API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Sep 30th, 2016
105
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 20.50 KB | None | 0 0
raw download clone embed print report
  1. // check length of $_POST['username']
  2. if (strlen($_POST['username']) <3){
  3. echo('
  4. <div class="container">
  5. <div class="flag note note--error">
  6. <div class="flag__image note__icon">
  7. <i class="fa fa-times"></i>
  8. </div>
  9. <div class="flag__body note__text">
  10. Something went wrong!<br />
  11. The username is too short (requier atleast 3 characters).
  12. </div>
  13. <a href="#" class="note__close">
  14. <i class="fa fa-times"></i>
  15. </a>
  16. </div>
  17. </div>
  18. ');
  19. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  20. die();
  21. }
  22.  
  23. // check length of $_POST['password']
  24. if (strlen($_POST['password']) <5){
  25. echo('
  26. <div class="container">
  27. <div class="flag note note--error">
  28. <div class="flag__image note__icon">
  29. <i class="fa fa-times"></i>
  30. </div>
  31. <div class="flag__body note__text">
  32. Something went wrong!<br />
  33. Your password is too short (requier atleast 5 characters)!
  34. </div>
  35. <a href="#" class="note__close">
  36. <i class="fa fa-times"></i>
  37. </a>
  38. </div>
  39. </div>
  40. ');
  41. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  42. die();
  43. }
  44. // Ensure that the user has entered a non-empty username
  45. if(empty($_POST['username']))
  46. {
  47. // Note that die() is generally a terrible way of handling user errors
  48. // like this. It is much better to display the error with the form
  49. // and allow the user to correct their mistake. However, that is an
  50. // exercise for you to implement yourself. ;
  51. echo('
  52. <div class="container">
  53. <div class="flag note note--error">
  54. <div class="flag__image note__icon">
  55. <i class="fa fa-times"></i>
  56. </div>
  57. <div class="flag__body note__text">
  58. Something went wrong!<br />
  59. Please enter a username.
  60. </div>
  61. <a href="#" class="note__close">
  62. <i class="fa fa-times"></i>
  63. </a>
  64. </div>
  65. </div>
  66. ');
  67. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  68. die();
  69. }
  70.  
  71. // Ensure that the user has entered a non-empty password
  72. if(empty($_POST['password']))
  73. {
  74. echo('
  75. <div class="container">
  76. <div class="flag note note--error">
  77. <div class="flag__image note__icon">
  78. <i class="fa fa-times"></i>
  79. </div>
  80. <div class="flag__body note__text">
  81. Something went wrong!<br />
  82. Password cant be empty.
  83. </div>
  84. <a href="#" class="note__close">
  85. <i class="fa fa-times"></i>
  86. </a>
  87. </div>
  88. </div>
  89. ');
  90. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  91. die();
  92. }
  93.  
  94. // Make sure the user entered a valid E-Mail address
  95. // filter_var is a useful PHP function for validating form input, see:
  96. // http://us.php.net/manual/en/function.filter-var.php
  97. // http://us.php.net/manual/en/filter.filters.php
  98. if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
  99. {
  100. echo('
  101. <div class="container">
  102. <div class="flag note note--error">
  103. <div class="flag__image note__icon">
  104. <i class="fa fa-times"></i>
  105. </div>
  106. <div class="flag__body note__text">
  107. Something went wrong!<br />
  108. Please enter a valid E-mail address.
  109. </div>
  110. <a href="#" class="note__close">
  111. <i class="fa fa-times"></i>
  112. </a>
  113. </div>
  114. </div>
  115. ');
  116. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  117. die();
  118. }
  119.  
  120. // We will use this SQL query to see whether the username entered by the
  121. // user is already in use. A SELECT query is used to retrieve data from the database.
  122. // :username is a special token, we will substitute a real value in its place when
  123. // we execute the query.
  124. $query = "
  125. SELECT
  126. 1
  127. FROM users
  128. WHERE
  129. username = :username
  130. ";
  131.  
  132. // This contains the definitions for any special tokens that we place in
  133. // our SQL query. In this case, we are defining a value for the token
  134. // :username. It is possible to insert $_POST['username'] directly into
  135. // your $query string; however doing so is very insecure and opens your
  136. // code up to SQL injection exploits. Using tokens prevents this.
  137. // For more information on SQL injections, see Wikipedia:
  138. // http://en.wikipedia.org/wiki/SQL_Injection
  139. $query_params = array(
  140. ':username' => $_POST['username']
  141. );
  142.  
  143. try
  144. {
  145. // These two statements run the query against your database table.
  146. $stmt = $db->prepare($query);
  147. $result = $stmt->execute($query_params);
  148. }
  149. catch(PDOException $ex)
  150. {
  151. // Note: On a production website, you should not output $ex->getMessage().
