Hello!
I’m coding my first php website right now and I have some problems… one of them is my login/register system
I can register a user but the user can’t activate his account (send email using php mail() work, but the link in the email won’t work) and he can’t log in, change password or anything…
The mail() function work on my server so I know that it works even if I’m running localhost right now (for testing)
Here is the register.php:
[php]
<?php include 'func/init.php'; logged_in_redirect(); include 'template/overall/header.php'; ?>Register New Account
<?php if (empty($_POST) === false) { $required_fields = array('username', 'password', 'password_again', 'email'); foreach($_POST as $key=>$value) { if (empty($value) && in_array($key, $required_fields) === true) { $errors[] = 'Fields marked with an asterisk are required'; break 1; } } if (empty($errors) === true) { if (user_exists($_POST['username']) === true) { $errors[] = 'Sorry, the username \'' . $_POST['username'] . '\' is already taken.'; } if (preg_match("/\\s/", $_POST['username']) == true) { $errors[] = 'Your username can\'t contain any spaces'; } if (strlen($_POST['username']) > 200) { $errors[] = 'Your username must be less then 200 characters'; } if (strlen($_POST['password']) < 6) { $errors[] = 'Your password must be at least 10 characters'; } if (strlen($_POST['password']) > 200) { $errors[] = 'Your password must be less then 200 characters'; } if ($_POST['password'] !== $_POST['password_again']) { $errors[] = 'Your passwords do not match'; } if (strlen($_POST['first_name']) > 200) { $errors[] = 'Your first name must be less then 200 characters'; } if (strlen($_POST['last_name']) > 200) { $errors[] = 'Your last name must be less then 200 characters'; } if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'A valid email address is required'; } if (email_exists($_POST['email']) === true) { $errors[] = 'Sorry, the email \'' . $_POST['email'] . '\' is already in use.'; } } } ?><?php if (isset($_GET['success']) === true && empty($_GET['success']) === true) { echo 'Thank you for signing up on my website! You\'ve got a link on the email you entered, click on it to complete your registration.'; } else { if (empty($_POST) === false && empty($errors) === true) { $register_data = array( 'username' => $_POST['username'], 'password' => $_POST['password'], 'first_name' => $_POST['first_name'], 'last_name' => $_POST['last_name'], 'email' => $_POST['email'], 'email_code' => md5($_POST['username'] + microtime()) );
register_user($register_data);
header('Location: register.php?success');
exit();
} else if (empty($errors) === false){
echo output_errors($errors);
}
?>
<div class="row">
<div class="label">Password*</div> <!-- end .label -->
<div class="input">
<input type="password" id="password" class="detail" name="password">
</div> <!-- end .input -->
<div class="context">This should be something safe that only you know about, feel free to use numbers, uppercase and lowercase letters </div> <!-- end .context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Confirm password*</div> <!-- end .label -->
<div class="input">
<input type="password" id="password" class="detail" name="password_again">
</div> <!-- end .input -->
<div class="context">This should be something safe that only you know about, feel free to use numbers, uppercase and lowercase letters </div> <!-- end .context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">First name</div> <!-- end .label -->
<div class="input">
<input type="text" id="first_name" class="detail" name="first_name" value="<?php echo isset($_POST['first_name'])? $_POST['first_name'] : ''; ?>" />
</div> <!-- end .input -->
<div class="context">e.g. John or Jane</div> <!-- end .context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Last name</div> <!-- end .label -->
<div class="input">
<input type="text" id="last_name" class="detail" name="last_name" value="<?php echo isset($_POST['last_name'])? $_POST['last_name'] : ''; ?>" />
</div> <!-- end .input -->
<div class="context">e.g. Smith or Doe</div> <!-- end .context -->
</div> <!-- end .row -->
<div class="row">
<div class="label">Your email address*</div> <!-- end .label -->
<div class="input">
<input type="email" id="email" class="detail" name="email" value="<?php echo isset($_POST['email'])? $_POST['email'] : ''; ?>" />
</div> <!-- end .input -->
<div class="context">We will not share your email with anyone or spam you with messages either</div> <!-- end .context -->
</div> <!-- end .row -->
<div class="submit">
