I'm using .htaccess mod_rewrite to convert a nice URL, and using a PHP variable page to send the URL portion to index.php, where the rest of the processing is done.

RewriteRule ^([a-zA-Z0-9-_/]+)$ index.php?page=$1 [QSA,L]

Now, if some malicious user passes the page variable via query string, it gets accepted. For example, if the user calls http://mysite.com/login?page=registration, instead of loading the login page, the user-specified registration page gets loaded.

Any idea how to fix it within the htaccess file?
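
The behaviour described in the question, with the weak rule beside a hardened one, as an added example that is not part of the original post. It assumes index.php needs no GET parameter other than page; the RewriteEngine line is included only so the fragment stands alone.

```apache
RewriteEngine On

# Weak form (from the question). [QSA] appends the client's query string
# AFTER the one built by the rule, so a request for
#     /login?page=registration
# is rewritten internally to
#     index.php?page=login&page=registration
# PHP keeps the last value of a repeated parameter, so $_GET['page']
# ends up as "registration" instead of "login".
#
# RewriteRule ^([a-zA-Z0-9-_/]+)$ index.php?page=$1 [QSA,L]

# Hardened form. Without [QSA], a substitution that carries its own query
# string replaces the client's query string instead of merging with it.
# The same request is now rewritten to
#     index.php?page=login
# and the client-supplied page=registration never reaches PHP.
RewriteRule ^([a-zA-Z0-9-_/]+)$ index.php?page=$1 [L]
```

Dropping [QSA] discards every client-supplied query parameter, not only page, so any other value the application needs has to be carried in the path and captured by the rule.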