Stop people from viewing file

Will RewriteRule work?

         

twist

5:17 pm on Mar 10, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here is what I am trying to accomplish,

All pages open through one file by passing a variable along to that variable i.e.,

RewriteRule ^(homepage)$ /filename.php?var=$1 [L]

This means that a user could potentially open my homepage by using either of the following URLs,

ht*p://example.com/homepage or ht*p://example.com/filename.php?var=homepage

I am wondering if there is a RewriteRule that would stop someone from being able to open the homepage from the second address but so far even trying the most simplistic method isn't working, like so,

RewriteRule ^filename.php?var=homepage$ /filename.php?var=errorpage [L]

Although the best method would be to block anybody trying to access the filename.php file altogether. If that is possible that would work.

If there is no way to do the above, is there simply a way to search any request for characters like '?' or '&' and then refer them to an error page? This way they couldn't attach any variables to a request since any variable would send them to an error page.

jdMorgan

7:29 pm on Mar 10, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This code will examine the original incoming request, and reject direct requests for the page with a query string already attached. It should not affect your existing rewrite, because that won't change the request.

# Rewrite the homepage request to the query string version
RewriteRule ^homepage\.php$ /filename.php?var=homepage [L]
# But block direct requests for the query string version
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /filename\.php\?var=homepage
RewriteRule ^filename\.php$ - [F]

The patterns in the second rule look a bit redundant with "filename\.php" matched twice, but it's actually more efficient that way.

Jim

twist

9:51 pm on Mar 10, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You're really good at this Jim and I hate to keep bothering you but I have just one more question,

Messing around earlier trying to get this to work I realised that a person can change my url and although unlikely it would be nice to know this could never happen, for example,

ht*p://www.webmasterworld.com/forum10/8030.htm?_webmaster_world_supports_boycotting_google
(I added the '*', but if you try it, it will work)

Imagine you have some innocent personal website like this,

ht*p://example.com/mykidspage.htm

Now imagine someone with a grudge against you tacking this onto your site and showing it to some local police officer. They could even tell the police officer to type it in himself and it would still work.

ht*p://example.com/mykidspage.htm?_get_nude_pics_by_emailing_me_at_myemail@exampledotcom

In the end you would be alright, I would hope, but imagine the local police busting in your house and taking your computer with a semi-legitimate reason. Kinda-scary.

Just to be on the safe side, since all my pages use rewriterule and I don't use either the '?' or the '$' symbols is there a way to search the "THE_REQUEST" for these and then just serve up an error page if they are included in the request?

jdMorgan

10:02 pm on Mar 10, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That's a bit far-fetched, IMO, but this would reject any incoming URL with any query string:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?.
RewriteRule .* - [F]

The [A-Z]{3,9} is just a shorthand way of matching the HTTP methods in the request, from GET or PUT to PROPPATCH, btw.

Jim

twist

3:56 pm on Mar 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> The [A-Z]{3,9} is just a shorthand way of matching the HTTP methods in the request, from GET or PUT to PROPPATCH, btw.

Thanks, I was curious.

As for the code, it worked like a charm and is much appreciated but has, with my luck, created a few more questions.

RewriteRule ^search$ /filename.php?var=search [QSA,L]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?.
RewriteRule .* - [F]
...rest of the rules below

I thought the "L=Last Rule" would "Stop the rewriting process here" but it just keeps returning a 403. I also tried using "S=1" and "S=2" to skip the following rule(s) with no luck.

I was also curious if there is a way to replace the 403 Forbidden with a customized 404 Error?

Thanks for all your help so far Jim.

*edit - what I am trying

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?.
RewriteRule ^(.*)$ /filename.php?var=error&var2=404 [L]

I am trying really hard to understand this, here is my logic so far,

RewriteCond is like using an "if" statement correct? So "if" condition exists apply following rewriterule. My rule is saying that ".*" is any character matched "N" number of times. If match is correct, then change request, which is ".*" to the following "/filename.php?var=error&var2=404".

So far I know that the condition is catching the "?" because under the way you gave me it returns a 403, so I have no reason to assume the problem is in that line so it must be something I am doing in the rewriterule. I'll keep trying and rereading the apache tutorial.

jdMorgan

9:46 pm on Mar 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> I thought the "L=Last Rule" would "Stop the rewriting process here"

[L] does stop the processing of this pass through .htaccess. But Apache will then re-process httpd.conf and any .htaccess files in the new path, in order to apply any access-control restrictions or rewrites that may apply to the new path. Therefore, you should make sure that your rules will not match on a second pass through your code for this request. {THE_REQUEST} will never change, but the URL-path in {REQUEST_URI} and the URL-path seen by RewriteRule will be updated as a result of your rewrite.

> I was also curious if there is a way to replace the 403 Forbidden with a customized 404 Error?

Yes, rewrite the request to a non-existent path.

Jim
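Added example, not part of either poster's messages: a simplified Python model of the second pass described in the post above, applied to the three rules twist posted. It assumes .htaccess context (leading slash stripped from the URL-path) and uses constructed request lines; the function names are hypothetical.

```python
import re

# Condition pattern from the thread. THE_REQUEST is the raw request line,
# so it is identical on every pass over the rules.
ANY_QUERY = re.compile(r'^[A-Z]{3,9}\ /.*\?.')

def one_pass(the_request, path):
    """Apply the three rules twist posted, once, to the current URL-path."""
    if re.search(r'^search$', path):
        # RewriteRule ^search$ /filename.php?var=search [QSA,L]
        return 'rewrite', 'filename.php'
    if ANY_QUERY.search(the_request):
        # RewriteCond %{THE_REQUEST} ...  followed by  RewriteRule .* - [F]
        return 'forbidden', path
    return 'done', path

def serve(the_request, max_passes=5):
    """Re-run the rules after every rewrite, as happens for .htaccess."""
    # Per-directory rules see the path without its leading slash.
    path = the_request.split(' ')[1].split('?', 1)[0].lstrip('/')
    trace = []
    for _ in range(max_passes):
        action, path = one_pass(the_request, path)
        trace.append((action, path))
        if action != 'rewrite':
            break
    return trace

# Constructed request lines, not taken from the thread.
SAMPLES = [
    'GET /search HTTP/1.1',
    'GET /search?q=apache HTTP/1.1',
    'GET /homepage?x=1 HTTP/1.1',
]

if __name__ == '__main__':
    for line in SAMPLES:
        print(line, '->', serve(line))
```

The second sample is rewritten on the first pass and rejected on the second, because the path is now filename.php while the request line still contains the query string.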

twist

11:20 pm on Mar 15, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've been toying with it for days now and finally got it to work using this,

RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /search.*$
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?.*$
RewriteRule ^(.*)$ page.php?var=error [L]

The following line gave me the most problems,

RewriteRule ^(.*)$ /page.php?var=error [L]

When I removed the / it finally worked, why?

Also, is there a more efficient way to write this?
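Added example, not part of the thread: a Python check of which request lines the two conditions in the ruleset above send to the error page, run over constructed request lines. SEARCH_STRICT is an assumed tighter exemption shown for comparison, since the posted /search.* pattern also exempts any path that merely starts with /search.

```python
import re

# Conditions from the final ruleset above; the first one is negated ("!").
SEARCH = re.compile(r'^[A-Z]{3,9}\ /search.*$')
QUERY = re.compile(r'^[A-Z]{3,9}\ /.*\?.*$')
# Assumption, not from the thread: exempt only "/search" itself, i.e. the
# path must be followed by "?" or by the space before "HTTP/1.x".
SEARCH_STRICT = re.compile(r'^[A-Z]{3,9}\ /search[?\ ]')

def sent_to_error_page(the_request, exempt=SEARCH):
    """True when both RewriteCond lines hold and the error rewrite fires."""
    return not exempt.search(the_request) and bool(QUERY.search(the_request))

# Constructed request lines, not taken from the thread.
SAMPLES = [
    'GET /homepage HTTP/1.1',               # no query string
    'GET /homepage?x=1 HTTP/1.1',           # query string on a normal page
    'GET /homepage? HTTP/1.1',              # bare "?" also matches \?.*$
    'GET /search?q=apache HTTP/1.1',        # the intended exemption
    'GET /search-old?x=1 HTTP/1.1',         # exempt only by prefix match
]

def audit(exempt=SEARCH):
    """Return (request line, redirected-to-error-page?) for each sample."""
    return [(line, sent_to_error_page(line, exempt)) for line in SAMPLES]

if __name__ == '__main__':
    for label, exempt in (('as posted', SEARCH), ('strict', SEARCH_STRICT)):
        print(label)
        for line, hit in audit(exempt):
            print('  error page' if hit else '  served    ', line)
```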