Untitled

<?php

$code = md5(uniqid());

if(!is_valid_request()
    # If the request validated, we can expect all these fields to exist
    # in $_POST, otherwise PHP would not reach this part of the condition:
|| !create_new_user($code, $_POST['username'], $_POST['email'], $_POST['pass'])
) {
    redirect('error_page.html'); # Redirect will exit.
}

# I removed the code to redirect to more specific error pages,
# you might rather start a session and create an error message
# to store in the session, and then print it on the error page,
# or do the checks first in javascript, and then if a user ignores
# them or disables JS, just fail with a generic
# "Your request could not be processed" page.

$message = "Your confirmation link \r\n";
$message.= "Click on this link to activate your account \r\n";
$message.= "MYWEBSITE.org/confirmation.php?passkey=$code";

print $message;

# =============================================================================
# Below are all functions used above:
# =============================================================================

# This is not reusable, it really just does the check for this page
# I put it into a function with a clear name so that it can be separate
# from the actual action that the page will take on success:
function is_valid_request() {
    $required = array('username', 'email', 'email2', 'pass', 'pass2');
    # The moment any one of these fails, PHP will stop checking and return false.
    return fields_are_present($required, $_POST)
        && ctype_alnum($_POST['username']) # Check for alphanumeric
        && $_POST['email'] === $_POST['email2'] # Check equals
        && $_POST['pass']  === $_POST['pass2'] # check equals
        && user_is_unique($_POST['username'], $_POST['email']);
}

# This is somewhat reusable, if we have another page to create a user on,
# it can be done there as well, as long as getPDOInstance is also present
# and working.
function create_new_user($code, $username, $email, $password) {
    $db = getPDOInstance();
    $sql = 'INSERT INTO temp (code, username, email, password) VALUES (?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    try {
        $stmt->execute(array($code, $username, $email, $pass));
    } catch(\PDOException $e) {
        error_log($e->getMessage()); # assuming your error log is set up
        return false;
    }
    return true;
}

# This is basic, but reusable:
function redirect($url) {
    header('Location: '. $url);
    exit('You are being redirected to: <a href="'.$url.'">'.$url.'</a>');
}

# Reusable, check of an array of keys (fields) are in another array:
function fields_are_present(array $fields, array $array) {
    foreach($fields as $field) {
        if(empty($array[$field])) {
            return false;
        }
    }
    return true;
}

# Does the username already exist? You'd be better off just trying to insert
# it and letting SQL give a non-unique error, but anyway, I'll just do the check
# I don't usually do checks like this but I think this would work
function user_is_unique($username, $email) {
    $db = getPDOInstance();
    $sql = 'SELECT id FROM users WHERE username = ? OR email = ? LIMIT 1'
    $stmt = $db->prepare($sql);
    $stmt->execute(array($username, email));
    $result = $db->fetchColumn();
    # We have a unique user if we got an empty result:
    return empty($result);
}

# Get a PDO instance based on made up parameters.
# Once an instance exists, it is 'static' and will only be created once,
# so every time you use this function, you will get the same connection
# that was created the first time.
function getPDOInstance() {
    static $instance;
    if(empty($instance)) {
        $config = include('config.php');
        $instance = new PDO($config['connection'], $config['user'], $config['pass']);
        $instance->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    return $instance;
}