<p>Here's the abridged version of my answer, in case anyone has a tldr moment:</p>
<ol>
<li>Create a directory called "users".</li>
<li><p>Inside that directory, make an .htaccess file with the following mod_rewrite:</p>
<pre><code>RewriteEngine on
RewriteRule !\.(gif|jpg|png|css)$ /your_web_root/users/index.php
</code></pre></li>
</ol>
<p>Now all page requests for any extensions not in the parenthesis made to the users directory will go to index.php</p>
<p>index.php takes the URL that the user put in, and grabs the bit at the end. There are tons of ways of doing this; here's a simple one if you know the last part will always be a user name and not, maybe, username/pics/ :</p>
<pre><code>&lt;?php
$url_request = $_SERVER['REQUEST_URI']; // Returns path requested, like "/users/foo/"
$user_request = str_replace("/users/", "", $url_request); // this leaves only 'foo/'
$user_name = str_replace("/", "", $user_request); // this leaves 'foo'
</code></pre>
<p>Now, just do a query to the DB for that username. If it exists, index.php outputs the profile; if it doesn't, have the script redirect to: /users/404.php</p>
<p>But if the user does exist, all your visitor will see is that they put in</p>
<pre><code>www.example.org/users/foo/
</code></pre>
<p>and they got to foo's user page.</p>
<p>No get variables for a hacker to exploit, and a pretty URL, easy to put on another blog or business card.</p>
<hr>
<p>Actually, it is possible to get rid of the "?" and have a nice simple www.example.org/users/someusername.</p>
<p>I learned about this on Till Quack's article "<a href="http://www.alistapart.com/articles/succeed/" rel="nofollow noreferrer">How to Succeed with URLs</a>" on <a href="http://www.alistapart.com/" rel="nofollow noreferrer">A List Apart</a>.</p>
<p>So you will need to understand Apache, .htaccess, and mod_rewrite, and this method does require you to understand the security risks and account for them. Here's the basic idea:</p>
<p>You create a directory called "users" (you don't have to, but this will simplify the whole thing), and in that directory, you put your .htaccess file which contains a mod_rewrite that effectively says "all file or directory requests that aren't of a certain kind (images, pdfs) should be sent to this script, which will handle where to send the user." The mod_rewrite from the article looks like this:</p>
<pre><code>RewriteEngine on
RewriteRule !\.(gif|jpg|png|css)$ /your_web_root/index.php
</code></pre>
<p>In my example it would be "/your_web_root/users/index.php"; the reason why it's simpler is because instead of this script handling ALL requests on your page, it's just dealing with the ones in the user directory.</p>
<p>Then, you have a php script that says "okay, what was the URL given?" and it basically grabs the part after the last trailing slash (or two, if there is another one at the very end), and SANITIZES what it finds (that's really crucial) and says "does this username exist in my DB?" If yes, it sends the requester to the user's profile, but with a pretty URL (we'll get to that in a second); if not, it sends them to a "User Not Found" page, or whatever you want.</p>
<p>So if it does find your user, the PHP script will output the user profile (Again, make sure to sanitize it. Any jerk user you may have can, if you give them the opportunity, embed malicious code into their own profile, knowing the browser that views the profile will execute that code). Since the page requested was:</p>
<pre><code>www.example.org/users/example_user
</code></pre>
<p>and since you are using mod_rewrite instead of a redirect, the URL stays the same and the script that the .htaccess file pulls up just dumps the user profile. To the visitor, they just see that they put in the above URL, and the user profile showed up.</p>
<p>You also want the PHP script that checks for the user to do a redirect to a "user not found" page, instead of simply having it output a "user_not_found" page. This is so anyone who puts in:</p>
<pre><code>www.example.org/users/blabhaboehbohe
</code></pre>
<p>will see the URL change to</p>
<pre><code>www.example.org/users/notfound/
</code></pre>
<p>instead of seeing the URL stay the same. If a hacker sees that the URL doesn't change, they now know that you are using a mod_rewrite and thus there must be a script handling the actual output. If they know that, they can start going crazy looking for every security hole you may have left open.</p>
<p>cheers.</p>
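<p>The answer describes the users/index.php script only in outline (grab the last path segment, sanitize it, query the DB, redirect on a miss, escape the profile on output). The following is an added worked example of that script, not code from the answer or from the A List Apart article. It assumes a PDO connection to a hypothetical SQLite file users.sqlite with a table <code>users(username, bio)</code>, and that the not-found page lives at /users/notfound/ as in the answer. One caveat the answer's rewrite rule creates: /users/notfound/ does not end in gif, jpg, png or css, so Apache sends that request to this same script too; the script therefore has to serve the not-found page itself, otherwise the redirect loops.</p>

```php
<?php
// Added example: a hardened users/index.php for the mod_rewrite setup above.
// Assumptions (hypothetical, not from the answer): PDO over users.sqlite,
// a users(username, bio) table, and /users/notfound/ as the 404 page.
declare(strict_types=1);

// Pull the candidate user name out of the raw request URI. parse_url drops any
// query string, so "?foo=bar" never reaches the lookup, and the whitelist regex
// is the sanitization step the answer stresses: dots, slashes, "..", nested
// paths like foo/pics/ and percent-encoded bytes are all rejected here.
function extractUserName(string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    if (preg_match('#^/users/([A-Za-z0-9_-]{1,32})/?$#', $path, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Look the name up with a prepared statement: the user name is bound as data,
// never concatenated into the SQL text.
function findUser(PDO $pdo, string $userName): ?array
{
    $stmt = $pdo->prepare('SELECT username, bio FROM users WHERE username = :u');
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render the profile. Every value that came from the database is HTML-escaped
// on output, so a user cannot embed script in their own bio (the "jerk user"
// case in the answer).
function renderProfile(array $user): string
{
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $h($user['username']) . '</h1>'
         . '<p>' . $h($user['bio'] ?? '') . '</p>';
}

// Entry point when Apache rewrites a /users/... request to this file.
if (PHP_SAPI !== 'cli') {
    $requestUri = $_SERVER['REQUEST_URI'] ?? '';

    // The rewrite rule routes /users/notfound/ here as well, so answer it
    // directly with a 404 instead of redirecting to ourselves forever.
    if (parse_url($requestUri, PHP_URL_PATH) === '/users/notfound/') {
        http_response_code(404);
        echo '<h1>User not found</h1>';
        exit;
    }

    $pdo = new PDO('sqlite:' . __DIR__ . '/users.sqlite'); // hypothetical DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $userName = extractUserName($requestUri);
    $user = $userName === null ? null : findUser($pdo, $userName);
    if ($user === null) {
        // Redirect on a miss, as the answer recommends, so the visible URL changes.
        header('Location: /users/notfound/', true, 302);
        exit;
    }
    echo renderProfile($user);
}
```

<p>The three defensive points the answer makes are each tied to one function here: the path whitelist in <code>extractUserName</code> is the sanitization of the incoming URL, the bound parameter in <code>findUser</code> keeps the user name out of the SQL text, and the escaping in <code>renderProfile</code> stops profile content from being interpreted as markup. The functions are kept free of request handling so they can be unit-tested from the command line without Apache.</p>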