Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to create user profiles with PHP and MySQL

I need some help on creating a user profile system. I want it to be like Facebook or Myspace where it has only the username after the address, no question marks or anything, for example, www.mysite.com/username. I have all the register, logging scripts, etc. all done, but how do I go to profiles using the URL example above, "/username"?

like image 413
Spyderfusion02 Avatar asked Jul 25 '09 00:07

Spyderfusion02


People also ask

How can I get profile in PHP?

The register. php page asks for the desired username, email, and password of the user, and then sends the entered data into the database, once the submit button is clicked. After this, the user is redirected to the index. php page where a welcome message and the username of the logged-in user is displayed.


2 Answers

You would need to create a mod rewrite that took the first directory and passed it as a $_GET parameter.

Try this:

RewriteEngine On
RewriteBase /

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)/$ index.php?user=$1

That should rewrite anything after '/' as index.php?user=directory

like image 100
3 revs Avatar answered Oct 15 '22 02:10

3 revs


Here's the abridged version of my answer, in case anyone a tldr moment:

  1. Create a directory called "users".
  2. Inside that directory, make an .htaccess file with the following mod_rewrite:

    REQUEST_URIRewriteEngine on

    RewriteRule !\.(gif|jpg|png|css)$ /your_web_root/users/index.php'REQUEST_URI

Now all page requests for any extensions not in the parenthesis made to the users directory will go to index.php

index.php takes the URL that the user put in, and grabs the bit at the end. There are tons of ways of doing this, here's a simple on if you know the last part will always be a user name and not, maybe, username/pics/ :

 $url_request = $_SERVER['REQUEST_URI']; //Returns path requested, like "/users/foo/"
 $user_request = str_replace("/users/", "", $url_request); //this leaves only 'foo/'
 $user_name = str_replace("/", "", $user_request); //this leaves 'foo'

Now, just do a query to the DB for that username. If it exists, index.php outputs the profile, if it doesn't have the script redirect to: /users/404.php

But if the user does exist, all your visitor will see is that they put in

www.example.org/users/foo/

and they got to foo's user page.

No get variables for a hacker to exploit, and a pretty, easy to put on another blog or business card URL.


Actually, it is possible to get rid of the "?" and have a nice simple www.example.org/users/someusername.

I learned about this is on Till Quack's article "How to Succeed with URLs" on A List Apart.

So you will need to understand Apache, .htaccess, and mod_rewrite, and this method does require you to understand the security risks and account for them. Here's the basic idea:

You create a directory called "users" (you don't have to, but this will simplify the whole thing), and in that directory, you put your .htaccess file which contains a mod_rewite that effectively says "all file or directory requests that aren't of a certain kind (images, pdfs) should be sent to this script, which will handle where to send the user." The mod_rewrite from the article looks like this:

RewriteEngine on
RewriteRule !\.(gif|jpg|png|css)$ /your_web_root/index.php

In my example it would be "/your_web_root/users/index.php", the reason why it's more simple is because instead of this script handling ALL requests on your page, it's just dealing with the ones in the user directory.

Then, you have a php script that says "okay, what was the URL given?" and it basically grabs the part after the last trailing slash (or two, if there is another one at the very end), and SANITIZES what it finds (that's really crucial) and says "does this username exist in my DB?" If yes, it sends the requester to the user's profile, but with a pretty URL (we'll get to that in a second), if not, it sends them to a "User Not Found" page, or whatever you want.

So if it does find your user, the PHP script will output the user profile (Again, make sure to sanitize it. Any jerk user you may have can --if you give them the opportunity--embed malicious code into their own profile, knowing the browsers that views the profile will execute that code). Since the page requested was:

www.example.org/users/example_user

and since you are using mod_rewrite instead of a redirect, the URL stays the same and the script that the .htaccess file pulls up just dumps the user profile. To the visitor, they just see that they put in the above url, and the user profile showed up.

You also want to the PHP script that checks for the user to do a redirect to a "user not found" page, instead of simply having it output a "user_not_found" page. This is so anyone who puts in:

www.example.org/users/blabhaboehbohe

Will see the URL change to

www.example.org/users/notfound/

instead of seeing the URL stay the same. If a hacker sees that the URL doesn't change, they now know that you are using a mod_rewrite and thus there must be a script handling the actual output. If they know that, they can start going crazy looking for every security hole you may have left open.

cheers.

like image 29
Anthony Avatar answered Oct 15 '22 00:10

Anthony