Registration code for a forum

Bonesnap

Hello,

I'm redoing an old project of mine where I created a forum from scratch. I recently finished coding the registration page for the forum, and I was wondering if someone can give some tips or advice on it. I'm trying to learn best practices since I'm basically a self-taught PHP coder (I studied .NET in college).

Also note all the input fields are checked via JavaScript before being submitted to the server.

Here's the code:

<?php
include("functions.php");
$message = '';
if(isset($_REQUEST['submit']))
{
	if(strlen(trim($_REQUEST['name'])) < 4 || strlen(trim($_REQUEST['name'])) > 20)
		$message = 'Your user name must be between 4 and 20 characters long.<br />';
	if(strlen(trim($_REQUEST['pass1'])) < 6)
		$message .= 'Your password must be at least 6 characters long.<br />';
	if($_REQUEST['pass1'] != $_REQUEST['pass2'])
		$message .= 'Your passwords do not match.';
	if(preg_match('/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/', $_REQUEST['email1']) < 1)
		$message .= 'Please enter a valid email address. This email is private and only available to staff. If you choose, you may make it public in the privacy settings.<br />';
	if($_REQUEST['email1'] != $_REQUEST['email2'])
		$message .= 'Your emails do not match.';
	if(strlen(trim($message)) == 0)//All input has been validated
	{
		if(CheckValidUser($_REQUEST['name']))//User name is not in use and not on the reserved list
		{
			$conn = Connect("R");
			$query = "INSERT INTO users (perm_id, user_name, user_pass, user_postcount, user_register, user_title, user_ip, user_online)";
			$query .= " VALUES(2, '".addslashes($_REQUEST['name'])."', '".sha1(md5($_REQUEST['pass1']))."', 0, NOW(), 'Member', '".$_SERVER['REMOTE_ADDR']."', 0)";
			$result = mysql_query($query, $conn);
			if(!$result)//There was an error inserting the user into the database, so close the connection and display the error message
			{
				mysql_close($conn);
				$message = 'There was an error with the registration. Please try again later.';
			}
			else//Insertion of the user was successful, so now insert the user's info into the dependent tables
			{
				$id = mysql_insert_id($conn);
				mysql_query("INSERT INTO avatars VALUES(NULL, ".$id.", NULL, NULL, NULL)", $conn);
				mysql_query("INSERT INTO details VALUES(NULL, ".$id.", 4, '".addslashes($_REQUEST['email1'])."', NULL, NULL, NULL, NULL)", $conn);
				mysql_query("INSERT INTO display_settings VALUES(NULL, ".$id.", 50, 50, 50, 1)", $conn);
				mysql_query("INSERT INTO privacy_settings VALUES(NULL, ".$id.", 1, 1, 0, 0)", $conn);
				mysql_query("INSERT INTO profiles VALUES(NULL, ".$id.", NULL, NULL)", $conn);
				mysql_query("INSERT INTO settings VALUES(NULL, ".$id.", 1, 1, 0, 0)", $conn);
				mysql_close($conn);
				UpdateIPHistory($id, $_SERVER['REMOTE_ADDR'], "R");
			}
		}
		else
			$message = 'That user name is not available.';
	}
}
?>

If you have any questions please ask. Thanks in advance! 🙂

bradgrafelman

I haven't had time to really go through all of the code and critique it yet, but one thing I do see that annoys me quite often is this:

 if(preg_match('/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/', $_REQUEST['email1']) < 1) 
        $message .= 'Please enter a valid email address. This email is private and only available to staff. If you choose, you may make it public in the privacy settings.<br />';

That regexp pattern will reject perfectly valid e-mail addresses, such as:

brad+grafelman@example.com

A better solution might be to use something like [man]filter_var/man with the FILTER_VALIDATE_EMAIL filter.

