Here is the relevant part from a register.php page I am tweaking continually. This is version 1; it has gotten more complicated since then (basically more fields and checks), but here are the guts for you. I happened to have it in the editor when I saw this post:
```php
//If the user has posted a username, email and password lets check it out
if ($_POST['username'] && $_POST['password'] && $_POST['email']) {
    $username = cleanstring($_POST['username']);
    //Force lowercase so that we may be case-insensitive
    $username = strtolower($username);
    $password = cleanstring($_POST['password']);
    $pass_valid = cleanstring($_POST['password_verify']);
    $email = cleanstring($_POST['email']);
    //If the two passwords do not match - set $verify to false and do nothing else.
    if ($password != $pass_valid || strlen($password) <= $pass_min) {
        $verify = false;
    } elseif (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
        //if the email is not in the format something@something.com - $bademail = true and do not register.
        $bademail = true;
    } else {
        //If both passwords match and the email is in a decent form - lets begin registration.
        //First we get a validation code.
        srand(time());
        $random = (rand());
        //Encrypt the password
        $password = pwencrypt($password, $username);
        //Let's make sure nobody else has this username
        $check = "SELECT * FROM user_tbl WHERE username = '".$username."';";
        $results = mysql_query($check);
        if (mysql_num_rows($results)) {
            //Username existed. Set $exists = true and don't register.
            $exists = true;
        } else {
            //Everything to this point looks good. We insert the users information into
            //user_tbl - we then query that table to get the autonumber customer id. This id
            //is entered into the URL that is emailed to the user to validate his account.
            $newuser = "INSERT INTO `user_tbl` (`username`,`password`,`email`,`groupid`,`validated`) VALUES ('".$username."','".$password."','".$email."',3,'".$random."');";
            $newexec = mysql_query($newuser);
            $newuser = "SELECT * FROM user_tbl WHERE username = '".$username."' AND password = '".$password."';";
            $newexec = mysql_query($newuser);
            if (mysql_num_rows($newexec)) {
                //Everything is good.. lets prepare the message to send to the user.
                $newres = mysql_fetch_assoc($newexec);
                $subject = "Test.";
                $message = "Welcome to the LMS system. Please follow the following link to validate.\n\n
<a href=\"".$http."index.php?u=".$newres['user_id']."&v=".$random."\">Validate Here</a>";
                //Send the email.
                smtpmail($from, $email, $subject, $message);
                //I set $registered = true; do not use it now but could be used to display a "Thank you for
                //Registering" page or similar.
                $registered = true;
            } else {
                //This should never happen.
                die("Scripting Error");
            }
        }
    }
}
```
Here is the index.php, if the $_GET variable 'v' is set, they are validating:
```php
<?php
//This variable is simply for when a user validates. The first check on the page is whether they came to a URL with
//the variables v and u in the URL.
$validated = false;
if ($_GET['u'] && $_GET['v']) {
    //If the user is trying to validate.. lets clean it up and check it out.
    $u = cleanstring($_GET['u']);
    $v = cleanstring($_GET['v']);
    $user_qry = "SELECT * FROM user_tbl WHERE user_id = '".$u."'";
    //Lets get the user id
    $user_exec = mysql_query($user_qry);
    if (mysql_num_rows($user_exec)) {
        //Hey.. the user exists! Lets check the validation code.
        $r = mysql_fetch_array($user_exec);
        if ($v == $r['validated']) {
            //Looks good.. lets set validated = 'YES' and $validated = true.
            $user_qry = "UPDATE user_tbl SET validated = 'YES' WHERE user_id = '".$u."';";
            $user_exec = mysql_query($user_qry);
            $validated = true;
        }
    }
}
//First we want to check if this is a validation request. If not we then display separate HTML for whether or not
//the user is logdin. This is made easy by the Checkauth include above, $logdin is either true or false, respectively.
if ($validated) {
?>
Thank you for validating your account. You may now login <a href="index.php">here</a>.
```
As for the invalid ones, I wipe out the "NO" validations in the database once a week.
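The same register-and-validate flow, added here as an example and not the poster's code, with the weak points of the snippet above closed: the validation code comes from `random_bytes` instead of `rand()` seeded with `time()` (which makes the code recoverable from the registration timestamp), only a hash of the code is stored, the compare is `hash_equals` rather than a loose `==`, the link expires and works once, and every query is a prepared statement so `cleanstring` is no longer the only thing between `$_GET` and the SQL. Assumptions, all labelled in the code: PHP 7+ with the PDO SQLite driver (an in-memory table stands in for the poster's MySQL `user_tbl`), a minimum password length of 8 (the post's `$pass_min` is not shown), and the e-mail being sent by the caller using the returned URL; `openDb`, `registerUser`, `validateUser` and `expect` are names chosen for this example.

```php
<?php
// Added example, not the original poster's code. Assumptions: PHP 7+ with the PDO
// SQLite driver (an in-memory table stands in for the poster's MySQL user_tbl),
// a minimum password length of 8 (the post's $pass_min is not shown), and the
// e-mail itself being sent by the caller with the returned URL.
declare(strict_types=1);

const PASS_MIN = 8;

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_tbl (
        user_id       INTEGER PRIMARY KEY AUTOINCREMENT,
        username      TEXT    NOT NULL UNIQUE,
        password      TEXT    NOT NULL,
        email         TEXT    NOT NULL,
        groupid       INTEGER NOT NULL,
        token_hash    TEXT,
        token_expires INTEGER,
        validated     INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Returns ['ok' => true, 'url' => ...] or ['ok' => false, 'error' => ...].
function registerUser(PDO $db, string $username, string $password, string $verify,
                      string $email, string $baseUrl): array
{
    $username = strtolower(trim($username));
    if ($password !== $verify || strlen($password) < PASS_MIN) {
        return ['ok' => false, 'error' => 'password'];
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'email'];
    }
    // 128 bits from the CSPRNG. rand() seeded with time() yields a code that is
    // recoverable from the registration timestamp; this one is not.
    $token = bin2hex(random_bytes(16));
    // Store only a hash, so a read of the table does not hand out live links.
    $tokenHash = hash('sha256', $token);
    $pwHash    = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = $db->prepare(
            'INSERT INTO user_tbl (username, password, email, groupid, token_hash, token_expires)
             VALUES (:u, :p, :e, 3, :h, :x)'
        );
        $stmt->execute([':u' => $username, ':p' => $pwHash, ':e' => $email,
                        ':h' => $tokenHash, ':x' => time() + 86400]);
    } catch (PDOException $e) {
        // UNIQUE constraint fired: the SELECT-then-INSERT race is closed by the schema.
        return ['ok' => false, 'error' => 'exists'];
    }
    $id = (int) $db->lastInsertId();
    return ['ok' => true, 'url' => $baseUrl . 'index.php?u=' . $id . '&v=' . $token];
}

// Handles index.php?u=..&v=..; true only when the account was validated by this call.
function validateUser(PDO $db, string $u, string $v): bool
{
    // Accept only the exact shape we issued: decimal id and 32 hex characters.
    if (!ctype_digit($u) || !preg_match('/^[0-9a-f]{32}$/', $v)) {
        return false;
    }
    $stmt = $db->prepare('SELECT token_hash, token_expires, validated FROM user_tbl WHERE user_id = :id');
    $stmt->execute([':id' => (int) $u]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['validated'] === 1 || $row['token_hash'] === null
        || time() > (int) $row['token_expires']) {
        return false;
    }
    // Constant-time compare; also avoids the numeric-string coercion of a loose ==.
    if (!hash_equals($row['token_hash'], hash('sha256', $v))) {
        return false;
    }
    // Consume the token so the link works exactly once.
    $upd = $db->prepare('UPDATE user_tbl SET validated = 1, token_hash = NULL WHERE user_id = :id');
    $upd->execute([':id' => (int) $u]);
    return true;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Stand-alone run on constructed input.
$db = openDb();
$r  = registerUser($db, 'Alice', 'correct horse', 'correct horse', 'alice@example.com', 'https://example.test/');
expect($r['ok'] === true, 'registration');
expect(registerUser($db, 'ALICE', 'correct horse', 'correct horse', 'a@example.com', '/')['error'] === 'exists',
       'duplicate username (case-insensitive) refused');
parse_str((string) parse_url($r['url'], PHP_URL_QUERY), $q);
expect(validateUser($db, $q['u'], str_repeat('0', 32)) === false, 'wrong code refused');
expect(validateUser($db, $q['u'], $q['v']) === true, 'right code accepted');
expect(validateUser($db, $q['u'], $q['v']) === false, 'replay refused');
echo "all checks passed\n";
```

The weekly purge of "NO" rows described above becomes unnecessary with this shape: `token_expires` lets the validation handler refuse stale links on its own, and a row whose `token_hash` has been cleared can never be validated again, so an unvalidated account is simply one whose expiry has passed.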