
submit.php

a guest
Jan 28th, 2015
  1. <?php
  2. session_start();
  3. if(!isset( $_POST['username'], $_POST['password'], $_POST['form_token']))
  4. {
  5. $message = 'Please enter a valid username and password';
  6. }
  7. /*** check the form token is valid ***/
  8. elseif( $_POST['form_token'] != $_SESSION['form_token'])
  9. {
  10. $message = 'Invalid form submission';
  11. }
  12. /*** check the username is the correct length ***/
  13. elseif (strlen( $_POST['username']) > 20 || strlen($_POST['username']) < 4)
  14. {
  15. $message = 'Incorrect Length for Username';
  16. }
  17. /*** check the password is the correct length ***/
  18. elseif (strlen( $_POST['password']) > 20 || strlen($_POST['password']) < 4)
  19. {
  20. $message = 'Incorrect Length for Password';
  21. }
  22. /*** check the username has only alpha numeric characters ***/
  23. elseif (ctype_alnum($_POST['username']) != true)
  24. {
  25. /*** if there is no match ***/
  26. $message = "Username must be alpha numeric";
  27. }
  28. /*** check the password has only alpha numeric characters ***/
  29. elseif (ctype_alnum($_POST['password']) != true)
  30. {
  31. /*** if there is no match ***/
  32. $message = "Password must be alpha numeric";
  33. }
  34. else
  35. {
  36. /*** if we are here the data is valid and we can insert it into database ***/
  37. $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
  38. $password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);
  39. $email = filter_var($_POST['email'], FILTER_SANITIZE_STRING);
  40. $address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
  41. $phone = filter_var($_POST['phone'], FILTER_SANITIZE_STRING);
  42. $picture = filter_var($_POST['picture'], FILTER_SANITIZE_STRING);
  43.  
  44. /*** now we can encrypt the password ***/
  45. $password = sha1( $password );
  46.  
  47. /*** connect to database ***/
  48. /*** mysql hostname ***/
  49. $mysql_hostname = 'localhost';
  50.  
  51. /*** mysql username ***/
  52. $mysql_username = 'root';
  53.  
  54. /*** mysql password ***/
  55. $mysql_password = 'mypassword-db';
  56.  
  57. /*** database name ***/
  58. $mysql_dbname = 'mydatabase';
  59.  
  60. try
  61. {
  62. $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
  63. /*** $message = a message saying we have connected ***/
  64.  
  65. /*** set the error mode to excptions ***/
  66. $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  67.  
  68. /*** prepare the insert ***/
  69. $stmt = $dbh->prepare("INSERT INTO users (username, password, email, address, phone, picture ) VALUES (:username, :password, :email, :address, :phone, :picture )");
  70.  
  71. /*** bind the parameters ***/
  72. $stmt->bindParam(':username', $username, PDO::PARAM_STR);
  73. $stmt->bindParam(':password', $password, PDO::PARAM_STR, 40);
  74. $stmt->bindParam(':email', $email, PDO::PARAM_STR);
  75. $stmt->bindParam(':address', $address, PDO::PARAM_STR);
  76. $stmt->bindParam(':phone', $phone, PDO::PARAM_STR);
  77. $stmt->bindParam(':picture', $picture, PDO::PARAM_STR);
  78. /*** execute the prepared statement ***/
  79. $stmt->execute();
  80.  
  81. /*** unset the form token session variable ***/
  82. unset( $_SESSION['form_token'] );
  83.  
  84. /*** if all is done, say thanks ***/
  85. $message = 'New user added';
  86. }
  87. catch(Exception $e)
  88. {
  89. /*** check if the username already exists ***/
  90. if( $e->getCode() == 23000)
  91. {
  92. $message = 'Username already exists';
  93. }
  94. else
  95. {
  96. /*** if we are here, something has gone wrong with the database ***/
  97. $message = 'We are unable to process your request. Please try again later"';
  98. }
  99. }
  100. }
  101. ?>
  102.  
  103. <html>
  104. <head>
  105. <title>Test Add User</title>
  106. </head>
  107. <body>
  108. <p><?php echo $message; ?>
  109. <?php header( "refresh:3;url=admin.php" ); ?>
  110. </body>
  111. </html>