --http://alvaro.es- Álvaro G. Vicario - Burgos, Spain
> -- Mi sitio sobre programación web:http://bits.demogracia.com
> -- Mi web de humor al baño María:http://www.demogracia.com
> --

Wouldn't it be simpler to just rename all your files as .html and
setup the PHP handler to process them?

C.

Álvaro G. Vicario wrote:
> Jerry Stuckle escribió:
>> As for your question - it is NOT a good idea to parse all .html files
>> as .php, anyway. It puts an unnecessary load on the server. Just
>> keep php code in .php files. You'll find it works much better.
>
> There aren't any plain HTML files in the site: they all use PHP to
> compose the page including headers, footers and the like (plus headers
> for client-side caching: site contents are not actually dynamic).
> Currently, I code in *.html files and get them all parsed as PHP but
> it's annoying because I have to tell my text editor to use PHP syntax
> highlighting for *.html files... but only for that project! Furthermore,
> if I ever add a plain HTML file I can't distinguish it easily.
>
> I thought mod_rewrite could be an elegant solution but I'm disappointed
> with my lack of understanding of its internals.
>
> If I completely omit extensions (http://example.com/foo/bar) the issue
> is the same: I can't prevent http://example.com/foo/bar.php from loading.
>
>
>

And you will NEVER have any static pages on the site?

Why are you going to all of the trouble, anyway. PHP works fine as .php
files. You cause yourself and the server to run through all kinds of
hoops to parse them as .html files.

But if you insist, try alt.apache.configuration - available on Google
Groups.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Álvaro G. Vicario wrote:
> Jerry Stuckle escribió:
>> As for your question - it is NOT a good idea to parse all .html files
>> as .php, anyway. It puts an unnecessary load on the server. Just
>> keep php code in .php files. You'll find it works much better.
>
> There aren't any plain HTML files in the site: they all use PHP to
> compose the page including headers, footers and the like (plus headers
> for client-side caching: site contents are not actually dynamic).
> Currently, I code in *.html files and get them all parsed as PHP but
> it's annoying because I have to tell my text editor to use PHP syntax
> highlighting for *.html files... but only for that project! Furthermore,
> if I ever add a plain HTML file I can't distinguish it easily.
>
> I thought mod_rewrite could be an elegant solution but I'm disappointed
> with my lack of understanding of its internals.
>
> If I completely omit extensions (http://example.com/foo/bar) the issue
> is the same: I can't prevent http://example.com/foo/bar.php from loading.
>
>
>

Oops - I think I misread what you are doing (twice!).

If I understand this correctly now, you have your PHP code in .php
files, and have Apache set up to load those PHP files if the equivalent
..html is called. This would be OK.

But you don't want the .php files to be able to be loaded directly. I'm
not sure what difference it makes - does it cause a problem to load the
..php file?

From the PHP end, yes, you can restrict access. But if you want to do
it with mod_rewrite, you really need to be following up on an Apache
newsgroup. You'll get expert answers there.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Jerry Stuckle <jstucklex@attglobal.net> wrote:
>
>Oops - I think I misread what you are doing (twice!).
>
>If I understand this correctly now, you have your PHP code in .php
>files, and have Apache set up to load those PHP files if the equivalent
>.html is called. This would be OK.
>...
>But you don't want the .php files to be able to be loaded directly. I'm
>not sure what difference it makes - does it cause a problem to load the
>.php file?
>
> From the PHP end, yes, you can restrict access. But if you want to do
>it with mod_rewrite, you really need to be following up on an Apache
>newsgroup. You'll get expert answers there.

mod_rewrite is one of those magical products that can be configured to do
practically anything (like Sendmail). And like most such products, it is
difficult to get right.

However, I think this will do what the original poster wanted:

RewriteEngine On
RewriteRule ^(.*)\.php$ $1.php [R=404,L]
RewriteRule ^(.*)\.html$ $1.php [L]

That says PHP references should redirect to a 404, and HTML references
should be rewritten to PHP.
--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.

