URL Rewriting for user profiles

Problem description

I am using a hash value to prevent spam and direct access to user profiles by changing ID numbers. This is a unique integer value given to the user once when they register, stored in the database, and it never changes.

Profile links look like this:

example.com/profile.php?id=xxx&hash=xyz

I want to rewrite the URL with user nicknames, like this:

example.com/nickname

But how can I do it when using a hash value in the URL? I couldn't find a sample for this!

Recommended answer

If I understand you:

You want to provide several URLs to the end user:

  • /profile.php?id=<id>&hash=<hash>
  • /<nickname>

They would all be available, but the 2nd one would be the preferred way.

There is a problem with the /<nickname> type of URL: if a nickname is "foo/bar" or "index.php" or "admin", etc., the problem is that some nicknames may cover some other valid URLs. So at least a better format for a vanity URL would be:

  • /nick//user/

If you do not want that, you'll have to ensure that nicknames will never match any valid path to any other asset.

Then you'll quite certainly have to handle special characters in nicknames: spaces, "/", Chinese utf16 chars, Windows-specific encoding, etc. This usually targets the application server as the best tool for handling the nickname and finding the real user page to show.

Now let's take back the first URL format: /profile.php?id=<id>&hash=<hash>. You use the hash to avoid direct access to a user profile by altering the id. And you said every user has a nickname. I would say, why not simply use only the vanity format and forbid direct access to the profile.php script with an id? You could handle all user profile access internally and never provide such an entry... Anyway, let's say you still want to be able to access a user profile by id.

This access URL is generated by your application. Your application is adding the hash after the URL when providing the link (maybe the hash is a salted hash based on the nickname?). So your application can store the user hash for each user. And then in profile.php you always check that the hash is the right one for this id. All this is managed in your application, not in the http server (apache). The http server and its rewriting tools are, in my humble opinion, not the right tool to make the match: it cannot easily match your outgoing links and alter them, and it cannot easily catch your ongoing links and transform them into the right profile.php+id+hash form.

So the only RewriteRule I would use is one catching nickname-based entries and sending them internally to a profile redirector script in your application. Something like:

RewriteRule  ^/nick/(.*)$ /profile-by-nick.php?nick=$1 [L,QSA]

Then inside this php script you can do what you want to provide the same task as in profile.php. With a well-written php app it's quite easy to provide internal redirection inside the application; do not send a real http 302 redirection to the profile.php script. Use functions, classes, etc.

If you really want apache to directly send the right profile.php?id=&hash= URL to your application (maybe because your php code was written by a pony :-) ) then you could check RewriteMap as suggested by @David Ravetti and get an external script running as a daemon and providing the nickname->id+hash mapping to apache. But it seems really more complex, and not the right place to handle it. This script will need rights to load your database, and information on table structures that your application already has.
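
The application-side handling the answer describes, as an added example that is not code from the original answer: the nickname captured by the rewrite rule is checked against an allowlist and a reserved-name list, and the id+hash entry point compares the stored hash in constant time. The USERS rows, the RESERVED list, the nickname pattern and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for the users table (assumption).
const USERS = [
    42 => ['nick' => 'alice', 'hash' => '7f3c9a1e5b2d4c68'],
    43 => ['nick' => 'bob',   'hash' => '1a2b3c4d5e6f7081'],
];
// Names that would shadow real paths of the application (assumed list).
const RESERVED = ['admin', 'index', 'profile', 'nick', 'user'];

// Allowlist check for the value captured by the /nick/(.*) rewrite rule.
function isValidNick(string $nick): bool
{
    return preg_match('/\A[a-z0-9_-]{3,20}\z/', $nick) === 1
        && !in_array($nick, RESERVED, true);
}

// profile.php?id=..&hash=..: the hash must be the one stored for this id.
function findById(string $id, string $hash): ?array
{
    if (!ctype_digit($id) || !array_key_exists((int) $id, USERS)) {
        return null;
    }
    $user = USERS[(int) $id];
    // hash_equals() compares in constant time, so timing does not leak the hash.
    return hash_equals($user['hash'], $hash) ? $user : null;
}

// profile-by-nick.php?nick=..: resolved inside the application, no 302.
function findByNick(string $nick): ?array
{
    $nick = strtolower($nick);
    if (!isValidNick($nick)) {
        return null;
    }
    foreach (USERS as $user) {
        if ($user['nick'] === $nick) {
            return $user;
        }
    }
    return null;
}

// Demo calls on constructed input: both entry points reach the same row.
var_dump(findByNick('Alice') === findById('42', '7f3c9a1e5b2d4c68'));
var_dump(findByNick('foo/bar'), findByNick('admin'), findById('42', 'guess'));
```

Enforcing the same nickname rules at registration keeps a stored nickname from ever matching a reserved path.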
