mod rewrite - how do I get rid of the question mark?

         

Tim_Mousel

5:27 pm on Mar 4, 2008 (gmt 0)




Hi,

A question mark is appended to the end of all my URLs to add the PHP session.

<a href="/index2/<?php echo "$review_item_id"; ?>.php?<?php echo htmlspecialchars(SID); ?>" >link</a>

This is in my .htaccess file:

RewriteRule ^index2/([^/]+)\.php$ index2.php?item_id=$1 [QSA,L]

This is how my url looks in the browser window:

http://www.domain.com/review/index2/53.php?

This is how I would like it to look while still carrying the PHP session:

http://www.domain.com/review/index2/53.php

What do I need to change to make that happen?

Thanks in advance,

Tim

gergoe

5:53 pm on Mar 4, 2008 (gmt 0)




This looks to be a programming issue. The

<a href="/index2/<?php echo "$review_item_id"; ?>.php?<?php echo htmlspecialchars(SID); ?>" >link</a>

is wrong in two places: first, htmlspecialchars() [php.net] is not to be used for escaping a query string (see urlencode() [php.net] for that purpose), and second, the SID parameter is probably wrong, unless you are working with constants. If you do not have the value for that constant/variable/anything set like "name=value", then you need to explain your code better - but not on this forum then :-). There's a forum for PHP related discussions: [webmasterworld.com].

If you only want to carry on session information handled by PHP, then you don't need to pass values in the query string; in fact, PHP takes care of that by itself (using cookies). So as your first move, you may want to change the quoted line to:

<a href="/index2/<?php echo $review_item_id; ?>.php" >link</a>

This will solve the problem in your question as well, since the question mark is appended to the URL because you are appending it from your code.

Tim_Mousel

5:49 pm on Mar 5, 2008 (gmt 0)




Hi,

Thanks for your reply.

The way I'm passing the session is exactly the same as the sample shown in the PHP manual (http://us3.php.net/manual/en/ref.session.php). Furthermore, the manual states: "The htmlspecialchars() may be used when printing the SID in order to prevent XSS related attacks."

If I don't pass the SID, PHP will use cookies, but I also want it to work when the user has cookies disabled.

Is there another way I can pass sessions without the ? in my url and assuming the user has their cookies turned off?

Thanks,

Tim

gergoe

6:15 pm on Mar 5, 2008 (gmt 0)




Yes there is, look for the session.use_trans_sid ini setting within the PHP documentation [php.net]. Just for your convenience (and for reconsidering what you are looking after), see the following quote from their documentation:
"URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example."

And what is not mentioned in this documentation, search engines will be confused by passing extra query parameters with your pages, they might index each page separately. See this recent thread [webmasterworld.com] about (almost) the same topic.

[edited by: jdMorgan at 2:54 pm (utc) on Mar. 6, 2008]
[edit reason] Typos fixed to clarify. [/edit]
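
As an added example (not part of the thread or written by its participants): a small Python check that scans a web server access log for the two risks described in the last reply, session IDs carried in URLs that are presented by more than one client or fetched by a search engine crawler. It assumes Apache combined log format and PHP's default session name PHPSESSID; the log lines, the "bot" user-agent heuristic and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.5 - - [05/Mar/2008:18:15:01 +0000] "GET /review/index2/53.php?PHPSESSID=abc123def456 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2008:18:40:12 +0000] "GET /review/index2/53.php?PHPSESSID=abc123def456 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Mar/2008:19:02:44 +0000] "GET /review/index2/54.php?PHPSESSID=feedface0001 HTTP/1.1" 200 4096 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.5 - - [05/Mar/2008:19:05:10 +0000] "GET /review/index2/55.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
'''

# Captures: client IP, request target, user agent.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def find_url_sessions(log_text, name="PHPSESSID"):
    """Map each session ID found in a request URL to the (ip, agent) pairs that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, target, agent = m.groups()
        for sid in parse_qs(urlsplit(target).query).get(name, []):
            seen[sid].add((ip, agent))
    return seen

def shared_sessions(seen):
    """Session IDs presented from more than one client IP (URL passed around or bookmarked)."""
    out = {}
    for sid, clients in seen.items():
        ips = sorted({ip for ip, _ in clients})
        if len(ips) > 1:
            out[sid] = ips
    return out

def crawler_sessions(seen):
    """Session IDs requested by a crawler (heuristic: 'bot' in the user agent)."""
    return sorted(sid for sid, clients in seen.items()
                  if any("bot" in agent.lower() for _, agent in clients))

if __name__ == "__main__":
    seen = find_url_sessions(SAMPLE_LOG)
    print("shared across IPs:", shared_sessions(seen))
    print("fetched by crawlers:", crawler_sessions(seen))
```

A session ID seen from several IPs can also be one user changing networks, so treat the output as a list to review, not proof of misuse.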