You'd have to use a DNS wildcard and define a "server alias" in your web server's configuration. Do an internet search for a phrase like "Wildcard DNS php" for examples.

Obvious tangential question: Is the php involvement needed for some reason beyond what you've said here? If all you're looking at is redirecting and rewriting between url-with-query and url-using-subdomain, with the identical variable format ("01var") either way, you should be able to do it directly in the config file or htaccess. Or, uh, equivalent in That Other Server.

The variable is
:: shuffling papers ::
$_SERVER[HTTP_HOST]

Well, ###. I could have made that up and I'd have been right.

Enabling subdomains-- possibly including wild-card subdomains --is of course a completely different issue from the mechanics of redirecting and/or rewriting.

Yes, that is necessary to use some countermeasure against hackers (trying brute force attacks).
For every user is unique url to login. So the user can login only if he tries to login from the unique url associated only with the user.
For example website login form is in file login.php
I mean:
1) user enters business name
2) the business name is recorded in mysql
3) the business name from mysql is placed at the end of url, like login.php?businessname. This is the url for particular user to login
4) when any of users type url like login.php?xyz(1,2,3 etc) login form is displayed (echo).
5)in that login form user types username and password.
6) get/create php variable that contains url after ? sign
7) compare if such variable exists in mysql and match username
8)if not exist, error message; if exists, check if password is correct

By the way would like to know thoughts how effective is such solution. Here is example [secure.freshbooks.com...]

And by the way... question. Is it possible to create whitelist of bots that are allowed to see website? So if bot is not in the whitelist, it sees something blank (does not see input form code).

Don't even let the robots get close to your php. If they're not whitelisted, slam a 403 in their face.

If the site requires a login, do you need to admit any robots anywhere? Don't know about anyone else, but as a user it makes me insane when something comes up in a search engine and when I go there it turns out I have to log in. And they don't just want my name, they want money. Sorry, site, but you're just not that desirable.

Could you advice good way not to allow bad bots to see code? I have found list of bad bots... but suppose such list changes frequently

One way:

RewriteCond %{something-here} one distinguishing feature [OR]
RewriteCond %{something-here} another distinguishing feature [OR]
RewriteCond %{something-here} third distinguishing feature
RewriteRule special-protected-page - [F]

There are other ways. Just don't ask me about IIS. Closed book to me and I'm perfectly happy to keep it that way.

For good robots such as major search engines, a simple robots.txt Disallow line will do it. But bad robots respond only to brute force.

OK. Thank you for answers