RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 9

“./configure” \
“–enable-auth-digest” \
“–enable-deflate” \
“–enable-rewrite” \
“–enable-so” \
“–enable-vhost-alias” \
“–disable-userdir” \
“–enable-mime-magic” \

configure: error: mod_deflate has been requested but can not be built due to prerequisite failures

I fixed this by installing zlib from source.

/login/15/return_page%2F50

it won’t work. FYI, the last part is a return page. In this instance, lets just pretend it’s a return page that’s supposed to get hit after a successful login.

Using Apache 2.2.3.

configure: error: Cannot use an external APR-util with the bundled APR

After searching around for a while, I found a tip here to include this in my configure:

--with-included-apr

Built on MacOS X 10.4.

1. Use HTML_Safe (or a similar javascript stripping library) to check for and remove javascript when you’re accepting data that will be output to a page.
2. Check every get and post variable for validity.

Every web site has url like “dosomething.php?id=3″. Make sure that id you’re accepting is actually a number (or whatever type you’re allowing).

3. Escape strings before sending to the database. Not doing so leaves you wide open to SQL injection.
4. Make sure display_errors, magic_quotes, and register globals are all off. Log the errors to the error_log instead.
5. If you have root access, don’t fall to far behind in stable releases. Bugs are fixed all the time.
6. Do not blindly send mail to the address entered in a form. It’s easy for someone to perform header injection and spam thousands of people before you’ll even notice. Do not under any circumstances use Jack’s formmail. Your IP will get banned by major mail servers.
7. Use a firewall/iptables. Turn off all ports you aren’t using.
8. Do not write any sensitive data to a cookie. I thought this was obvious but I’ve seen it enough where I throw it in the list.
9. Don’t put senstive directories in robots.txt as your only security. Password protect your admin areas.
10. Back up your stuff offsite. Have the offsite computer connect to the server to download the backup, not the other way around.

On the MySQL end, I use show processlist to try to figure out what’s causing the issue. However, sometimes there’s just 150 queries in there doing nothing (occasionally just selects). I’m guessing it’s either a locking issue or perhaps it’s an issue with to much disk access causing the problem.

On the web server end, it’s a little more difficult. Ideally I’d like to know what url was originally called to create the hung apache process – does anyone know how to figure this out? Running on Fedora Core release 5 (Bordeaux).

A good alternative to mod_rewrite is to use Multiviews. Multiviews are specified in a per-directory basis, and have to be set explicitly.

<Directory /path/to/your/stuff>
Options  Multiviews
</Directory>

You can then use this function to make it useful:

function assign_get_vars()
{
	$args = func_get_args();
	$path_info = $_SERVER['PATH_INFO'];
	$p = explode("/", substr($path_info,1) );

	// assign the vars
	$total = count($args);
	for($i=0; $i < $total; $i++)
	{
		$name = $args[$i];
		$_GET[$name] = $p[$i];
		$_REQUEST[$name] = $p[$i];
	}
}

Example:
Say you have this page: /forums/view.php
You can call it like this: /forums/view/444/2

In your PHP script, add this to the top:

assign('thread','page');

You can now refer to $_GET['thread'] and $_GET['page'] as if they were set by the server.

A benefit of Multiviews is that it lets you drop the file extension.

Hope this is of some use to someone. Comments are welcome and encouraged.