Mobile app version of vmapp.org
Login or Join
Nickens628

: Which component handle php's GET parameters in a URL In a webserver, which component handles the translation of URL parameters to the $_GET global variable? Is that a module in PHP engine, or

@Nickens628

Posted in: #Php #UrlParameters #UrlRewriting #Webserver

In a webserver, which component handles the translation of URL parameters to the $_GET global variable?

Is that a module in PHP engine, or a module of the web server (Apache, Nginx)?

I'm asking because since I'm not using GET (only POST/ meaningfull links where parameters are already part of the link), I was searching for a way to disable $_GET in order to avoid someone use it accidentally.

The final goal is not to block the HTTP's GET method, but just to disable/remove the logic that read URL's parameters and translate these into PHP's $_GET.

If possible I want to remove physically (erasing the module file) modules that handle this. If not I want to set that option both in PHP and Webserver (in case there's some GET's logic in both packages).

10.02% popularity Vote Up Vote Down


Login to follow query

More posts by @Nickens628

2 Comments

Sorted by latest first Latest Oldest Best

 

@Ogunnowo487

The $_GET PHP superglobal is set by PHP when it parses the URL's query string (request headers) made available through Apache. As far as I know you can not prevent PHP from doing this.

However, you can reset this variable at the top of your script. eg. $_GET = Array();

And neither can you prevent Apache from parsing the URL / query string. This is intrinsic to any webserver. Apache only parses out the query string as a whole, it does not separate it into URL parameters - that is what the server-side language parser does (PHP in this case).

The best you can do is either block requests that contain a query string or redirect to the canonical URL (since the user can always append a query string to the request).

For example, to block requests (ie. send a 403 Forbidden) that contain a query string, in your server config using mod_rewrite on Apache:

RewriteEngine On
RewriteCond %{QUERY_STRING} .
RewriteRule ^ - [F]


Or, to redirect to the same URL, less the query string

RewriteEngine On
RewriteCond %{QUERY_STRING} .
RewriteRule ^ %{REQUEST_URI}? [R=301,L]


On Apache 2.4 you can use the QSD param to Discard the Query String instead of appending a ? to the end of the RewriteRule substitution. ie. RewriteRule ^ %{REQUEST_URI} [QSD,R=301,L].

By removing the query string from the request then the PHP $_GET superglobal will naturally be empty.

10% popularity Vote Up Vote Down


 

@Cofer257

GET/POST are HTTP headers that either request/send data. These are handled by the server initially and are part of the standard HTTP request methods.

To do this in Apache, at the top of your domain config:

<Limit GET>
deny from all
</Limit>


You can test which methods are available by sending an OPTIONS request to the server. This should return all the possible methods accepted on the server end.

Edit: New answer since the question has been changed.

The PHP module in Apache can be disabled but then you can't parse PHP files. What you're looking to do is prevent the use of Query strings. The answer here is to rewrite them before they're passed on when the PHP file is parsed and run. You'll want to configure Apache to drop query strings with a rewrite:

RewriteEngine On
RewriteCond %{QUERY_STRING} *.
RewriteRule (.*) ? [R=permanent]

10% popularity Vote Up Vote Down


Back to top | Use Dark Theme