User profiles


liam1412

Okay

I'm pretty new to the whole PHP thing and I require a little advice.

I am creating a user system for my site. I want people to have their own profile and be able to browse others' profiles (in a kind of MySpace style - a list of 20 profiles, then click through to actually view the profile). So I go about creating my browse page using the query

[code]$browse_profiles = mysql_fetch_array($sql_browse_profile);[/code]

I can then echo out the parts of the array that I want to use in the display.

With me so far???

Now, at some point the person browsing is going to think: I want to view that person's profile. And click on the image to get taken to that profile.

My question at long last.

So to collect the array I would use
[code]$sql_browse_profile = mysql_query("SELECT * FROM users WHERE userid = 1");[/code]

How do I dynamically make the "WHERE userid = 1" be the userid of the person that the user has clicked on?

I have tried to explain the best I can, but if you don't understand just let me know.

Thanks in advance.
https://forums.phpfreaks.com/topic/29643-user-profiles/

When you output your overall list of profiles, you use the $browse_profiles['userid'] for each user to create a link with a querystring, e.g. "profile.php?userid=$browse_profiles[userid]" on, for example, their username.

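Then in profile.php, which might output a user's profile, you use $_GET['userid'], which you pass to your query.  You MUST validate this variable first, e.g.

[code]
// Read the id from the query string; fall back to '' if it is missing
$uid = isset( $_GET['userid'] ) ? $_GET['userid'] : '';
// Reject anything that is not numeric before it reaches the query
if( !is_numeric( $uid ) )
{
  die( 'Invalid data' );
}
$sql_browse_profile = mysql_query("SELECT * FROM users WHERE userid = $uid");
[/code]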

Hope that helps!
https://forums.phpfreaks.com/topic/29643-user-profiles/#findComment-136073
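
The two steps described in the answer above (one link per row on the browse page, then a validated lookup in profile.php), as an added example that is not part of the thread. It swaps the mysql_* calls for PDO with a bound parameter and validates with FILTER_VALIDATE_INT; the in-memory SQLite database, the sample rows and the function names are assumptions made so it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Schema, sample rows and function
// names are assumptions; an in-memory SQLite database stands in for MySQL.
declare(strict_types=1);

function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
    $pdo->exec("INSERT INTO users VALUES (1, 'liam'), (2, 'a<b>&co')"); // constructed rows
    return $pdo;
}

// Browse page: one link per row, built while that row is the current one,
// so every link carries its own userid rather than the last row's.
function profile_links(PDO $pdo): array {
    $links = [];
    foreach ($pdo->query('SELECT userid, username FROM users ORDER BY userid LIMIT 20') as $row) {
        $href = 'profile.php?' . http_build_query(['userid' => $row['userid']]);
        $links[] = sprintf('<a href="%s">%s</a>',
            htmlspecialchars($href, ENT_QUOTES, 'UTF-8'),             // escape for the attribute
            htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')); // escape stored text
    }
    return $links;
}

// profile.php: accept only a positive integer, then bind it as a parameter.
function load_profile(PDO $pdo, array $get): ?array {
    $uid = filter_var($get['userid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return null; // missing, an array, "1e3", "1.5", trailing text, or below 1
    }
    $stmt = $pdo->prepare('SELECT userid, username FROM users WHERE userid = :uid');
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row; // null also when no such user exists
}

$pdo = demo_db();
echo implode("\n", profile_links($pdo)), "\n";
// Constructed inputs: a valid id, two rejected strings, and an unknown id.
foreach (['2', '1e3', '1 OR 1=1', '999'] as $raw) {
    var_dump(load_profile($pdo, ['userid' => $raw]));
}
```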

Sorry if I sound really dumb here, but I thought $_GET only worked when pressing a submit button from a form.  Like I said, I really am new and probably biting off more than I can chew with my first project. But I like to throw myself in at the deep end. How does the info get stored into $_GET['userid'] without a submit button?

Thanks
https://forums.phpfreaks.com/topic/29643-user-profiles/#findComment-136076

Don't worry about it - we all start somewhere!! :)

The superglobal $_GET is filled by examining the requested URL as it is sent to the server.  You specify variables by adding a 'querystring' to the end of the URL, of the form '?name=value;name=value;...'

So for example, you could have http://www.domain.com/profile.php?id=22;display=full;greet=true

When profile.php is called, it has access to these variables via $_GET['id'], $_GET['display'] and $_GET['greet'], which will be equal to '22', 'full', and 'true' respectively.

Be aware though that because these variables are passed as plaintext in the URL, it is ESSENTIAL that you validate them somehow, as it is easy for a user to craft a URL that contains malicious values that could in turn exploit a poorly secured script - and cause no end of trouble.

Regarding form submission, you can use either GET or POST.  The POST data isn't passed in view in the URL, but behind the scenes.

Therefore, if you want to generate URLs that pass variables, such as a user id, it's easier to use a querystring and access them with $_GET.  For example, look at the URL in the address bar right now and you'll likely see a bunch of $_GET variables, such as 'action', 'topic', etc.

edit: erm, no you won't :). But you will on a reply page.  Also you can see such querystrings all over the place.  Do a Google search, then check the address bar.
https://forums.phpfreaks.com/topic/29643-user-profiles/#findComment-136120

You've had good advice. :)

To extend the above example, when register_globals is on, global variables called $id, $display and $greet would automatically be initialized and available in the profile.php script.  While this may not seem to be such a problem, consider if your script used a variable called $is_admin, which is not initialized to 'false' in the script (a known coding bad-practice ;) ).  Someone could send the url 'profile.php?is_admin=true', exploiting the script in quite a bad way.

So it's generally best to keep it off.  See [url=http://en.wikibooks.org/wiki/Programming:PHP:Register_Globals]http://en.wikibooks.org/wiki/Programming:PHP:Register_Globals[/url] for a discussion about register_globals and their security implications.
https://forums.phpfreaks.com/topic/29643-user-profiles/#findComment-136569
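
The uninitialized `$is_admin` problem from the post above, next to a hardened version, as an added example that is not part of the thread. register_globals was removed in PHP 5.4, so `extract()` is used here to reproduce its effect; the function names, the session array and the request values are assumptions.

```php
<?php
// Added example, not code from the thread. extract() stands in for the
// register_globals behaviour; names and sample values are assumptions.
declare(strict_types=1);

// Behaves like a script running with register_globals on: every request
// parameter becomes a variable before the script's own logic runs.
function page_with_register_globals(array $get, array $session): string {
    extract($get);                        // the register_globals effect
    if (($session['role'] ?? '') === 'admin') {
        $is_admin = true;                 // only ever assigned on the true path
    }
    // $is_admin was never set to false, so a request value can fill it in.
    return !empty($is_admin) ? 'admin panel' : 'public profile';
}

// Same logic with the flag initialised and input read only by explicit name.
function page_hardened(array $get, array $session): string {
    $is_admin = false;                    // initialise before any decision
    if (($session['role'] ?? '') === 'admin') {
        $is_admin = true;
    }
    // Request data is read by key and checked against an allow-list.
    $display = ($get['display'] ?? '') === 'full' ? 'full' : 'summary';
    return ($is_admin ? 'admin panel' : 'public profile') . " ($display)";
}

// Constructed request for profile.php?id=22&is_admin=true from a non-admin.
$request = ['id' => '22', 'is_admin' => 'true'];
$visitor = ['role' => 'member'];

echo page_with_register_globals($request, $visitor), "\n";
echo page_hardened($request, $visitor), "\n";
```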

I just realised, and I'm sorry to keep bugging you about this one.

Obviously I'm echoing out more than 1 array from the database using a while loop for each user. So does the variable not just end up being set as the last query that executes in the while loop? Hence regardless of which person they click on, it will always direct to the last record that was echoed out. Does that make sense? I'm not very good at wording these questions.
https://forums.phpfreaks.com/topic/29643-user-profiles/#findComment-136784
