<?phpinclude_once 'db_connect.php';include_once 'psl-config.php'; $error

1. <?php
2. include_once 'db_connect.php';
3. include_once 'psl-config.php';
4.  
5. $error_msg = "";
6.  
7. if (isset($_POST['username'], $_POST['email'], $_POST['p'])) {
8.     // Sanitize and validate the data passed in
9.     $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
10.     $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
11.     $email = filter_var($email, FILTER_VALIDATE_EMAIL);
12.     if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
13.         // Not a valid email
14.         $error_msg .= '<p class="error">The email address you entered is not valid</p>';
15.     }
16.  
17.     $password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
18.     if (strlen($password) != 128) {
19.         // The hashed pwd should be 128 characters long.
20.         // If it's not, something really odd has happened
21.         $error_msg .= '<p class="error">Invalid password configuration.</p>';
22.     }
23.  
24.     // Username validity and password validity have been checked client side.
25.     // This should should be adequate as nobody gains any advantage from
26.     // breaking these rules.
27.     //
28.  
29.     $prep_stmt = "SELECT id FROM members WHERE email = ? LIMIT 1";
30.     $stmt = $mysqli->prepare($prep_stmt);
31.  
32.    // check existing email  
33.     if ($stmt) {
34.         $stmt->bind_param('s', $email);
35.         $stmt->execute();
36.         $stmt->store_result();
37.  
38.         if ($stmt->num_rows == 1) {
39.             // A user with this email address already exists
40.             $error_msg .= '<p class="error">A user with this email address already exists.</p>';
41.         }
42.     } else {
43.         $error_msg .= '<p class="error">Database error for EMAIL</p>';
44.     }
45.  
46.     // check existing username
47.     $prep_stmt = "SELECT id FROM members WHERE username = ? LIMIT 1";
48.     $stmt = $members_mysqli->prepare($prep_stmt);
49.     if ($stmt) {
50.         $stmt->bind_param('s', $username);
51.         $stmt->execute();
52.         $stmt->store_result();
53.  
54.     if ($stmt->num_rows == 1) {
55.             // A user with this username already exists
56.             $error_msg .= '<p class="error">A user with this username already exists</p>';
57.     } else {
58.         $error_msg .= '<p class="error">Database error for USERNAME</p>';
59.     }
60.  
61.     // TODO:
62.     // We'll also have to account for the situation where the user doesn't have
63.     // rights to do registration, by checking what type of user is attempting to
64.     // perform the operation.
65.  
66.     if (empty($error_msg)) {
67.         // Create a random salt
68.         $random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));
69.  
70.         // Create salted password
71.         $password = hash('sha512', $password . $random_salt);
72.  
73.         // Insert the new user into the database
74.         if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)")) {
75.             $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
76.             // Execute the prepared query.
77.             if (! $insert_stmt->execute()) {
78.                 header('Location: ../error.php?err=Registration failure: INSERT');
79.             }
80.         }
81.         header('Location: ./register_success.php');
82.     }
83. }
84. }