Bonesnap

Thanks for the reply. 🙂

I don't quite remember where I got that regular expression from (I admit I didn't write it myself). But how often do you see emails with + symbols in them? The regular expression I am using will satisfy the majority of people (I just added + to it and now an email like brad+grafelman@example.com validates). The filter_var() function sounds interesting, but I have some questions about it:

1) How does it work? I read its page on php.net but I cannot seem to find exactly how it works. How does it validate/filter the string? I assume by a regular expression, but if that was the case then I could just use the regular expression it uses and plug that into my if statement. Also, I read the comments on its page and apparently it will validate a string such as "yourname" as a valid email address, because the '@' is assumed. I would need to incorporate additional validation to use it.

2) Is there a JavaScript equivalent? The validation done on the server-side is identical to the validation done on the client-side, and I'd like to keep them both the same.

I did some looking and I came across the RFC 2822 email standard. Now I am trying to implement a condensed version of it but I am having trouble getting JavaScript to recognize it due to all the characters. This is the new expression I am trying to use:

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?

Thanks so much for looking at my code, and I look forward to more critiquing. 🙂

laserlight

Bonesnap wrote:
2) Is there a JavaScript equivalent? The validation done on the server-side is identical to the validation done on the client-side, and I'd like to keep them both the same.

One way to do this is to make use of AJAX where the client gets the server to do the checking, even before the form is submitted.

Bonesnap

laserlight;10966672 wrote:
One way to do this is to make use of AJAX where the client gets the server to do the checking, even before the form is submitted.

Ah, thank you, I hadn't thought of that even though I am currently using AJAX on the registration page to check if the user name is taken or on a reserved list haha.

I'd still like to know some more info on the filter_var() function, though.

NogDog

Bonesnap;10966661 wrote:
Thanks for the reply. 🙂

I don't quite remember where I got that regular expression from (I admit I didn't write it myself). But how often do you see emails with + symbols in them? The regular expression I am using will satisfy the majority of people (I just added + to it and now an email like brad+grafelman@example.com validates).

Well, do you want to turn any number of users away from your site simply because they have an unusual -- but not invalid -- email address? Presumably the user knows what his/her email address is, so by doing any sort of format validation, what is it you are trying to prevent? One possibility is fat-fingered typos, which can be limited to some extent by the ever popular "repeat email" field, and making sure both versions match. Of course, that still does not verify that is an existing email address, nor that it is that user's own email address; but then, neither does validating its format. Now you're looking at the typical sign-up validation email technique to activate a new account.

The filter_var() function sounds interesting, but I have some questions about it:

1) How does it work? I read its page on php.net but I cannot seem to find exactly how it works. How does it validate/filter the string? I assume by a regular expression, but if that was the case then I could just use the regular expression it uses and plug that into my if statement. Also, I read the comments on its page and apparently it will validate a string such as "yourname" as a valid email address, because the '@' is assumed. I would need to incorporate additional validation to use it.

2) Is there a JavaScript equivalent? The validation done on the server-side is identical to the validation done on the client-side, and I'd like to keep them both the same.

I did some looking and I came across the RFC 2822 email standard. Now I am trying to implement a condensed version of it but I am having trouble getting JavaScript to recognize it due to all the characters. This is the new expression I am trying to use:
[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
Thanks so much for looking at my code, and I look forward to more critiquing. 🙂

If you really feel the need to validate the email format, the most thorough implementation I've seen based on the standard is this one..

bradgrafelman

Bonesnap wrote:
But how often do you see emails with + symbols in them?

Me personally? I see it on virtually every website I use my e-mail address.

For example, say my e-mail was example@gmail.com and I were registering here. I might use example+phpbuilder@gmail.com as my e-mail, since GMail allows you to add a "+(anything)" onto the end of your account name. It helps to filter your e-mail (and when I start getting spam, I'll have an idea of where they got my e-mail address :p).

Bonesnap

Thanks for the input, guys! I'm reevaluating my approach to the problem. Anything else you see that might be of concern?

bradgrafelman;10966703 wrote:
For example, say my e-mail was example@gmail.com and I were registering here. I might use example+phpbuilder@gmail.com as my e-mail, since GMail allows you to add a "+(anything)" onto the end of your account name. It helps to filter your e-mail (and when I start getting spam, I'll have an idea of where they got my e-mail address :p).

Mind = blown. I had no idea Gmail could do that! Now it's even more awesome than it was before! 🙂