URL Design

URL Design

Gordon McLean
Hi Guys

I have read a lot of posts on both this and other talk lists regarding Apache ReWrite.

I have been trying to redesign my URL encoding to make it more user/spider friendly. Having spent some time studying the various posts on the matter, I have frankly become progressively more confused, however have managed to get a result of sorts.

I would appreciate it if anyone who has a more in-depth knowledge of this subject could comment on the approach and suggest where I may have overlooked key security details:

Platform: OSX Server/Apache
Lasso 8.5

Current URL format = http://www.domain.tld/?action=products&pid=1234

What's wanted = http://www.domain.tld/products/1234

Using a post by Brad Lindsay I have added this rule to Apache to the  
virtual host file private/etc/apache2/sites/domain.tld.conf

RewriteEngine on
RewriteRule ^/go/([^/]+.*) /help/index.lasso [H=lasso8-handler]

Using Response_FilePath and split, I have been able to extract an  
array as follows

array: (), (go), (products), (1234)

I have an index page that will sort these results and handle the errors

I guess my question is, is this the correct method? Are there obvious security issues I am overlooking? etc.

Many thanks

Gordon McLean

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/


Re: URL Design

Marc Pope
That is pretty close to what I do. Here's my .htaccess file (below). This will send both /filename/ and /filename.html to the page called /_engine.lasso and the 'p' parameter is sent with the current page path.

Also, this gets ignored if the page already exists.

Marc


AddHandler lasso8handler .html

RewriteEngine On

# only rewrite if request is not a real file
RewriteCond %{REQUEST_FILENAME} !-f

# only rewrite if request is not a real directory
RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule ^(.*)$ /_engine.lasso?p=/$1 [QSA,L,NS]



On Feb 2, 2009, at 3:42 PM, Gordon McLean wrote:

> Hi Guys
>
> I have read a lot of posts on both this and other talk lists  
> regarding Apache ReWrite
>
> I have been trying to re design my URL encoding to make it more user/
> spider friendly.  Having spent some time studying the various posts  
> on the matter, I have frankly become progressively more confused,  
> however have managed to get a result of sorts.
>
> I would appreciate it if anyone who has a more in depth knowledge of  
> this subject could comment on the approach and suggest where I may  
> have overlooked key security details:
>
> Platform: OSX Server/Apache
> Lasso 8.5
>
> Current URL format = http://www.domain.tld/?action=products&pid=1234
>
> Whats wanted = http://www.domain.tld/products/1234
>
> Using a post by Brad Lindsay I have added this rule to Apache to the  
> virtual host file private/etc/apache2/sites/domain.tld.conf
>
> RewriteEngine on
> RewriteRule ^/go/([^/]+.*) /help/index.lasso [H=lasso8-handler]
>
> Using Response_FilePath and split, I have been able to extract an  
> array as follows
>
> array: (), (go), (products), (1234)
>
> I have an index page that will sort these results and handle the  
> errors
>
> I guess my question is, is this the correct method ?  are there  
> obvious security issues I am overlooking ? etc
>
> Many thanks
>
> Gordon McLean



Re: URL Design

CoMedia
 Hi Gordon,

I think this Tip of the Week describes exactly what you want using pure Lasso code:
http://www.lassosoft.com/Documentation/TotW/index.lasso?9136

-- Alfred


Re: URL Design

Bil Corry-3
Gordon McLean wrote on 2/2/2009 2:42 PM:
> I guess my question is, is this the correct method ?  are there obvious
> security issues I am overlooking ? etc

That will work (as you've already discovered).  I'm assuming the difference between the URL trigger you want (/products/) and the URL trigger in your example Apache directive (/go/) is just a copy/paste error.

As far as security, what comes to mind is making sure the URL is in a format you recognize and rejecting any that don't match (such as having too many or too few params).  Also be sure for the ID that you ensure it's a proper product ID and not XSS or SQLi bad stuff.  The other issue is if the product IDs are numerical, that you understand that someone can script a bot to crawl your entire catalog, incrementing the product ID by one on each hit.


- Bil
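
The checks described in the reply above, sketched in Python as an added example; it is not code from the thread, and a Lasso index page would apply the same logic to the segments split from Response_FilePath. The single `products` action, the 9-digit ID limit, the function names and the sample catalog are assumptions.

```python
import re
import sqlite3
from html import escape

# Assumption: one public action; IDs are positive integers of at most 9 digits.
ID_PATTERNS = {"products": re.compile(r"[1-9][0-9]{0,8}")}

# Constructed sample catalog standing in for the real product table.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE products (pid INTEGER PRIMARY KEY, name TEXT)")
DB.execute("INSERT INTO products VALUES (1234, 'Widget <deluxe>')")


def parse_route(path):
    """Return (action, pid) for exactly /<action>/<id>, otherwise None."""
    if len(path) > 64:
        return None
    parts = path.split("/")  # "/products/1234" -> ["", "products", "1234"]
    if len(parts) != 3 or parts[0] != "":
        return None  # too many or too few segments
    pattern = ID_PATTERNS.get(parts[1])
    # Allowlist match: quotes, angle brackets, percent-encoding and
    # non-ASCII digits all fail here without needing a denylist.
    if pattern is None or not pattern.fullmatch(parts[2]):
        return None
    return parts[1], int(parts[2])


def handle(path):
    """Return (status, body); the raw path is never echoed into the body."""
    route = parse_route(path)
    if route is None:
        return 404, "Not found"
    # Bound parameter: the ID reaches SQL as a value, never as query text.
    row = DB.execute(
        "SELECT name FROM products WHERE pid = ?", (route[1],)
    ).fetchone()
    if row is None:
        return 404, "Not found"
    # Stored data is still HTML-escaped on output.
    return 200, "<h1>" + escape(row[0]) + "</h1>"
```

Validation does not change the enumeration point: sequential numeric IDs that pass these checks can still be requested one after another.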

