问题
From practical experience how secure is mod_rewrite on .htaccess?
回答1:
There are so called "The 11 Phases of a Request" illustrated here.
Mod_rewrite hooks it self into URL translation level. You have full control over the rules. Which means you have to take care, that there is no injection. Injections can only be done, if you route your rule dynamically to folders depended on your request. This rules are IMHO easy to detect. The main purpose of mod_rewrite is to rewrite (hooked into the URI translation) your URL to a new destination. After the rewrite, all the security features of Apache will be applied. With mod_rewrite it's also possible to do delegate to a proxy. This let some minor possibilities to force a false behaviour. If this is possible, it's all due a misconfiguration of your rules. IMHO is secure, because it's hooked into a phase of a request, where not a lot of misconfigurations can happen. Mod_rewrite is widely in major web applications like Wordpress, Drupal, Joomla. Mostly to generate SEO-friendly URL's.
来源:https://stackoverflow.com/questions/5000254/how-secure-is-mod-rewrite-on-htaccess