mod_rewrite: A Beginner's Guide to URL Rewriting

Key Takeaways

URL rewriting is crucial for website security, user-friendliness, and search engine optimization. It prevents harmful modifications of URLs, simplifies complex URLs for better user experience, and makes the site more searchable by search engines.
Apache’s mod_rewrite module is a powerful tool for URL rewriting. It needs to be enabled in the Apache configuration file to be used. It’s recommended to familiarize oneself with Apache’s configuration files and to test on a private server before implementing on a production server.
While URL rewriting can significantly improve SEO and user experience, it must be implemented correctly to avoid security risks, duplicate content, and slowed website performance. It’s important to keep rules simple and efficient, test thoroughly before deployment, and always validate and sanitize user input.

This article was written in 2002 and remains one of our most popular posts. If you’re keen to learn more about URLs, you may find this recent article on the “www” prefix, by Craig Buckler, of great interest.

So you’re a web developer who has all the bells and whistles on your site, creates Web-based applications that are both beautiful and work well. But what about these issues?

Applications Must Be Safe

A user must not be able to harm your site in any way by modifying a URL that points to your applications. In order to ensure your site’s safe, check all the GET variables coming from your visitors (I think it’s trivial to mention that the POST variables are a must to examine).

For example, imagine we have a simple script that shows all the products in a category.

Generally, it’s called like this:

myapp.php?target=showproducts&categoryid=123

But what will this application do if ScriptKiddie(tm) comes and types this in his browser:

myapp.php?target=showproducts&categoryid=youarebeinghacked

Well, many of the sites I’ve seen will drop some error message complaining about use of the wrong SQL query, invalid MySQL resource ID, and so on. These sites are not secure. And can anyone guarantee that a site-to-be-finished-yesterday will have all the parameter verifications — even in a programmer group having only two or three people?

Applications Must Be Search-Engine Friendly

It’s not generally known, but many of the search engines will not index your site in depth if it contains links to dynamic pages like the one mentioned above. They simply take the “name” part of the URL (that’s everything before the question mark, which contains the parameters that are needed for most of the scripts to run correctly), and then try to fetch the contents of the page. To make it clear, here are some links from our fictitious page:

myapp.php?target=showproducts&categoryid=123 myapp.php?target=showproducts&categoryid=124 myapp.php?target=showproducts&categoryid=125

Unfortunately, there’s a big chance that some of the search engines will try to download the following page:

myapp.php

In most cases calling a script like this causes an error but if not, I’m sure it will not show the proper contents the link was pointing to. Just try this search at google.com:

“you have an error in your sql syntax” .php -forum

There are both huge bugs and security threats in the scripts listed — again, these scripts are not search-engine friendly.

Applications must be user-friendly

If your application uses links like:

http://www.downloadsite.com?category=34769845698752354

then most of your visitors will find it difficult to get back to their favourite category (eg. Nettools/Messengers) every time they start from the main page of your site. Instead, they’d like to see URLs like this:

http://www.downloadsite.com/Nettools/Messengers

It’s even easier for the user to find (pick) the URL from the browsers’ drop-down list as they type into the Location field (though of course this only works if the user has visited that previously).

And what about you?

Now you have everything you need to answer the following questions:

Is your site really safe enough?
Can you protect your site from hackers?
Are your Websites search-engine compatible?
Are the URLs on your site ‘user friendly’ — are they easy to remember? Would you like them to be?

(everyone who answered ‘yes’ to all five questions: have a beer!)

An elegant solution

Okay, okay, I think you want to know the solution. Well, let’s get started. You’ll need:

everyone’s favourite Apache Webserver installed (v1.2 or later)
optionally, your favourite CGI scripts configured for Apache. Yes, I’ve said optionally, since what we’re going to do will happen right inside Apache and not PHP, or Perl, etc.
since (nearly) everything in Apache is controlled through its configuration files (httpd.conf, .htaccess, etc.), being familiar with these files might help you. You’ll also need to have write access to this file, and access to restart the Apache. I’d strongly recommend you do everything on a private testserver first, rather than on your own, or your company’s, production server!

