How to create user profiles with PHP and MySQL
Asked Answered
A

3

9

I need some help on creating a user profile system. I want it to be like Facebook or Myspace where it has only the username after the address, no question marks or anything, for example, www.mysite.com/username. I have all the register, logging scripts, etc. all done, but how do I go to profiles using the URL example above, "/username"?

Aglow answered 25/7, 2009 at 0:22 Comment(0)
C
7

You would need to create a mod rewrite that took the first directory and passed it as a $_GET parameter.

Try this:

RewriteEngine On
RewriteBase /

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)/$ index.php?user=$1

That should rewrite anything after '/' as index.php?user=directory

Cyrillus answered 25/7, 2009 at 0:22 Comment(11)
Actually .. fairly simple. Just put that into a .htaccess in the root directory.Bartholomew
From everywhere I can find on Google, that should be correct.Bartholomew
Just to be safe, I added the conditions to make sure that if it a file exists, it will be redirected too.Bartholomew
Thanks I'll try it out, but I don't really know where to put it? I'm using MAMP server. Is there a common .htaccess file to put it in?Aglow
Setting this to community wiki so someone with better knowledge of mod_rewrite can rewrite this.Bartholomew
Put it in a file called .htaccess by your index.phpBartholomew
Is there a way to get rid of the "?".Aglow
You mean on the resulting string? no. That is part of PHP and $_GET parameters.Bartholomew
You have the right method, Chacha, but take a look at my answer regarding the GET parameter. If you use mod_rewrite to go to the same script every time,there wouldn't be a GET variable, the script can just parse the URL to find the username.Demetrius
And using the mod_rewrite to go to a script that manages the output is safer, too, even though it requires more work to make it safe, because now you are not revealing to users what the script is doing (or that there is a script, for that matter). Whenever you have GET variables, you are giving malicious users a hint on what the script is doing.Demetrius
@Spyderfusion: In case my talk of security is a bit intimidating, feel free to ask any questions as comments and I can break it down for you. But you really need to be careful. If your profile creating page as a "textarea" box, and you aren't sanitizing that input, I could put in a <script>do something evil</script> in the middle of the "about me" part and the PHP will echo it out to a visitor and the visitor's browser WILL try to run that evil script.Demetrius
D
4

Here's the abridged version of my answer, in case anyone a tldr moment:

  1. Create a directory called "users".
  2. Inside that directory, make an .htaccess file with the following mod_rewrite:

    REQUEST_URIRewriteEngine on

    RewriteRule !\.(gif|jpg|png|css)$ /your_web_root/users/index.php'REQUEST_URI

Now all page requests for any extensions not in the parenthesis made to the users directory will go to index.php

index.php takes the URL that the user put in, and grabs the bit at the end. There are tons of ways of doing this, here's a simple on if you know the last part will always be a user name and not, maybe, username/pics/ :

 $url_request = $_SERVER['REQUEST_URI']; //Returns path requested, like "/users/foo/"
 $user_request = str_replace("/users/", "", $url_request); //this leaves only 'foo/'
 $user_name = str_replace("/", "", $user_request); //this leaves 'foo'

Now, just do a query to the DB for that username. If it exists, index.php outputs the profile, if it doesn't have the script redirect to: /users/404.php

But if the user does exist, all your visitor will see is that they put in

www.example.org/users/foo/

and they got to foo's user page.

No get variables for a hacker to exploit, and a pretty, easy to put on another blog or business card URL.


Actually, it is possible to get rid of the "?" and have a nice simple www.example.org/users/someusername.

I learned about this is on Till Quack's article "How to Succeed with URLs" on A List Apart.

So you will need to understand Apache, .htaccess, and mod_rewrite, and this method does require you to understand the security risks and account for them. Here's the basic idea:

You create a directory called "users" (you don't have to, but this will simplify the whole thing), and in that directory, you put your .htaccess file which contains a mod_rewite that effectively says "all file or directory requests that aren't of a certain kind (images, pdfs) should be sent to this script, which will handle where to send the user." The mod_rewrite from the article looks like this:

RewriteEngine on
RewriteRule !\.(gif|jpg|png|css)$ /your_web_root/index.php

In my example it would be "/your_web_root/users/index.php", the reason why it's more simple is because instead of this script handling ALL requests on your page, it's just dealing with the ones in the user directory.

Then, you have a php script that says "okay, what was the URL given?" and it basically grabs the part after the last trailing slash (or two, if there is another one at the very end), and SANITIZES what it finds (that's really crucial) and says "does this username exist in my DB?" If yes, it sends the requester to the user's profile, but with a pretty URL (we'll get to that in a second), if not, it sends them to a "User Not Found" page, or whatever you want.

So if it does find your user, the PHP script will output the user profile (Again, make sure to sanitize it. Any jerk user you may have can --if you give them the opportunity--embed malicious code into their own profile, knowing the browsers that views the profile will execute that code). Since the page requested was:

www.example.org/users/example_user

and since you are using mod_rewrite instead of a redirect, the URL stays the same and the script that the .htaccess file pulls up just dumps the user profile. To the visitor, they just see that they put in the above url, and the user profile showed up.

You also want to the PHP script that checks for the user to do a redirect to a "user not found" page, instead of simply having it output a "user_not_found" page. This is so anyone who puts in:

www.example.org/users/blabhaboehbohe

Will see the URL change to

www.example.org/users/notfound/

instead of seeing the URL stay the same. If a hacker sees that the URL doesn't change, they now know that you are using a mod_rewrite and thus there must be a script handling the actual output. If they know that, they can start going crazy looking for every security hole you may have left open.

cheers.

Demetrius answered 25/7, 2009 at 2:39 Comment(0)
U
2

Take a look at the rewrite engine. Some frameworks also have classes to do this job like Zend Framework has Zend_Router which you can use. You can use this one by it self, other frameworks have them as well, check the docs for your preferred flavor.

Unsettle answered 25/7, 2009 at 0:42 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.