/
register.php
213 lines (172 loc) · 9.04 KB
/
register.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
<?php
// TODO: learn this method of error handling - EDIT: it's lame, actually.
// TODO: Require email from specific domain as an option, and confirm emails before allowing login
// TODO: Add OAuth signins
// TODO: Add password confirmation input
// TODO: grey-out sign up button until input is validated and display issues in real time
// TODO: Add to verification database BEFORE user database, and user only if verification db succeds. Possibly only get password after verification anyway?
// TODO: Hide form after a successful registration;
ob_start();
session_start();
if( isset($_SESSION['user'])!="" ){
header("Location: ".$appHome);
}
include_once 'scripts/appsettings.php';
$pageTitle = "Register";
include_once 'scripts/siteheader.php';
$error = false;
if ( isset($_POST['btn-signup']) ) {
// clean user inputs to prevent sql injections
$firstName = htmlspecialchars(strip_tags(trim($_POST['firstName'])));
$lastName = htmlspecialchars(strip_tags(trim($_POST['lastName'])));
$email = htmlspecialchars(strip_tags(trim($_POST['email'])));
$pass = htmlspecialchars(strip_tags(trim($_POST['pass'])));
// basic name validation
if (empty($firstName)) {
$error = true;
$firstNameError = "Please enter your first name.";
} else if (strlen($firstName) < 3) {
$error = true;
$firstNameError = "Most first names are a bit longer than that.";
} else if (!preg_match("/^[a-zA-Z]+$/",$firstName)) {
$error = true;
$firstNameError = "Invalid first name. Alphabetic characters only.";
}
// basic last name validation
if (empty($lastName)) {
$error = true;
$lastNameError = "Please enter your last name.";
} else if (strlen($lastName) < 3) {
$error = true;
$lastNameError = "Most last names are a bit longer than that.";
} else if (!preg_match("/^[a-zA-Z]+$/",$lastName)) {
$error = true;
$lastNameError = "Invalid last name. Alphabetic characters only.";
}
//basic email validation
if ( !filter_var($email,FILTER_VALIDATE_EMAIL) ) {
$error = true;
$emailError = "Please enter your valid email address.";
} else {
// check email exist or not
$query = "SELECT userEmail FROM users WHERE userEmail='$email'";
$result = mysqli_query($conn, $query);
$count = mysqli_num_rows($result);
if($count!=0){
$error = true;
$emailError = "There's already an account with that email. (<a href=\"login.php\">log in</a> or <a href=\"reset.php\">reset password</a>)"; //@TODO pass email, if it's set, to the reset page.
}
}
// password validation
if (empty($pass)){
$error = true;
$passError = "Please enter password.";
} else if(strlen($pass) < 6) {
$error = true;
$passError = "Password must have at least 6 characters.";
}
// encrypt password using SHA256();
$password = hash('sha256', $pass);
// If there's no error, add the new user to the database, store a hash, and send them a confirmation email.
if( !$error ) {
$query = "INSERT INTO users(firstName, lastName, userEmail, userPass) VALUES('$firstName','$lastName','$email','$password')";
$res = mysqli_query($conn, $query);
if ($res) {
$token = bin2hex(random_bytes(64));
$vtype = 0; // 0 = new user
$timestamp = time();
$query = "INSERT INTO verification_table(token, email, vtype, tstamp) VALUES('$token', '$email', '$vtype', '$timestamp')";
$res = mysqli_query($conn, $query);
if ($res) {
$fromEmail = "no-reply";
$confirmURI = 'https://'.$_SERVER['HTTP_HOST'].'/'.basename(__DIR__).'/verify.php?m='.$vtype.'&t='.$token;
$subject = "Confirm Your ".$appName." Account";
$msg = '<html>Hello '.$firstName.',<br><br>
Welcome to '.$appName.'!<br><br>To confirm your account, please click <a href="'.$confirmURI.'"/>here,</a> or copy the following URL into your browser:<br><br>
'.$confirmURI.'<br><br>
If you\'re not '.$firstName.', please disregard this message.<br><br>Thanks,<br><br>- The '.$appName.' Team</html>';
$res = mail($email, $subject, $msg, $headers .= 'From: '.$appName." <".$fromEmail."@".$_SERVER['SERVER_NAME'].">\r\n".'Content-type: text/html; charset=iso-8859-1');
unset($_SESSION['vAction']); // Mostly helps testers - if your vAction was set, clicking a verification link could accidentally send a new verification link for a different account...
if ($res) {
$errTyp = "success";
$errMSG = "Account created successfully. A confirmation email has been sent to you at your newly registered address.<br><i>(If you don't receive it, check your spam folder, or add ".$fromEmail."@".$_SERVER['SERVER_NAME']." to your address book and try again.)</i>";
} else {
$errTyp = "danger";
$errMSG = "Account created successfully. Confirmation email could not be sent, you will not be able to log in.\nPlease contact the system administrator.";
}
unset($firstName);
unset($lastName);
unset($email);
unset($pass);
} else {
$errTyp = "danger";
$errMSG = "Something went wrong, in a bad way. You should still be able to log in, but you're not verified, and that's bad...<br>".mysqli_error($res);
}
} else {
$errTyp = "danger";
$errMSG = "Something went wrong, try again later... (SQL Failure)";
}
}
}
?>
<div class="container">
<div id="login-form">
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" autocomplete="off">
<div class="col-md-12">
<div class="form-group">
<h2 class="">Sign Up.</h2>
</div>
<div class="form-group">
<hr />
</div>
<?php
if ( isset($errMSG) ) {
?>
<div class="form-group">
<div class="alert alert-<?php echo ($errTyp=="success") ? "success" : $errTyp; ?>">
<span class="glyphicon glyphicon-info-sign"></span> <?php echo $errMSG; ?>
</div>
</div>
<?php
}
?>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-user"></span></span>
<?php // BUG TODO fix - top input isn't rounded. Top and bottom corners should be, not middle ?>
<input type="text" name="firstName" class="form-control" placeholder="Enter First Name" maxlength="50" value="<?php echo $firstName ?>" />
<input type="text" name="lastName" class="form-control" placeholder="Enter Last Name" maxlength="50" value="<?php echo $lastName ?>" />
</div>
<span class="text-danger"><?php echo $firstNameError; echo $lastNameError; ?></span>
</div>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span></span>
<input type="email" name="email" class="form-control" placeholder="Enter Your Email" maxlength="40" value="<?php echo $email ?>" />
</div>
<span class="text-danger"><?php echo $emailError; ?></span>
</div>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
<input type="password" name="pass" class="form-control" placeholder="Enter Password" maxlength="15" />
</div>
<span class="text-danger"><?php echo $passError; ?></span>
</div>
<div class="form-group">
<hr />
</div>
<div class="form-group">
<button type="submit" class="btn btn-block btn-primary" name="btn-signup">Sign Up</button>
</div>
<div class="form-group">
<hr />
</div>
<div class="form-group">
<a href="login.php">Sign in Here...</a>
</div>
</div>
</form>
</div>
</div>
<?php include 'scripts/appfooter.php';