Most of you will have read and/or heard about mod_rewrite — yes, it’s an Apache module, and it’s even installed by default! Go and check your modules directory (note that under *nix operating systems there’s a chance that your Apache was compiled with missing mod_rewrite, in which case, consult your sysadmin).

We’re going use this tiny module to achieve everything mentioned above. To use this module, first we have to enable it, since it’s initially disabled in the configuration file. Open the httpd.conf file and uncomment the following lines (remove the trailing #s):

#LoadModule rewrite_module modules/mod_rewrite.so #AddModule mod_rewrite.c

The first line tells Apache to load the mod_rewrite module, while the second one enables the use of it. After you restart Apache, mod_rewrite should be enabled, but not yet running.

Go to page: 1 | 2 | 3 | 4

Frequently Asked Questions on URL Rewriting

What is URL rewriting and why is it important?

URL rewriting is a technique used to provide a more user-friendly and search engine friendly URL for web pages. It involves changing complex URLs into simpler, readable ones that are easy to remember and index by search engines. This technique is crucial for improving the SEO of a website, enhancing user experience, and maintaining the cleanliness and organization of your website’s structure.

How does URL rewriting improve SEO?

URL rewriting can significantly improve SEO by making URLs more understandable for search engines and users. A well-structured URL provides both users and search engines with clear information about the page content. This can lead to better indexing and ranking on search engine results pages, driving more organic traffic to your website.

What are the different methods of URL rewriting?

There are several methods of URL rewriting, including using .htaccess files, using server-side scripts, or using URL rewriting tools provided by web servers like Apache’s mod_rewrite or Microsoft’s URL Rewrite Module. Each method has its own advantages and disadvantages, and the choice depends on your specific needs and server environment.

How can I implement URL rewriting using .htaccess?

To implement URL rewriting using .htaccess, you need to create a .htaccess file in your website’s root directory. Then, you can use RewriteRule directives to define URL rewriting rules. For example, to rewrite a URL from “example.com/page.php?id=1” to “example.com/page/1”, you can use the following rule: “RewriteRule ^page/([0-9]+)/?$ page.php?id=$1 [L]”.

What are the common mistakes to avoid in URL rewriting?

Some common mistakes to avoid in URL rewriting include creating overly complex rules, not testing rules thoroughly before deployment, and not considering the impact of URL rewriting on existing URLs and bookmarks. It’s also important to avoid creating duplicate content, which can harm your SEO.

Can URL rewriting be used for redirection?

Yes, URL rewriting can be used for redirection. In fact, it’s a common use case for URL rewriting. You can use URL rewriting to redirect users from old URLs to new ones, or to redirect users based on certain conditions, such as their location or the type of device they’re using.

How can I debug URL rewriting rules?

Debugging URL rewriting rules can be challenging, but there are several tools and techniques that can help. For example, you can use logging features provided by your web server, or use online tools that simulate URL rewriting rules. It’s also helpful to start with simple rules and gradually add complexity, testing each change thoroughly.

What is the difference between URL rewriting and URL redirecting?

While both URL rewriting and URL redirecting involve changing the URL that is displayed in the browser, they are used for different purposes. URL rewriting is used to change the structure of a URL without the user being aware of the change, while URL redirecting is used to send the user to a different URL entirely.

Can URL rewriting affect website performance?

While URL rewriting can improve user experience and SEO, it can also affect website performance if not implemented correctly. Each URL rewriting rule adds some overhead to the server, so it’s important to keep your rules as simple and efficient as possible. Also, using too many rules or overly complex rules can slow down your website.

Is URL rewriting secure?

URL rewriting can be secure if implemented correctly, but it can also introduce security risks if not handled properly. For example, if user input is included in the rewritten URL without proper validation and sanitization, it can lead to vulnerabilities such as cross-site scripting (XSS) or SQL injection. Therefore, it’s important to always validate and sanitize user input, and to use secure coding practices when implementing URL rewriting.