Tim Roberts escribió:
> RewriteEngine On
> RewriteRule ^(.*)\.php$ $1.php [R=404,L]
> RewriteRule ^(.*)\.html$ $1.php [L]
>
> That says PHP references should redirect to a 404, and HTML references
> should be rewritten to PHP.

It doesn't work either because when I request foo.html I'm silently
redirected to foo.php, rewriting starts again and first rule generates a
Not Found status code.

Thank you for your suggestion but it's really tricky!

I've asked my newsmaster if I can get "alt.apache.configuration" added
to the groups lists (Google Groups is okay but it does not allow e-mail
obfuscation) but I guess I'll implement this as is and I just won't care
about direct access to *.php files (or I'll check
$_SERVER['REQUEST_URI'] and generate the 404 status in PHP). Your
comparison of mod_write with Sendmail has scared me to the bone ;-)


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--

Álvaro G. Vicario a écrit :
> Tim Roberts escribió:
>> [L]
> rewriting starts again

Or not, L flag stands for Last, it shouldn't start again and directly
serve the request, i.e. foo.php.

Regards,
--
Guillaume

..oO(Guillaume)

>Álvaro G. Vicario a écrit :
>> Tim Roberts escribió:
>>> [L]
>> rewriting starts again
>
>Or not, L flag stands for Last, it shouldn't start again and directly
>serve the request, i.e. foo.php.

The L flag means that no further rules are evaluated for the _current_
request, but if some rewriting action triggers an internal redirect,
then the entire process starts again from the first RewriteRule.

Micha

�lvaro G. Vicario schrieb:
> Tim Roberts escribió:
>> RewriteEngine On
>> RewriteRule ^(.*)\.php$ $1.php [R=404,L]
>> RewriteRule ^(.*)\.html$ $1.php [L]
>>
>> That says PHP references should redirect to a 404, and HTML references
>> should be rewritten to PHP.
>
> It doesn't work either because when I request foo.html I'm silently
> redirected to foo.php, rewriting starts again and first rule generates a
> Not Found status code.
>
> Thank you for your suggestion but it's really tricky!
>
> I've asked my newsmaster if I can get "alt.apache.configuration" added
> to the groups lists (Google Groups is okay but it does not allow e-mail
> obfuscation) but I guess I'll implement this as is and I just won't care
> about direct access to *.php files (or I'll check
> $_SERVER['REQUEST_URI'] and generate the 404 status in PHP). Your
> comparison of mod_write with Sendmail has scared me to the bone ;-)
>
>

If you want to deny execution of php scripts, you can put them outside
of the web space.

If your php script you want to protect is inside the web space, you can
deny access in the .htaccess file. This is handy for include-only
directories.

Max

M. Strobel wrote:
> �lvaro G. Vicario schrieb:
>> Tim Roberts escribió:
>>> RewriteEngine On
>>> RewriteRule ^(.*)\.php$ $1.php [R=404,L]
>>> RewriteRule ^(.*)\.html$ $1.php [L]
>>>
>>> That says PHP references should redirect to a 404, and HTML references
>>> should be rewritten to PHP.
>>
>> It doesn't work either because when I request foo.html I'm silently
>> redirected to foo.php, rewriting starts again and first rule generates
>> a Not Found status code.
>>
>> Thank you for your suggestion but it's really tricky!
>>
>> I've asked my newsmaster if I can get "alt.apache.configuration" added
>> to the groups lists (Google Groups is okay but it does not allow
>> e-mail obfuscation) but I guess I'll implement this as is and I just
>> won't care about direct access to *.php files (or I'll check
>> $_SERVER['REQUEST_URI'] and generate the 404 status in PHP). Your
>> comparison of mod_write with Sendmail has scared me to the bone ;-)
>>
>>
>
> If you want to deny execution of php scripts, you can put them outside
> of the web space.
>
> If your php script you want to protect is inside the web space, you can
> deny access in the .htaccess file. This is handy for include-only
> directories.
>
> Max
>

Which is not his question...

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================