I need some help on creating a user profile system. I want it to be like Facebook or Myspace where it has only the username after the address, no question marks or anything, for example, www.mysite.com/username
. I have all the register, logging scripts, etc. all done, but how do I go to profiles using the URL example above, "/username"?
You would need to create a mod rewrite that took the first directory and passed it as a $_GET parameter.
Try this:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)/$ index.php?user=$1
That should rewrite anything after '/' as index.php?user=directory
Here's the abridged version of my answer, in case anyone a tldr moment:
- Create a directory called "users".
Inside that directory, make an .htaccess file with the following mod_rewrite:
REQUEST_URIRewriteEngine on
RewriteRule !\.(gif|jpg|png|css)$ /your_web_root/users/index.php'REQUEST_URI
Now all page requests for any extensions not in the parenthesis made to the users directory will go to index.php
index.php takes the URL that the user put in, and grabs the bit at the end. There are tons of ways of doing this, here's a simple on if you know the last part will always be a user name and not, maybe, username/pics/ :
$url_request = $_SERVER['REQUEST_URI']; //Returns path requested, like "/users/foo/"
$user_request = str_replace("/users/", "", $url_request); //this leaves only 'foo/'
$user_name = str_replace("/", "", $user_request); //this leaves 'foo'
Now, just do a query to the DB for that username. If it exists, index.php outputs the profile, if it doesn't have the script redirect to: /users/404.php
But if the user does exist, all your visitor will see is that they put in
www.example.org/users/foo/
and they got to foo's user page.
No get variables for a hacker to exploit, and a pretty, easy to put on another blog or business card URL.
Actually, it is possible to get rid of the "?" and have a nice simple www.example.org/users/someusername.
I learned about this is on Till Quack's article "How to Succeed with URLs" on A List Apart.
So you will need to understand Apache, .htaccess, and mod_rewrite, and this method does require you to understand the security risks and account for them. Here's the basic idea:
You create a directory called "users" (you don't have to, but this will simplify the whole thing), and in that directory, you put your .htaccess file which contains a mod_rewite that effectively says "all file or directory requests that aren't of a certain kind (images, pdfs) should be sent to this script, which will handle where to send the user." The mod_rewrite from the article looks like this:
RewriteEngine on
RewriteRule !\.(gif|jpg|png|css)$ /your_web_root/index.php
In my example it would be "/your_web_root/users/index.php", the reason why it's more simple is because instead of this script handling ALL requests on your page, it's just dealing with the ones in the user directory.
Then, you have a php script that says "okay, what was the URL given?" and it basically grabs the part after the last trailing slash (or two, if there is another one at the very end), and SANITIZES what it finds (that's really crucial) and says "does this username exist in my DB?" If yes, it sends the requester to the user's profile, but with a pretty URL (we'll get to that in a second), if not, it sends them to a "User Not Found" page, or whatever you want.
So if it does find your user, the PHP script will output the user profile (Again, make sure to sanitize it. Any jerk user you may have can --if you give them the opportunity--embed malicious code into their own profile, knowing the browsers that views the profile will execute that code). Since the page requested was:
www.example.org/users/example_user
and since you are using mod_rewrite instead of a redirect, the URL stays the same and the script that the .htaccess file pulls up just dumps the user profile. To the visitor, they just see that they put in the above url, and the user profile showed up.
You also want to the PHP script that checks for the user to do a redirect to a "user not found" page, instead of simply having it output a "user_not_found" page. This is so anyone who puts in:
www.example.org/users/blabhaboehbohe
Will see the URL change to
www.example.org/users/notfound/
instead of seeing the URL stay the same. If a hacker sees that the URL doesn't change, they now know that you are using a mod_rewrite and thus there must be a script handling the actual output. If they know that, they can start going crazy looking for every security hole you may have left open.
cheers.
Take a look at the rewrite engine. Some frameworks also have classes to do this job like Zend Framework has Zend_Router which you can use. You can use this one by it self, other frameworks have them as well, check the docs for your preferred flavor.
© 2022 - 2024 — McMap. All rights reserved.