Re: User registration
Posted: Thu Jul 24, 2008 2:45 am
Well .. there's a fine line between helping you and me writing your entire app. We're coming close to that I feel.
So, this is your registration code re-written more along the lines of what I would have done. This is by no means perfect, and could certainly use some honing, but I've stayed as close to your original code as possible so that you can see how to convert your login page to match.
So, take a look at that, try and get the feel for what it is doing, and then try and apply that to the login page. Don`t worry too much if you make something that doesn't work .... it's just important that you try. I certainly wont be coding for you like this again, purely because it is better for you to learn by doing than it is to just be given the answers. I've done this purely to give you an example of good practice using your own code as a base.
As for the password. I'm recommending a process change. I would hash the password (and have done in the above code) before storing the password, and then hash the users login password and compare it to the stored hash. The process change comes from the fact that hashes cant be returned the original value. This means that you cannot tell the user their old password because not even you with full database access can tell what a users password is.
So your 'forgotten password' process would invlove randomly generating a password, hashing and saving it, then sending the user the unhashed version while you still have access to it. Then when the user gets the email, they can log in and are free to change it to whatever they like.
A simple ... ... might be sufficient, but I like to use a salted hash-in-hash, just for an added level of complexity.
Anyhow, I hope this helps. Let me know how you go with the new merged login page.
Cheers
[edit] This is entirely untested by the way ... so it may take a few fixes to get it to work. Let me know if it's not going too well for you.
So, this is your registration code re-written more along the lines of what I would have done. This is by no means perfect, and could certainly use some honing, but I've stayed as close to your original code as possible so that you can see how to convert your login page to match.
Code: Select all
<?php
// Never hurts to keep sessions around in case you need them
session_start();
// If form data is posted, run processing script
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
//include function files for this application
require("PDMS_fns.php");
// Check email
if (!(isset($_POST['email']) && valid_email($_POST['email']))) $error['email'] = 'Not a valid email address';
// check username length
if(!isset($_POST['username']) || (strlen($_POST['username']) < 6 ) || (strlen($_POST['username']) > 16)) $error['username'] = 'Username must be between 6 to 16 characters';
// check that passwords are OK
if((isset($_POST['password']) && isset($_POST['password2'])) {
if($_POST['password'] !== $_POST['password2']) $error['password'] = 'Passwords do not match';
if (strlen($_POST['password']) < 6 || strlen($_POST['password']) > 16) $error['password'] -'Password must be between 6 to 16 characters';
} $error['password'] = 'Password data not found. Possible form error.';
// Proceed with processing if no errors have occurred
if(!isset($error)) {
// Connect to database
$conn = db_connect($server, $username, $password) or die('Unable to connect to the database');
// Select database
mysql_select_db('database_name', $conn) or die('Could not select database.');
// make sure user is unique - notice we have used mysql_escape_string to help secure the user input
$username = mysql_escape_string($_POST['username']);
$result = mysql_query("select * from users where username='$username'");
if($result) {
if(mysql_num_rows($result) < 1) {
// Passed all validation and checking, ready to insert
$password = md5('secret_salt' . md5($_POST['password']));
$email = mysql_escape_string($_POST['email']);
$result = mysql_query("insert into users values('', '$username', '$password', '$email')");
if($result) {
// Smiles all round - we're done here so let's move on
header('Location: http://www.yoursite.com/login.php');
exit();
} else $error['database'] = 'An unknown database error has occurred on insert';
} else $error['username'] = 'Username already exists. Please select a different username';
} else $error['database'] = 'An unknown database error has occurred on select';
}
}
// If we made it this far, either this is a non-submit, or there was an error registering
// Either way, begin display of the form
include "header1.php";
?>
<div id="content">
<?php
if(isset($error)){
?>
<div>
<?php foreach($error as $key=>$item) echo "<strong>$item</strong></br>"; ?>
</div>
<?php
}
?>
<div id="left" style="left: 0px; top: 0px">
<ul>
<li>Email address :</li>
<li>Preferred username :</li>
<li>Password :</li>
<li>Confirm password :</li>
</ul>
</div>
<div id="right">
<p style="left: -1px; top: 0px"><font size="4.5px">REGISTER</font></p>
<form action="register.php" name="register_form">
<input type="text" size="20" name="email"<?php if(isset($_POST['email'])) echo " value = \"{$_POST['email']}\""; ?>><br><br>
<input type="text" size="20" name="username"<?php if(isset($_POST['username'])) echo " value = \"{$_POST['username']}\""; ?>> (6 to 16 chars)<br><br>
<input type="password" size="20" name="password"<?php if(isset($_POST['password'])) echo " value = \"{$_POST['password']}\""; ?>> (6 to 16 chars)<br><br>
<input type="password" size="20" name="password2"<?php if(isset($_POST['password2'])) echo " value = \"{$_POST['password2']}\""; ?>><br><br>
<input type="submit" name="Submit" value="submit">
<input type="reset" name="Reset" value="reset">
</form>
</div>
</div>
As for the password. I'm recommending a process change. I would hash the password (and have done in the above code) before storing the password, and then hash the users login password and compare it to the stored hash. The process change comes from the fact that hashes cant be returned the original value. This means that you cannot tell the user their old password because not even you with full database access can tell what a users password is.
So your 'forgotten password' process would invlove randomly generating a password, hashing and saving it, then sending the user the unhashed version while you still have access to it. Then when the user gets the email, they can log in and are free to change it to whatever they like.
A simple ...
Code: Select all
md5($_POST['password']);Anyhow, I hope this helps. Let me know how you go with the new merged login page.
Cheers
[edit] This is entirely untested by the way ... so it may take a few fixes to get it to work. Let me know if it's not going too well for you.