The following site is my first attempt with PHP and MySQL. As a result, the site has no purpose other than to be built for me to learn with. In time, it will include other features; for now, I’m simply refining what I know about logging in and registration. I hope to improve upon both, but, first, I’d like to know that my code is being efficient and that I’m not forgetting various methods of security.
index.php (discussions.php and usercp.php are the same)
<?php session_start();
include("func.php");
include("db.php"); ?>
<html>
<head>
<title>Shanked's Site</title>
<link rel="stylesheet" href="styles.css" type="text/css" />
</head>
<body class="main">
<div class='container'>
<?php displayHeader(); ?>
<div class="content">
</div>
<div class="footer">
</div>
</div>
</body>
</html>
register.php
<?php session_start();
include("func.php");
include("db.php"); ?>
<html>
<head>
<title>Registration</title>
<link rel="stylesheet" href="styles.css" type="text/css" />
<?php
$do = $_GET['do'];
$isAdded = 1;
if ($do=="addMember")
{
$isAdded = doAddMember($_POST['user'], $_POST['password'], $_POST['email']);
}
?>
</head>
<body class="main">
<div class='container'>
<?php displayHeader(); ?>
<div class="content">
<div class="boxTitle">
Register for Shanked'S Site!
</div>
<div class="box">
<?php
if ($isAdded && $do=="addMember")
{
echo "<div class='regSuccess'>
Registration successful! Please check your e-mail to validate your account.";
echo "</div>";
}
elseif (!$isAdded && $do=="addMember")
{
echo "<div class='regFail'>";
doErrorDump();
echo "</div>";
}
?>
<div class="regLeftCol">
<div class="inLabel">Username:</div>
<div class="inLabel">Password:</div>
<div class="inLabel">E-mail:</div>
</div>
<div class="regRightCol">
<form action="?do=addMember" method="POST">
<div class="inLabel">
<input type="text" name="user" class="genText" />
</div>
<div class="inLabel">
<input type="password" name="password" class="genText" />
</div>
<div class="inLabel">
<input type="text" name="email" class="genText" />
</div>
<input type="submit" value="Register" />
</form>
</div>
<div class="clear">
</div>
</div>
</div>
<div class="footer">
</div>
</div>
</body>
</html>
validate.php
<?php session_start();
include("func.php");
include("db.php");
include ("login.php"); ?>
<html>
<head>
<title>Validate</title>
</head>
<body>
<?php
$id = $_GET['id'];
$id = mysql_real_escape_string($id);
if (!$_SESSION['login'])
{
if (isValidMD5_ID($id))
{
echo "Validation successful, you are now fully registered. Returning you to the home page...";
echo "<meta http-equiv='refresh' content='5;index.php' />";
}
else
{
echo "ID not registered with Shanked'S Site. Please check your e-mail and make sure that you have clicked the link or copy/pasted it appropriately";
}
}
else
{
echo "You already logged in. Please logout before validating a new account.";
}
echo "<br />Return <a href='index.php'>home</a>";
?>
</body>
</html>
login.php
<?php
if (!$_SESSION['login'] && $_COOKIE['login']==true)
{
$_SESSION['login'] = true;
$_SESSION['user'] = $_COOKIE['user'];
$_SESSION['uid'] = $_COOKIE['uid'];
}
function doLogin($user, $password)
{
if (!$user)
{
doLoginError("Invalid username. Please enter a username.");
return false;
}
if (!$password)
{
doLoginError("Invalid password. Please enter a password.");
return false;
}
$user = mysql_real_escape_string($user);
$userDB = mysql_query("SELECT * FROM `Users` WHERE name='$user'");
$userDB = mysql_fetch_array($userDB);
if ($userDB['name'] == null)
{
doLoginError("Username does not exist, please check your username and try again.");
return false;
}
if ($userDB['validated']==0)
{
doLoginError("Your account is not yet validated. Please check your e-mail and validate your account.");
return false;
}
$passMD5 = md5($password);
if ($passMD5!=$userDB['pass'])
{
doLoginError("Password is incorrect. Please check your password and make sure it's valid.");
return false;
}
$_SESSION['login'] = true;
$_SESSION['user'] = $userDB['name'];
$_SESSION['uid'] = $userDB['userID'];
$cookieTime = time() + 60*60*24*30*365;
setcookie("user", $_SESSION['user'], $cookieTime);
setcookie("uid", $_SESSION['uid'], $cookieTime);
setcookie("login", true, $cookieTime);
echo "<meta http-equiv='refresh' content='0.1;" . $_SERVER['PHP_SELF'] . "' />";
return true;
}
function doLogOut()
{
$_SESSION['user'] = null;
$_SESSION['uid'] = null;
$_SESSION['login'] = false;
setcookie('user', "", time()-3600);
setcookie('uid', "", time()-3600);
setcookie('login', "", time()-3600);
echo "<meta http-equiv='refresh' content='0.1;" . $_SERVER['PHP_SELF'] . "' />";
return true;
}
?>
error.php
<?php session_start(); ?>
<html>
<head />
<body>
<h1>Error!</h1>
Sorry, something failed:<br />
<?php
if ($_SESSION['dbErrVal']==1)
{
echo "MySQL Error: ";
echo $_SESSION['dbError'] . "<br />";
$_SESSION['dbError']="null";
}
$_SESSION['dbErrVal'] = 0;
?>
Return <a href="index.php">home</a>
</body>
</html>
func.php
<?php
function isRegex($string, $regExp)
{
if (!$string || !$regExp)
{
return false;
}
if (filter_var($string, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>$regExp))))
{
return true;
}
else
{
return false;
}
}
function doMySQL_Error()
{
$_SESSION['dbError'] = "Unidentified Error. Connected, DB not selected.";
$_SESSION['dbErrVal'] = 1;
if (mysql_error())
{
$_SESSION['dbError'] = mysql_error();
}
echo "<meta http-equiv='refresh' content='0.1;error.php' />";
}
function isInt($num)
{
if (filter_var($num, FILTER_VALIDATE_INT))
{
return true;
}
else
{
return false;
}
}
function addError($error)
{
if ($_SESSION['errVal']==0)
{
$_SESSION['errVal']=1;
$_SESSION['err']=$error;
}
elseif ($_SESSION['errVal']==1)
{
$_SESSION['errVal'] = 2;
$msg = $_SESSION['err'];
$_SESSION['err'] = array( $msg, $error);
}
else
{
$_SESSION['err'][] = $error;
}
}
function doLoginError($error)
{
$_SESSION['errLogin'] = $error;
$_SESSION['errVal'] = 3;
}
function doErrorDump($doDump = true)
{
if ($_SESSION['errVal']==2)
{
echo "There were multiple errors with
your registration: <br />";
echo "<ul class='errorList'>";
for ($i=0;$i<count($_SESSION['err']);$i++)
{
echo "<li>" . $_SESSION['err'][$i] . "</li>";
}
echo "</ul>";
}
elseif ($_SESSION['errVal']==1)
{
echo $_SESSION['err'];
}
if ($doDump)
{
$_SESSION['errVal'] = 0;
$_SESSION['err'] = null;
}
}
function displayHeader()
{
include("login.php");
$state = $_GET['state'];
if (!$state) $state=0;
switch ($state) {
case 0:
break;
case 1:
if (!doLogin($_POST['user'], $_POST['password']))
{
echo "<meta http-equiv='refresh' content='0.1;" . $_SERVER['PHP_SELF'] . "' />";
}
break;
case 2:
if (!doLogOut())
{
echo "<meta http-equiv='refresh' content='0.1;" . $_SERVER['PHP_SELF'] . "' />";
}
break;
}
echo "<div class='header'>";
/*echo "<div class='serverInfo'>" . $_SERVER['PHP_SELF'] . "</div>";*/
if ($_SESSION['errVal']==3 && $state==0)
{
echo "<div class='loginError'>"
. $_SESSION['errLogin'] .
"</div>";
$_SESSION['errLogin'] = null;
$_SESSION['errVal'] = 0;
}
echo " <div class='login'>";
if ($_SESSION['login'])
{
echo "<span class='loginText'>Logged in: </span><a class='loginLink' href='usercp.php' id='ln'>"
. $_SESSION['user'] .
"</a>
<span class='loginText'> | </span>
<form class='login' method='POST' action='?state=2' name='logout'>
<a id='lo' class='loginLink' target='_blank' href='logout.php' onClick='document.logout.submit();return false;'>Logout</a>
</form>";
}
else
{
echo "<form method='POST' action='?state=1' name='login'
class='login'>
<span class='loginText'>Username:</span> <input class='login' type='text' name='user' />
<span class='loginText'>Password:</span> <input class='login' type='password' name='password' />
<a id='ll' class='loginLink' target='_blank' href='login.php' onClick='document.login.submit();return false;'>Login</a>
</form>
<span class='loginText'>|</span>
<a id='lr' class='loginLink' href='register.php'>Register</a>";
}
echo " </div>
<div class='banner'>
</div>
<div class='nav'>
<div class='LeftCap'>
</div>
<div class='navBar'>
<ul class='navBarList'>
<li class='navButton'>
<a href='index.php' class='navButton'>
Home
</a>
</li>
<li class='navSpacer'>
|
</li>
<li class='navButton'>
<a href='discussions.php' class='navButton'>
Discussions
</a>
</li>
<li class='navSpacer'>
|
</li>
<li class='navButton'>
<a href='usercp.php' class='navButton'>
User CP
</a>
</li>
</ul>
</div>
<div class='RightCap'>
</div>
</div>
</div>";
}
function doAddMember($user, $password, $email)
{
$isErr = false;
if (!$user)
{
addError("No user value entered. Please enter a value.");
return false;
}
if (!$password)
{
addError("No password value entered. Please enter a value.");
return false;
}
if (!$email)
{
addError("E-mails are required in order to validate your account.");
return false;
}
if (!isRegex($user, "/^[A-Za-z][\w'-]+$/"))
{
$isErr = true;
addError("Usernames must begin with a letter and can only contain letters, numbers, hyphens and apostrophes.");
}
if (!isRegex($password, "/^\w+$/"))
{
$isErr = true;
addError("Passwords can only contain letters and/or numbers.");
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
$isErr = true;
addError("Invalid e-mail. Proper format: [email protected] (some hosts may be at .net, .org, etc...)");
}
$user = mysql_real_escape_string($user);
$password = mysql_real_escape_string($password);
$email = mysql_real_escape_string($email);
$password = md5($password);
$checkUser = mysql_query("SELECT name FROM `Users` WHERE name='$user'");
$checkUser = mysql_fetch_array($checkUser);
if ($checkUser['name']==$user)
{
$isErr = true;
addError("The chosen username is already in use. Please choose another.");
}
if ($isErr)
{
return false;
}
$userMD5 = md5($user);
if (!mysql_query("INSERT INTO `Users` (name, pass, level, email, userMD5, validated) VALUES ('$user','$password','Basic','$email', '$userMD5', '0')"))
{
doMySQL_Error();
return false;
}
$subject = "Validate your Shanked'S account!";
$msg = "
Hello!\n
\n
This e-mail has been paired to an account\n
at the following site:\n
http://shankeds.web44.net/\n
\n
In order to validate, please click or\n
copy+paste the following link:\n
http://shankeds.web44.net/validate.php?id=" . $userMD5 . "\n
\n
Thank you for registering!";
$msg=wordwrap($msg, 70);
$header = "From: Shanked'S Admin <[email protected]>" . "\r\n";
if (!mail($email, $subject, $msg, $header))
{
addError("Registration Successful, but the mail function failed.");
return false;
}
return true;
}
function isValidMD5_ID($id)
{
$checkID = mysql_query("SELECT userMD5 FROM `Users` WHERE userMD5='$id'");
$checkID = mysql_fetch_array($checkID);
if ($checkID['userMD5']!=null)
{
if (!mysql_query("UPDATE `Users` SET validated='1' WHERE userMD5='$id'"))
{
doMySQL_Error();
return false;
}
else
{
return true;
}
}
else
{
return false;
}
return false;
}
?>
db.php (various aspects masked by asterisks)
<?php
// this username/password is for database access.
$dbmainuser="***";
$dbmainpass="***";
// this is the name of the database.
$dbmainname="***";
$conn = mysql_connect("mysql1.000webhost.com", $dbmainuser, $dbmainpass);
$_SESSION['dbConn'] = $conn;
if (!$conn)
{
$_SESSION['isConnectDB'] = false;
doMySQL_Error();
}
else
{
if (mysql_select_db( $dbmainname, $conn))
{
$_SESSION['isConnectDB'] = true;
}
else
{
$_SESSION['isConnectDB'] = false;
doMySQL_Error();
}
}
?>
I figure my code looks pretty awful to those with experience. The help I’m seeking is in suggestions and directions that will help me become a more efficient coder in PHP.
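The registration, validation and login path from func.php and login.php, reworked as an added example (not the poster's code): prepared statements instead of string-built queries, password_hash() in place of md5(), and a random single-use validation token in place of md5($user). The in-memory SQLite database, the table layout and the function names are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.3+ with pdo_sqlite; the
// in-memory database and the table layout are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass TEXT,
            email TEXT, validate_hash TEXT, validated INTEGER DEFAULT 0)');

// Returns the one-time validation token that goes into the e-mailed link.
function register(PDO $pdo, string $name, string $password, string $email): string
{
    $token = bin2hex(random_bytes(32));   // unguessable, unlike md5($user)
    $pdo->prepare('INSERT INTO users (name, pass, email, validate_hash) VALUES (?, ?, ?, ?)')
        ->execute([$name, password_hash($password, PASSWORD_DEFAULT), $email, hash('sha256', $token)]);
    return $token;
}

// Marks the account validated; the stored hash is cleared so the link works once.
function validate(PDO $pdo, string $token): bool
{
    $stmt = $pdo->prepare('UPDATE users SET validated = 1, validate_hash = NULL WHERE validate_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    return $stmt->rowCount() === 1;
}

// Returns the user id, or null without saying which check failed.
function login(PDO $pdo, string $name, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, pass, validated FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pass']) || !$row['validated']) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample data; the apostrophe is allowed by the username rule in func.php.
$token = register($pdo, "O'Brien", 'correct horse battery', 'obrien@example.test');
var_dump(login($pdo, "O'Brien", 'correct horse battery'));  // before validation
var_dump(validate($pdo, md5("O'Brien")));                   // md5(name) tried as the id
var_dump(validate($pdo, $token));                           // token from the e-mail
var_dump(validate($pdo, $token));                           // same token a second time
var_dump(login($pdo, "O'Brien", 'correct horse battery'));  // after validation
var_dump(login($pdo, "O'Brien", 'wrong'));                  // wrong password
```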
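login.php restores a session from the login, user and uid cookies, all of which are values the browser supplies. An added example (not the poster's code) of a persistent-login cookie that carries only a random token the server looks up; the remember_tokens table, the function names and the SQLite database are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.3+ with pdo_sqlite; the
// remember_tokens table and its columns are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');

const REMEMBER_TTL = 30 * 86400;   // 30 days, in seconds

// Creates a random token for $userId; only its SHA-256 is stored server-side.
function issueToken(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?)')
        ->execute([hash('sha256', $token), $userId, time() + REMEMBER_TTL]);
    return $token;   // this is the cookie value
}

// Resolves a cookie value to a user id and rotates the token, or returns null.
// The user id always comes from the database row, never from the request.
function redeemToken(PDO $pdo, string $cookie): ?array
{
    $hash = hash('sha256', $cookie);
    $stmt = $pdo->prepare('SELECT user_id FROM remember_tokens WHERE token_hash = ? AND expires > ?');
    $stmt->execute([$hash, time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $pdo->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]);
    return ['uid' => (int) $userId, 'next' => issueToken($pdo, (int) $userId)];
}

// Logout: revoke the user's tokens on the server, not only the browser cookie.
function revokeTokens(PDO $pdo, int $userId): void
{
    $pdo->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
}

// Constructed demo; user id 7 is a placeholder.
$first = issueToken($pdo, 7);
var_dump(redeemToken($pdo, '1'));          // a cookie value the server never issued
$result = redeemToken($pdo, $first);
var_dump($result['uid']);                  // id taken from the stored row
var_dump(redeemToken($pdo, $first));       // old token after rotation
revokeTokens($pdo, 7);
var_dump(redeemToken($pdo, $result['next']));  // rotated token after logout
```

In the web context the token would be sent with setcookie() using the options array ('httponly' => true, 'secure' => true, 'samesite' => 'Lax'), and $_SESSION['uid'] would be set from the uid that redeemToken() returns.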