I recently had an RFI attack where the query string had a bunch of ../../../ and I’d like to modify .htaccess to prevent any ../ in the query string.
I was trying this until I realized the period needed to be escaped:
RewriteCond %{QUERY_STRING} ../
RewriteRule .* - [F]
I then changed it to:
RewriteCond %{QUERY_STRING} \.\./
RewriteRule .* - [F]
But it still forbids any / in the query string.
Also, if I have the rule on {REQUEST_URI}, would that make the {QUERY_STRING} rule redundant?
Thanks.
EDIT:
I have had success getting this to work by:
RewriteCond %{QUERY_STRING} (\.\./)
However, RewriteCond %{REQUEST_URI} \.\./ or RewriteCond %{REQUEST_URI} (\.\./) does not. I've also tried /\.\./ and (/\.\./)
The %{QUERY_STRING} is everything after the ?, so your rules successfully block a URL like this:
But your URI won't be checked. You can check against both by amending your rule:
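As an added example that is not part of the answer above, here is one way to write a combined check in .htaccess. It assumes the traversal sequence arrives either literally (../) or percent-encoded (%2e%2e%2f), and it relies on two mod_rewrite facts: %{QUERY_STRING} is handed to RewriteCond raw (not URL-decoded), and %{REQUEST_URI} has already had ../ segments collapsed by the Apache core before mod_rewrite runs, which is why a RewriteCond on %{REQUEST_URI} never matches; the raw request line is available as %{THE_REQUEST} instead.

```apache
# Added example, not from the original question or answer.
# Deny (403) any request carrying a "../" traversal sequence, literal or
# percent-encoded, in the query string or in the raw request line.
RewriteEngine On

# Query string = everything after "?". mod_rewrite does not URL-decode it,
# so match the encoded form of each "." and "/" as well. [NC] makes %2E match.
RewriteCond %{QUERY_STRING} (\.|%2e){2}(/|%2f) [NC,OR]

# %{REQUEST_URI} is the normalized path: Apache has already collapsed "../"
# segments before mod_rewrite sees it, so check the raw request line instead
# ("GET /index.php?page=../../etc/passwd HTTP/1.1"). It contains the query
# string too, so this condition alone would suffice; the one above is kept so
# the two checks map onto the two variables asked about.
RewriteCond %{THE_REQUEST} (\.|%2e){2}(/|%2f) [NC]

# "-" leaves the URL unchanged; [F] returns 403 Forbidden and implies [L].
RewriteRule ^ - [F]
```

Because %{THE_REQUEST} is the unmodified request line, this also catches traversal attempts in the path portion of the URL, not only in the query string. Keep in mind that blocking the string "../" is a coarse filter: it stops the exact pattern seen in the logs, but the underlying include of user-supplied file paths still needs to be fixed in the application.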