<input type="submit" id="submit" name="submit" value="Register" />
</div> <!-- end .submit-->
</form>
[/php]
and users.func.php:
[php]
<?php function change_profile_image($user_id, $file_temp, $file_extn) { $file_path = 'images/profile/' . substr(md5(time()), 0, 10) . '.' . $file_extn; move_uploaded_file($file_temp, $file_path); mysql_query("UPDATE `users` SET `profile` = '" . mysql_real_escape_string($file_path) . "' WHERE `user_id` = " . (int)$user_id); } function mail_users($subject, $body) { $query = mysql_query("SELECT `email`, `username` FROM `users` WHERE `allow_email` = 1"); while (($row = mysql_fetch_assoc($query)) !== false) { email($row['email'], $subject, "Hello " . $row['username'] . ",\n\n" . $body); } } function has_access($user_id, $type) { $user_id = (int)$user_id; $type = (int)$type; return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `user_id` = $user_id AND `type` = $type"), 0) == 1) ? true : false; } function recover($mode, $email) { $mode = sanitize($mode); $email = sanitize($email); $user_data = user_data(user_id_from_email($email), 'user_id', 'username'); if ($mode == 'username') { email($email, 'Your username', "Hello!\n\nYour username is: " . $user_data['username'] . "\n\n- Busarna4"); } else if ($mode == 'password') { $salt = hash('sha512', uniqid(mt_rand(), true), microtime() . 'newpasswd'); $hash = $salt . $password; for ( $i = 0; $i < 100000; $i ++ ) { $hash = hash('sha512', $hash); } $hash = $salt . $hash; } $generated_password = $hash; change_password($user_data['user_id'], $generated_password); update_user($user_data['user_id'], array('password_recover' => '1')); email($email, 'Your password recovery', "Hello " . $user_data['username'] . "\n\nYour new password is: " . $password . "\n\n- Busarna4"); } function update_user($user_id, $update_data) { $update = array(); array_walk($update_data, 'array_sanitize'); foreach($update_data as $field=>$data) { $update[] = '`' . $field . '` = \'' . $data . '\''; } mysql_query("UPDATE `users` SET " . implode(', ', $update) . " WHERE `user_id`= $user_id"); } function activate($email, $email_code) { $email = mysql_real_escape_string($email); $email_code = mysql_real_escape_string($email_code); if (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `email` = '$email' AND `email_code` = '$email_code' AND `active` = 0"), 0) == 1) { mysql_query("UPDATE `users` SET `active` = 1 WHERE `email` = '$email'"); return true; } else { return false; } } function change_password($user_id, $password) { $user_id = (int)$user_id; $password = md5($password); mysql_query("UPDATE `users` SET `password` = '$password', `password_recover` =0 WHERE `user_id` = $user_id"); } function register_user($register_data) { if(isset($_POST['password'])) { $password = $_POST['password']; $salt = hash('sha512', uniqid(mt_rand(), true), microtime() . 'newpasswd'); $hash = $salt . $password; for ( $i = 0; $i < 100000; $i ++ ) { $hash = hash('sha512', $hash); } $hash = $salt . $hash; } $register_data['password'] = $hash; $fields = '`' . implode('`,`', array_keys($register_data)) . '`'; $data = '\'' . implode('\', \'', $register_data) . '\''; mysql_query("INSERT INTO `users` ($fields) VALUES ($data)"); email($register_data['email'], 'Activate your account', "Hello " . $register_data['username'] . ",\n\n You need to activate your account, use the link below to do that:\n\n http://localhost/busarna4-register/activate.php?email=" . $register_data['email'] . "&email_code=" . $register_data['email_code'] . " \n\n- Busarna4"); } function user_count() { return mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `active` = 1"), 0); } function user_data($user_id) { $data = array(); $user_id = (int)$user_id; $func_num_args = func_num_args(); $func_get_args = func_get_args(); if ($func_num_args > 1) { unset($func_get_args[0]); $fields ='`' . implode('`, `', $func_get_args) . '`'; $data = mysql_fetch_assoc(mysql_query("SELECT $fields FROM `users` WHERE `user_id` = $user_id")); return $data; } } function logged_in() { return (isset($_SESSION['user_id'])) ? true : false; } function user_exists($username) { $username = sanitize($username); return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username'"), 0) == 1) ? true : false; } function email_exists($email) { $email = sanitize($email); return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `email` = '$email'"), 0) == 1) ? true : false; } function user_active($username) { $username = sanitize($username); return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `active` = 1"), 0) == 1) ? true : false; } function user_id_from_username($username) { $username = sanitize($username); return mysql_result(mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '$username'"), 0, 'user_id'); } function user_id_from_email($email) { $email = sanitize($email); return mysql_result(mysql_query("SELECT `user_id` FROM `users` WHERE `email` = '$email'"), 0, 'user_id'); } function login($username, $password) { $user_id = user_id_from_username($username); $username = sanitize($username); $password = md5($password); return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'"), 0) == 1) ? $user_id : false; } ?>[/php]
