Mask All URLs on Your Server and Route Them to Dynamic PHP Views

In modern PHP applications, clean URLs are no longer a luxury — they are a core part of user experience, SEO ranking, and business security. Whether you're building an e-commerce website, SaaS product, dashboard, or custom CMS, one of the biggest challenges is:

How do I make every URL on the server resolve to my main PHP router and load the correct page dynamically?

In this lesson, we walk through a real-life example taken from production systems used by online stores and custom business solutions. You will learn step-by-step how to:

• Mask all URLs using .htaccess
• Create a fully dynamic PHP router
• Protect your system using filtering and sanitization
• Load pages from clean URLs like /login instead of login.php
• Apply this technique to any project — e-commerce, dashboards, SaaS, or CMS

This is one of the most important lessons in the course because it solves problems that millions of developers face every day.

1. Why We Need to Mask All URLs?

Imagine your application has many pages:

• login.php
• register.php
• products.php
• category.php
• dashboard.php

Typing URLs like this is not professional:

https://example.com/login.php
https://example.com/products.php

Modern apps need:

https://example.com/login
https://example.com/register
https://example.com/products

To do that, we use masked URLs + a dynamic PHP view loader. This technique is similar to frameworks like Laravel, WordPress, and CodeIgniter — but simpler.

2. .htaccess: Rewrite Every URL to index.php

The first step is writing a clean and secure .htaccess rewrite rule that captures every request and forwards it to index.php.

<ifmodule mod_rewrite.c>
  RewriteEngine On

  # Force redirect HTTP → HTTPS (optional)
  # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-l

  RewriteRule ^(.*)$ index.php?index=$1 [QSA,L]

  # Basic protection against malicious requests
  RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
</ifmodule>

This ensures that:

• All URLs go to index.php
• Unless the URL points to a real file
• Or a real folder
• Or an image, CSS, JS, PDF, etc.

This is exactly how large platforms like WordPress handle URLs — and now your application can do the same without using a framework.

3. Building a Secure URL Filter Class

Routing URLs is dangerous if not filtered. Attackers can inject scripts or attempt file inclusion attacks.

Here is a safe reusable filter class:

class Filter
{
  public static function String($string, $html = false) {
    return $html 
      ? filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS)
      : filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
  }

  public static function Email($email) {
    return filter_var($email, FILTER_SANITIZE_EMAIL);
  }

  public static function URL($url) {
    return filter_var($url, FILTER_SANITIZE_URL);
  }

  public static function Int($integer) {
    return (int) filter_var($integer, FILTER_SANITIZE_NUMBER_INT);
  }

  public static function url_segm($segm, $e) {
    if(isset($_GET[$segm])):
      $cl_url = preg_replace('/[^A-Za-z0-9\-\_\/]/', ' ', $_GET[$segm]);
      $cl_url = preg_replace('/\s+/', ' ', $cl_url);
      $segm_array = explode('/', $cl_url);
      return $segm_array[$e] ?? false;
    endif;
  }
}

This prevents:

• SQL injection
• URL injection
• File inclusion attacks
• XSS attempts

4. The Dynamic Router: Loading Views Based on the URL

Now we connect everything inside index.php.

include_once('inc/header.php');

$pages = [
  'register' => 'create_new_account',
  'login'    => 'login_user_area'
];

$page = 'products.php';

if(isset($_GET['index'])):
  $index = Filter::String(Filter::url_segm('index', 0));
  if(array_key_exists($index, $pages)):
    $page = $pages[$index] . '.php';
  endif;
endif;

include_once("indexes/{$page}");
include_once('inc/footer.php');

This means:

• /login → loads indexes/login_user_area.php
• /register → loads indexes/create_new_account.php
• /anything-else → loads products.php

You can now organize your project exactly like professional enterprise systems.

5. Project Structure (Best Practice)

/inc
   header.php
   footer.php
   filters.php

/indexes
   login_user_area.php
   create_new_account.php
   products.php

assets/css/style.css
.htaccess
index.php

This structure is scalable, clean, and easy to maintain as your application grows into hundreds of pages.

6. Real-Life Use Cases

This URL masking strategy is used by businesses of all sizes:

• E-commerce: category pages, product URLs, checkout paths
• Learning platforms: course URLs, lessons, user dashboards
• CRM & ERP systems: clients, projects, invoices
• Custom PHP dashboards
• Membership sites
• SaaS applications

By masking URLs and using a dynamic routing mechanism, your application becomes:

• Simpler
• More secure
• SEO-friendly
• More professional

8. Summary

You’ve just learned how to transform any PHP project into a clean, scalable, secure system using URL masking and dynamic routing. This technique is used across millions of real-world websites and applications — and now it’s part of your PHP skillset.

Next Step: Continue to the next lesson in your course “Level 1 PHP PDO AJAX Basics With Store Functional Examples”.