0

registration.php

<!<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Register</title>
</head>

<body>
    <fieldset>
        <legend>Registration</legend>

<form name="register" action="register.php" method="post">
    <table width="510" border="0">
        <tr>
            <td colspan="2"><p><strong>Registration Form</strong></p></td>
        </tr>
        <tr>
            <td>Username:</td>
            <td><input type="text" name="username" maxlength="20" /></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" name="password" /></td>
        </tr>
        <tr>
            <td>Confirm Password:</td>
            <td><input type="password" name="password2" /></td>
        </tr>
        <tr>
            <td>Email:</td>
            <td><input type="text" name="email" id="email" /></td>
        </tr>
        <tr>
            <td><input type="hidden" name="formsubmitted" value="true"/> </td>
        </tr>
        <tr>
            <td>&nbsp;</td>

            <td><input type="submit" value="Register" /></td>
        </tr>
    </table>
</form>
<div>
if already registered then: 
<a href="login.html"> login</a>   </div>
</fieldset>

</body>

registration.php

<?php
 include("DBconnect.php");
 $username =$_POST[ 'username' ];
 $password=$_POST[ 'password' ];
 $con_pass=$_POST['password2'];
 $email =$_POST [ 'email' ] ;
 $status='verify';
 $r1='/[A-Z]/';  //Uppercase
 $r2='/[a-z]/';  //lowercase
 $r3='/[!@#$%^&*()\-_=+{};:,<.>]/';  // whatever you mean by 'special char'
 $r4='/[0-9]/';  //numbers


 if (isset($_POST['formsubmitted']))
 {

    //username validation
        if(empty($_POST['username'])) 
        { 
            die("Please enter a username."); 
        }
    $u="select count(*) as 'countuser' from users where username='"+$username+ "'";
    $result = mysql_query($u);
    while ($row = mysql_fetch_array($result))
        {
            $count= $row[countuser];
         if( $count>0) 
     {
          die("username already exist");
     }
         }





     //password validation
        if(empty($_POST['password'])) 
        { 
            die("Please enter a password."); 
        }
    else
     {
        if((preg_match_all($r1,$password, $o)<1) &(preg_match_all($r2,$password, $o)<1)&(preg_match_all($r3,$password, $o)<1)&(preg_match_all($r4,$password, $o)<1)&(strlen($password)<8))
        die("there should be atleast one Uppercaseletter,one lowercase letter,one special character,one digit &length should be greater than 8");

     }

    //password matching validation
    if($_POST['password']!=$_POST['password2'])
    {
         die("password do not match");                 
    }

    //email validation
        if(empty($_POST['email']))
    {
               die("Please Enter your Email");
        }
       if (!preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['email']))
       {
               //regular expression for email validation
               //$Email = $_POST['email'];
            die( "Your Email Address is invalid ") ;
       }       
         $e="select count(*) as 'countemail' from users where email='"+$email+ "'";
         $r = mysql_query($e);
    while ($row = mysql_fetch_array($r))
        {

            $c=$row[countemail];
         if($c>0)
           {
        die("email already exist");
           }
    }



 }

 $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
 $password = hash('sha256', $_POST['password'] . $salt); 
 for($round = 0; $round < 65536; $round++) 
 { 
    $password = hash('sha256', $password . $salt); 
 } 
 $activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();

 $qry="insert into users (username,password,salt,email,activationkey,status) values ('$username','$password','$salt','$email','$activationKey','$status')";
 $register = mysql_query($qry);
 if (!$register)
 {
      echo "error 1";;
 }

echo "successful registration";
?>
<a href="login.html"> login</a>

login.html

<html>
<head>
<title>
 login
</title>    
</head>

<body>
<fieldset>
    <legend title=login>login</legend>
    <form action="login.php" method="post">

    Username:<br /> 
    <input type="text" name="username" value="" /> 
    <br /><br /> 
    Password:<br /> 
    <input type="password" name="password" value="" /> 
    <br /><br /> 
    <input type="submit" value="Login" />

</form>
</fieldset>
<a href="register.html">Register</a>
<a href="forgotpassword.php">Forgot Password</a>
</body>
</html>

***
login.php***

<?php 


    require("DBconnect.php"); 



    $username =$_POST[ 'username' ];
    $password=$_POST[ 'password' ];
    if(!empty($_POST)) 
    { 
        // This query retreives the user's information from the database using 
        // their username. 
        $query = " SELECT  id,username,password,salt,email FROM users WHERE username = '"+$username+ "'";
        $result = mysql_query($query);
        $row = mysql_fetch_array($result);

        if($row) 
        { 
            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database. 
            $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row['salt']); 
            } 

            if($check_password == $row['password']) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true; 
            } 
        } 

        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            unset($row['salt']); 
            unset($row['password']); 

            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            $_SESSION['user'] = $row; 

            // Redirect the user to the private members-only page. 
            header("Location: private.php"); 
            die("Redirecting to: private.php"); 
        } 
        else 
        { 
            // Tell the user they failed 
            print("Login Failed."); 

            // Show them their username again so all they have to do is enter a new 
            // password.  The use of htmlentities prevents XSS attacks.  You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them).  For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 

?> 

private.php

<?php 

    // First we execute our common code to connection to the database and start the session 
    require("DBconnect.php"); 

    // At the top of the page we check to see whether the user is logged in or not 
    if(empty($_SESSION['user'])) 
    { 
        // If they are not, we redirect them to the login page. 
        header("Location: login.php"); 

        // Remember that this die statement is absolutely critical.  Without it, 
        // people can view your members-only content without logging in. 
        die("Redirecting to login.php"); 
    } 

    // Everything below this point in the file is secured by the login system 

    // We can display the user's username to them by reading it from the session array.  Remember that because 
    // a username is user submitted content we must use htmlentities on it before displaying it to the user. 
?> 
Hello <?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?>, secret content!<br /> 
<a href="memberlist.php">Memberlist</a><br /> 
<a href="edit_account.php">Edit Account</a><br /> 
<a href="logout.php">Logout</a>

please tell me the suggesstions gor the errors

3
Contributors
3
Replies
16
Views
4 Years
Discussion Span
Last Post by broj1
1

The first two scripts have the same filename. Is that a typo?

One suggestion:

In the registration processing script you check for the validity and existence of username, password and email. If any of these data doesn't exist or is invalid you stop the script using die() displaying some message. Better user experience would be redirecting the user back to registration form, filling-in the existing data and highlighting the field with the error. This way user can correct the missing or incorrect input and carry on with the registration with minimum effort.

Edited by broj1

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.