and here’s my login.php:
[php]
<?php include 'func/init.php'; logged_in_redirect(); if (empty($_POST) === false) { $username = $_POST['username']; $password = $_POST['password']; if (empty($username) === true || empty($password) === true) { $errors[] = 'You need to enter a username and password'; } else if (user_exists($username) === false) { $errors[] = 'We can\'t find that username. Have you registered?'; } else if (user_active($username) === false) { $errors[] = 'You haven\'t activated your account!'; } else { if (strlen($password) > 200) { $errors[] = 'Password too long'; } $login = login($username, $password); if($login === false) { $errors[] = 'That username/password combination is incorrect'; } else { $_SESSION['user_id'] = $login; header('Location: index.php'); exit(); } } } else { $errors[] = 'No data received'; } include 'template/overall/header.php'; if (empty($errors) === false) { ?><link rel="stylesheet" href="css/style.css">
<h2>We tried to log you in, but...</h2>
<?php
echo output_errors($errors);
}
include 'template/overall/footer.php';
?>
[/php]
and changepassword.php:
[php]
<?php include 'func/init.php'; protect_page(); if (empty($_POST) === false) { $required_fields = array('current_password', 'password', 'password_again'); foreach($_POST as $key=>$value) { if (empty($value) && in_array($key, $required_fields) === true) { $errors[] = 'Fields marked with an asterisk are required'; break 1; } } if (md5($_POST['current_password']) === $user_data['password']) { if (trim($_POST['password']) !== trim($_POST['password_again'])) { $errors[] = 'Your new passwords do not match'; } else if(strlen($_POST['password']) < 6) { $errors[] = 'Your password must be at least 6 characters'; } } else { $errors[] = 'Your current password is incorrect'; } } include 'template/overall/header.php'; ?>Change Password
<?php if (isset($_GET['success']) === true && empty($_GET['success']) === true) { echo 'Your password has been changed.'; } else { if (isset($_GET['force']) === true && empty($_GET['force']) === true) { ?> <p>You must change your password</p>
<?php
}
if (empty($_POST) === false && empty($errors) === true) {
change_password($session_user_id, $_POST['password']);
header('Location: changepassword.php?success');
} else if (empty($errors) === false) {
echo output_errors($errors);
}
?>
<form action="" method="post">
<ul id="changepassword">
<li>
Current password*:<br>
<input type="password" name="current_password">
</li>
<li>
New password*:<br>
<input type="password" name="password">
</li>
<li>
New password again*:<br>
<input type="password" name="password_again">
</li>
<li>
<div class="submit">
<input type="submit" id="submit" name="submit" value="Change Password" />
</div> <!-- end .submit -->
</li>
</ul>
</form>
<?php
}
include 'template/overall/footer.php'; ?>
[/php]
and activate.php
[php]
<?php include 'func/init.php'; logged_in_redirect(); include 'template/overall/header.php'; if (isset($_GET['success']) === true && empty($_GET['success']) === true) { ?><link rel="stylesheet" href="css/style.css">
<h2>Thanks, we've activated your account...</h2>
<p>You're free to log in!</p>
<?php
} else if (isset($_GET['email'], $_GET['email_code']) === true) {
$email = trim($_GET['email']);
$email_code = trim($_GET['email_code']);
if (email_exists($email) === false) {
$errors[] = 'Oops, something went wrong, and we couldn\'t find that email address!';
} else if (activate($email, $email_code) === false) {
$errors[] = 'We had problems activating your account';
}
if (empty($errors) === false) {
?>
<h2>Oops...</h2>
<?php
echo output_errors($errors);
} else {
header('Location: activate.php?success');
exit();
}
} else {
header(‘Location: index.php’);
exit();
}
include ‘template/overall/footer.php’;
?>
[/php]
If you guys need anything else just tell me.
Does anyone know there the problem/problems are?
Thanks in advance//Busarna4