Currently, I am working on a small (to start off) CMS (which I renamed to a Comprehensive Info. Vault (CIV)). The first thing I decided to start off with was the user authentication. To get the best knowledge of how it works, I went on a search for a pre-built script. Turns out, I had one on my hard-disk drive already. I set it up, cleaned up the code, and added some comments, then tried out the code. The first page I tried is the "register.php" page, which is as follows:
<?php
// Include database information (this also opens the MySQL connection)
include 'db.php';

// Define post fields into simple variables; a missing field becomes an empty string
$first_name    = isset($_POST['first_name']) ? $_POST['first_name'] : '';
$last_name     = isset($_POST['last_name']) ? $_POST['last_name'] : '';
$email_address = isset($_POST['email_address']) ? $_POST['email_address'] : '';
$username      = isset($_POST['username']) ? $_POST['username'] : '';
$info          = isset($_POST['info']) ? $_POST['info'] : '';

// Let's strip some slashes in case the user entered any escaped characters
$first_name    = stripslashes($first_name);
$last_name     = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username      = stripslashes($username);
$info          = stripslashes($info);

// Do some error checking on the form posted fields
if ((!$first_name) || (!$last_name) || (!$email_address) || (!$username)) {
    echo 'Required information was left out.<br />';
    if (!$first_name) {
        echo "First name IS required.<br />";
    }
    if (!$last_name) {
        echo "Last Name IS required.<br />";
    }
    if (!$email_address) {
        echo "Email Address IS required.<br />";
    }
    if (!$username) {
        echo "Desired Username IS required.<br />";
    }
    include 'join_form.html';
    // End the error checking and if everything is ok, we'll move on to creating the user account
    exit();
}

// Escape the values before they are placed inside SQL strings
$email_sql    = mysql_real_escape_string($email_address);
$username_sql = mysql_real_escape_string($username);

// Let's do some checking and ensure that the user's email address or username does not exist in the database
$sql_email_check    = mysql_query("SELECT email_address FROM users WHERE email_address='$email_sql'");
$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username_sql'");
$email_check    = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);
if (($email_check > 0) || ($username_check > 0)) {
    echo "Errors have occurred. Please fix them:<br />";
    if ($email_check > 0) {
        echo "<strong>HIGH SECURITY WARNING: THIS E-MAIL ADDRESS ALREADY EXISTS IN THE DATABASE. To ensure this is you that is using this e-mail account, visit the lost password section of the site, and request a new password be e-mailed to you A.S.A.P. For further security information, visit our Security procedures area.</strong><br />";
        unset($email_address);
    }
    if ($username_check > 0) {
        echo "Doesn't it suck when someone steals your name? Please enter a different one, or visit the NickName Generator.<br />";
        unset($username);
    }
    include 'join_form.html';
    exit();
}

// Everything has passed both error checks that we have done. It's time to create the account
// Random Password generator: 8 characters picked from a 33-character alphabet
function makeRandomPassword() {
    $salt = "abchefghjkmnpqrstuvwxyz0123456789";
    $pass = ''; // initialise before appending
    srand((double)microtime() * 1000000);
    $i = 0;
    while ($i <= 7) {
        $num = rand() % 33;
        $tmp = substr($salt, $num, 1);
        $pass = $pass . $tmp;
        $i++;
    }
    return $pass;
}
$random_password = makeRandomPassword();
$db_password = md5($random_password);

// Enter info into the Database (every user-supplied value is escaped)
$info2 = htmlspecialchars($info);
$sql = mysql_query(sprintf(
    "INSERT INTO users (first_name, last_name, email_address, username, password, info, signup_date)
    VALUES('%s', '%s', '%s', '%s', '%s', '%s', now())",
    mysql_real_escape_string($first_name),
    mysql_real_escape_string($last_name),
    $email_sql,
    $username_sql,
    $db_password,
    mysql_real_escape_string($info2)
)) or die (mysql_error());
if (!$sql) {
    echo 'An error has occurred while trying to create this account. Please try one more time. If this fails, please redirect to the Support area.';
} else {
    $userid = mysql_insert_id();
    // Let's mail the user!
    $subject = "Your new credentials";
    $message = "Dear $first_name $last_name,
Thank you for taking an interest in nCryptCIV. To activate your membership, please click on the following link: http://www.ncryptciv.ca/activate.php?id=$userid&code=$db_password Once you activate your membership, you will be able to login with the following information:
Username: $username
Password: $random_password
Sincerely,
- nCrypt Architect
Please do not reply to this e-mail.";
    mail($email_address, $subject, $message, "From: nCryptCIV.ca<register@ncryptciv.ca>\r\nX-Mailer: PHP/" . phpversion());
    echo 'Your account was created successfully. Please check your mailbox for further account activation instructions. Thank you for your interest in nCryptCIV.ca';
}
?>
When I hit 'Submit' to submit my info into the MySQL DB, I get the error "Connection to the database name has failed.".
Here is the "db.php" script:
<?php
// Database Connection Information
$dbhost = 'localhost';
$dbusername = 'admin';
$dbpasswd = '';
$database_name = 'users';
// Do not modify below this comment
$connection = mysql_pconnect($dbhost, $dbusername, $dbpasswd)
    or die("Connection to the database server has failed.");
$db = mysql_select_db($database_name, $connection)
    or die("Connection to the database name has failed.");
?>
I went ahead and made a folder called "users" in the mysql/data/ folder but the error persists. I added a database manually called "users" & failed, then renamed it to "database" and failed again.
I've only been studying the PHP language for a couple of months now and this is the only script I've dealt with that had an error this confusing (to me).
Other files that are used in this script are:
activate.php
checkuser.php
login.php
login_success.php
logoff.php
lostpw.php
verify.php
database.sql
join_form.html
login_form.html
lost_pw.html
For some reason (unless it needs to be), verify.php & login.php are empty files. Should this be?
Anyway, I have loads of questions about this script but before I ask about those, I think this needs to be resolved first. If you can please help out I would appreciate that very much. If you need to see the other files' coding, ask and I will post their content.
Thanks very much.
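
The database-selection failure described in the post can be narrowed down with a short diagnostic, shown here as an added example that is not part of the original post or its script. It assumes the connection values from db.php, uses mysqli instead of the post's mysql_* calls, introduces a hypothetical helper named first_column, and is meant to be run locally from the command line.

```php
<?php
// Added diagnostic, not from the original script. Values mirror db.php in the post.
$dbhost        = 'localhost';
$dbusername    = 'admin';
$dbpasswd      = '';
$database_name = 'users';

// Return false on failure instead of throwing, so each step can report itself.
mysqli_report(MYSQLI_REPORT_OFF);

// Step 1: connect to the server only, without naming a database.
$link = mysqli_connect($dbhost, $dbusername, $dbpasswd);
if (!$link) {
    fwrite(STDERR, 'Server connection failed: ' . mysqli_connect_error() . "\n");
    exit(1);
}

// Helper (hypothetical name): first column of every row returned by a query.
function first_column($link, $query) {
    $values = array();
    $result = mysqli_query($link, $query);
    if ($result) {
        while ($row = mysqli_fetch_row($result)) {
            $values[] = $row[0];
        }
        mysqli_free_result($result);
    }
    return $values;
}

// Step 2: list what this account can actually see and do on the server.
$visible = first_column($link, 'SHOW DATABASES');
echo "Databases visible to '$dbusername': " . implode(', ', $visible) . "\n";
foreach (first_column($link, 'SHOW GRANTS FOR CURRENT_USER()') as $grant) {
    echo "Grant: $grant\n";
}

// Step 3: select the database and print the server's own reason on failure.
if (!mysqli_select_db($link, $database_name)) {
    echo "Selecting '$database_name' failed: " . mysqli_error($link) . "\n";
    if (!in_array($database_name, $visible, true)) {
        echo "'$database_name' is not in the visible list: the server does not know "
           . "a database by that name, or this account has no privileges on it.\n";
    }
    exit(1);
}
echo "Selected '$database_name' successfully.\n";
mysqli_close($link);
```

The fixed die() strings in db.php hide the server's error text; printing mysqli_error() on a development machine shows whether the cause is a missing database or missing privileges for the account.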