Custom user registration in phpBB

Posted: Sat Sep 15, 2007 4:01 am
by kertz
Well I tried to put this post in Code Snippets and tutorials and they don't allow me there! :( So I posted this here...


I have found that most of the time when you register in a website, you'll need to register for the phpBB forum separately! This is really disgusting for the user... So here's a php script which will register the user with phpBB! All you need to do is the following steps...

1) First create a file named config.php and copy the following code to it

Code:

<?php
$conn=mysql_connect("localhost","root","password") //change the password to suit yours
    or die(mysql_error()); //call the function; the quoted form only printed the literal text
$db=mysql_select_db("mysite_db")//change mysite_db to your database name
    or die(mysql_error());
?>
But keep in mind that I used MySQL so you've got to change the syntax according to it to work for other databases!

2) Now create the main file, preferably index.php or register.php, and copy the following code

Code:

<?php

 /**
 Description: This is an example of the function which can be used to register your site user with the phpBB forum when he/she registers with your custom registration procedure. The function is very simple. You just need to supply the username, password (not encrypted, because the code does it) and the email; the rest is done by the code. Remember that you need to validate the e-mail yourself using custom code. You can use the activate_user function to activate the user after the email has been verified.
 
 Keep in mind that I consider that you have not given automatic account activation. If you have given it, there is no need to use the activate_user function. But I would recommend you to not use automatic activation.
 
 If you encounter any problem feel free to ask at http://www.devunite.com
 */

include "config.php"; // the database configuration file. Update this to connect to your database

function register_phpBB($username,$user_password,$user_email){
	//function to register with phpBB

	//find the next userid
	$query="select max(user_id) as total from phpbb_users";
	$results=mysql_query($query) or die(mysql_error());
	if($results){
		$row=mysql_fetch_row($results);//store the result in $row array
		$user_id=++$row['0'];//increment the current user_id by 1
	}
	//encrypt the password using md5
	$enc_password=md5($user_password);

	mysql_free_result($results);//free the result
	
	//insert new registration details to database
	$query="insert into phpbb_users(user_id,username,user_regdate,user_password,user_email)"; 
	$query=$query."values('".$user_id."','".$username."',".time().",'".$enc_password."','".$user_email."')";
	$results=mysql_query($query) or die(mysql_error());
	if($results){
		echo "Successfully registered with phpBB";
		return 1;
	}else{
		echo "Registration failed";
		return 0;
	}
}

//function to activate the user. Give the user id as the parameter.
function activate_user($user_id){
	$query="update phpbb_users set user_active=1 where user_id=".$user_id;
	$results=mysql_query($query) or die(mysql_error());	
	if($results){//report success only when the update went through
		echo "The account has been activated!";
	}	
}

//check if the form was submitted
if((isset($_POST['Submit']) && $_POST['Submit']=="Register")){
	//check whether the username and e-mail already exist or not
	$sql="select username,user_email from phpbb_users where username='".$_POST['username']."' or user_email='".$_POST['email']."'";
	$results=mysql_query($sql) or die(mysql_error());
	if(mysql_num_rows($results)>0){
		$row=mysql_fetch_row($results);
		if($_POST['username']==$row['0']){//check the username
			echo "Username already taken!";
		}elseif($_POST['email']==$row['1']){//checks the e-mail
			echo "The e-mail already used for registration!";
		}else{//username and e-mail not used
			//register new user to access phpBB forum
			register_phpBB($_POST['username'],$_POST['password'],$_POST['email']);	
		}
	}else{
		//register new user to access phpBB forum
		register_phpBB($_POST['username'],$_POST['password'],$_POST['email']);
	}
}else{
?>
<!-- the form to take input -->
<html>
<body>
<form action="<? $_SERVER['PHP_SELF'] ?>" method="post">
<input type="text" value="username" align="LEFT" name="username" />
<br>
<input type="password" value="password" name="password" />
<br>
<input type="text" value="email" name="email" />
<br>
<input type="submit" value="Register" name="Submit" />
</form>
</body>
</html>
<?php
}
?>
After this run the above file in your server and register using the sample form. You will need to execute the activate_user function in order to activate the newly registered user if you have disabled automatic activation!

I wish you'll find this tutorial useful! :D

Posted: Sat Sep 15, 2007 12:49 pm
by s.dot
Hmm. I'm going to move this to Coding Critique, simply because it is more of a snippet and not a PHP coding problem or question. And snippets must pass through the coding critique board before going to the snippets board. :)

Posted: Sat Sep 15, 2007 4:09 pm
by jeffery
scottayy wrote: And snippets must pass through the coding critique board before going to the snippets board. :)
I didn't know that. I have been waiting for one of my snippets to be approved :( I'll post it here then.

Posted: Sat Sep 15, 2007 9:15 pm
by tecktalkcm0391

Code:

<form action="<? $_SERVER['PHP_SELF'] ?>" method="post"> 
That is a no no. Define the action or just leave it blank (don't know if that is the same security risks or not).

Posted: Sat Sep 15, 2007 9:46 pm
by superdezign
tecktalkcm0391 wrote: (don't know if that is the same security risks or not).
The security risk comes from outputting data that can be altered by the user, i.e. PHP_SELF. It's an XSS risk.
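
An added example, not part of any post in this thread, showing the point above: PHP_SELF carries whatever path text follows the script name, so the form below takes its action from SCRIPT_NAME and HTML-escapes every value it prints. The helper names `h` and `render_register_form` and the request values are constructed for illustration.

```php
<?php
// Added illustration; not code from the thread.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_register_form(array $server, array $old = []): string
{
    // SCRIPT_NAME is the script path without the trailing path info PHP_SELF includes.
    $action   = h($server['SCRIPT_NAME'] ?? '');
    // Redisplayed user input is escaped too; the password is never echoed back.
    $username = h($old['username'] ?? '');
    $email    = h($old['email'] ?? '');
    return <<<HTML
<form action="$action" method="post">
<input type="text" name="username" value="$username" />
<input type="password" name="password" />
<input type="text" name="email" value="$email" />
<input type="submit" name="Submit" value="Register" />
</form>

HTML;
}

// Constructed request: extra path text after the script name ends up in PHP_SELF.
$server = [
    'SCRIPT_NAME' => '/register.php',
    'PHP_SELF'    => '/register.php/"><b>injected</b>',
];
echo "raw PHP_SELF:     ", $server['PHP_SELF'], "\n";
echo "escaped PHP_SELF: ", h($server['PHP_SELF']), "\n";
echo render_register_form($server, ['username' => 'o"brien', 'email' => 'ob@example.test']);
```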

Posted: Sat Sep 15, 2007 11:18 pm
by TheMoose
1: It doesn't take into account custom PHPBB table prefixes (you have phpbb_users, for example)
2: It uses the currently active MySQL connection to do the actions. So if I put in a separate connection between the include and the function definitions, it will run off the last MySQL connection I created (even though you assign a connection variable, you don't use it).
3: In your query results (the associated arrays), you use indexes instead of column names. The column names are static for PHPBB, so why not use the name, instead of the index? It's more user-friendly when modifying the code as you know right away which column you're referencing.
4: user_id in the prefix_users table is a mediumint, yet you're inserting it as a string
5: SQL Injection is prevalent in just about every query you run, you're not filtering any input whatsoever

It's a good start, just needs more work to make it secure and more ready to integrate with custom code.

Posted: Sun Sep 16, 2007 7:01 am
by The Phoenix
Is this for phpbb2 or phpbb3?

Posted: Mon Sep 17, 2007 2:37 am
by kertz
It's made in phpBB 2 and by the way I just made it as a ground for more work... It's not yet secure or highly efficient... I thought maybe someone will find it useful! :D By the way I'll work on it to make it better and thanks for all your comments that would be helpful!

Posted: Mon Sep 17, 2007 2:42 am
by kertz
tecktalkcm0391 wrote:

Code:

<form action="<? $_SERVER['PHP_SELF'] ?>" method="post"> 
That is a no no. Define the action or just leave it blank (don't know if that is the same security risks or not).

Well I didn't know that there is a security risk with that! Even the best reference books on PHP use it!

Posted: Mon Sep 17, 2007 6:59 am
by feyd
kertz wrote: Well I didn't know that there is a security risk with that! Even the best reference books on PHP use it!
There actually is, and those books are incorrect for using it. Unfortunately, not all books go through thorough security checks, let alone quality code checks.

Posted: Tue Sep 18, 2007 5:45 am
by kertz
Well then, what's the alternative?

Posted: Tue Sep 18, 2007 7:08 am
by feyd
kertz wrote: Well then, what's the alternative?
Discontinuing the use of books. Also discontinuing the use of old (poorly written) tutorials and code examples. Unfortunately, the vast number of examples available are generally poorly written.

Posted: Tue Apr 26, 2011 8:14 am
by maxkinn
Hi,
Quite useful information,
but how can I call the activation function in order to make registration successful?

thanks

Posted: Sat Oct 29, 2011 10:02 am
by Jessicaishot
Hi all, I am trying to have phpbb insert username, user_email into mytable. Where do I add my query, as I am unfamiliar with phpbb3? I looked in includes/functions.php but again this is my first time working with phpbb3. Here is what I was trying: after a member registers on my board, the username and user_email are inserted into mytable. I only need these two fields; everything else is not needed. So what I need is to know where the phpbb3 registration page is and if I am looking in the right place.
Thanks everyone!

P.S. If someone can give me a (on delete, on update, on insert) That would be great.

Posted: Mon Oct 31, 2011 5:40 am
by Mordred
This code is utter crap, do not use it. Funny, the guys caught the XSS but didn't catch the glaring SQL injection nor the concurrency problem with user ids.
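
An added example, not code from any poster, covering the two problems named above and TheMoose's points about the table prefix and the unused connection: values are bound as parameters on an explicit PDO handle, and a collision on MAX(user_id)+1 is caught by the primary key and retried. The SQLite table is a constructed stand-in for the forum's users table so the script runs offline; `register_phpbb` and the sample data are hypothetical.

```php
<?php
// Added illustration; table layout and sample data are constructed.
function register_phpbb(PDO $db, string $prefix, string $username, string $password, string $email): int
{
    // Identifiers cannot be bound as parameters, so the prefix is allow-listed.
    if (!preg_match('/^[A-Za-z0-9_]{1,20}$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $table = $prefix . 'users';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('bad e-mail address');
    }
    $dupes = $db->prepare("SELECT COUNT(*) FROM $table WHERE username = ? OR user_email = ?");
    $dupes->execute([$username, $email]);
    if ((int)$dupes->fetchColumn() > 0) {
        throw new RuntimeException('username or e-mail already registered');
    }
    $insert = $db->prepare(
        "INSERT INTO $table (user_id, username, user_regdate, user_password, user_email, user_active)
         VALUES (?, ?, ?, ?, ?, 0)"
    );
    // MAX(user_id)+1 can be picked by two requests at once; the primary key
    // rejects the loser, which then re-reads MAX and tries again.
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $next = (int)$db->query("SELECT COALESCE(MAX(user_id), 0) + 1 FROM $table")->fetchColumn();
        try {
            // md5() kept only because the thread's code stores that format.
            $insert->execute([$next, $username, time(), md5($password), $email]);
            return $next;
        } catch (PDOException $e) {
            if ($e->getCode() !== '23000') { throw $e; } // not a key collision
        }
    }
    throw new RuntimeException('could not allocate a user_id');
}

// Constructed stand-in for the forum table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT,
    user_regdate INTEGER, user_password TEXT, user_email TEXT, user_active INTEGER)');

$id = register_phpbb($db, 'phpbb_', "o'brien", 'correct horse', 'ob@example.test');
echo "registered user_id $id\n";
try {
    register_phpbb($db, 'phpbb_', 'someone else', 'pw', 'ob@example.test');
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The duplicate check followed by an insert is itself a race; unique indexes on the username and e-mail columns would close it in the same way the primary key does for user_id.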