How to create a Profile URL for a user using $_GET['id']

Question

Hello,

Can someone advise me if I am performing the below steps correctly:

When a user wants to register on the website, register.php handles his/her request. Below is some of the code from register.php:

$sql="INSERT INTO Members (fldFullName, fldEmail, Password, Gender, DOB)
VALUES
('$fname','$email','$pass', '$gender', '$date')";

Particularly when I wrote the above code, I was somewhat new to PHP/MySQL and still am. Therefore, I made all of the fields above manually in the table via phpmyadmin. Furthermore, I also added the ID field manually via phpmyadmin, as the first field with auto increment and primary key of course. Why I did it manually, I can't remember the reason of. But I'm pretty sure that this may be the reason why I'm having problems.

What I'm trying to do is, when a user registers on the website, I want a profile URL to be created for him/her. For example, the field in the table could be named ProfileURL, whereas the actual value could be http://www.domain.com/profile.php?id=1, where the id is inherited from the actual ID in the table. How can I do this with my above code? Did I do something wrong when I decided to save all the fields manually via phpmyadmin? Note: I've also been creating tables, databases, fields manually via phpmyadmin. However, its values are INSERTed automatically of course. Am I even on the right track?

Thank you.

Answer 1

In profile.php, check for $_GET['id'], then if it exists, use a SELECT query for the same ID in the database. It would look something like this.

<?php
if (isset($_GET['id']))
{
    $id = (int) $_GET['id'];
    $sql = 'SELECT * FROM Members WHERE ID = ' . $id;

    // Then the rest of the code to check the results goes here
}
?>

A user with an ID of 1 would be profile.php?id=1

Answer 2

You are doing right. Now write SQL like this:

$sql = sprintf("SELECT * FROM Members WHERE ID=%d", mysql_real_escape_string($_GET['id']));

And you'll be able to get userdata by $_GET['id']. Remember to use mysql_real_escape_string to protect your queries against SQL injection. sprintf is also a good thing to substitute right data types like numbers or strings.

Answer 3

You don't heed to save profile url.
You have to build it dynamically.
Because most of the url remains the samy, only id is changing.
So, get id from the database and add it to the url.

Answer 4

As stated above, you don't need to save a profile URL to the database. I'm guessing all profile URLs are going to follow some standard form (i.e. www.example.com/profile.php?id=1)?

Well, if you saved all of those in your database and then you decided you were going to change the format to something like www.example.com/profile/1 you're going to have a lot of out-of-date data in your database. You're going to have to go through each record and update it, and that could be dangerous on a database table with say, millions of rows.

Therefore, the solution is to have a script that takes a parameter. Say profile.php. As above, you would check for the profile using the data in the $_GET array:

<?php
if (isset($_GET['id'])) {
    $id  = mysql_real_escape_string($_GET['id']);
    $sql = "SELECT * FROM members WHERE id = '$id' LIMIT 1";
    $res = mysql_query($sql);
    if (mysql_num_rows() > 0) {
        $member = mysql_fetch_object($res);
        // handle displaying of member's profile here
    }
    else {
        // member does not exist with ID
    }
}
?>

That way, if you decide to change the script name or use search engine-friendly URLs, you don't need to change your database structure.