  152. // It may provide an attacker with helpful information about your code.
  153. echo('
  154. <div class="container">
  155. <div class="flag note note--error">
  156. <div class="flag__image note__icon">
  157. <i class="fa fa-times"></i>
  158. </div>
  159. <div class="flag__body note__text">
  160. Something went wrong!<br />
  161. We where not able to process your information.
  162. </div>
  163. <a href="#" class="note__close">
  164. <i class="fa fa-times"></i>
  165. </a>
  166. </div>
  167. </div>
  168. ' . $ex->getMessage());
  169. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  170. die();
  171. }
  172.  
  173. // The fetch() method returns an array representing the "next" row from
  174. // the selected results, or false if there are no more rows to fetch.
  175. $row = $stmt->fetch();
  176.  
  177. // If a row was returned, then we know a matching username was found in
  178. // the database already and we should not allow the user to continue.
  179. if($row)
  180. {
  181. echo('
  182. <div class="container">
  183. <div class="flag note note--error">
  184. <div class="flag__image note__icon">
  185. <i class="fa fa-times"></i>
  186. </div>
  187. <div class="flag__body note__text">
  188. Something went wrong!<br />
  189. Username is already taken
  190. </div>
  191. <a href="#" class="note__close">
  192. <i class="fa fa-times"></i>
  193. </a>
  194. </div>
  195. </div>
  196. ');
  197. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  198. die();
  199. }
  200.  
  201. // Now we perform the same type of check for the email address, in order
  202. // to ensure that it is unique.
  203. $query = "
  204. SELECT
  205. 1
  206. FROM users
  207. WHERE
  208. email = :email
  209. ";
  210.  
  211. $query_params = array(
  212. ':email' => $_POST['email']
  213. );
  214.  
  215. try
  216. {
  217. $stmt = $db->prepare($query);
  218. $result = $stmt->execute($query_params);
  219. }
  220. catch(PDOException $ex)
  221. {
  222. echo('
  223. <div class="container">
  224. <div class="flag note note--error">
  225. <div class="flag__image note__icon">
  226. <i class="fa fa-times"></i>
  227. </div>
  228. <div class="flag__body note__text">
  229. Something went wrong!<br />
  230. We where not able to process your information. Please try again.
  231. </div>
  232. <a href="#" class="note__close">
  233. <i class="fa fa-times"></i>
  234. </a>
  235. </div>
  236. </div>
  237. ' . $ex->getMessage());
  238. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  239. die();
  240. }
  241.  
  242. $row = $stmt->fetch();
  243.  
  244. if($row)
  245. {
  246. echo('
  247. <div class="container">
  248. <div class="flag note note--error">
  249. <div class="flag__image note__icon">
  250. <i class="fa fa-times"></i>
  251. </div>
  252. <div class="flag__body note__text">
  253. Something went wrong!<br />
  254. E-mail address is already taken.
  255. </div>
  256. <a href="#" class="note__close">
  257. <i class="fa fa-times"></i>
  258. </a>
  259. </div>
  260. </div>
  261. ');
  262. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  263. die();
  264. }
  265.  
  266. // An INSERT query is used to add new rows to a database table.
  267. // Again, we are using special tokens (technically called parameters) to
  268. // protect against SQL injection attacks.
  269. $query = "
  270. INSERT INTO users (
  271. username,
  272. password,
  273. email
  274. ) VALUES (
  275. :username,
  276. :password,
  277. :email
  278. )
  279. ";
  280.  
  281.  
  282. $password = password_hash($_POST['password']);
  283.  
  284. // Here we prepare our tokens for insertion into the SQL query. We do not
  285. // store the original password; only the hashed version of it. We do store
  286. // the salt (in its plaintext form; this is not a security risk).
  287. $query_params = array(
  288. ':username' => $_POST['username'],
  289. ':password' => $password,
  290. ':email' => $_POST['email']
  291. );
  292.  
  293. try
  294. {
  295. // Execute the query to create the user
  296. $stmt = $db->prepare($query);
  297. $result = $stmt->execute($query_params);
  298. }
  299. catch(PDOException $ex)
  300. {
  301. // Note: On a production website, you should not output $ex->getMessage().
  302. // It may provide an attacker with helpful information about your code.
  303. echo('
  304. <div class="container">
  305. <div class="flag note note--error">
  306. <div class="flag__image note__icon">
  307. <i class="fa fa-times"></i>
  308. </div>
  309. <div class="flag__body note__text">
  310. Something went wrong!<br />
  311. We where not able to process your information. Please try again
  312. </div>
  313. <a href="#" class="note__close">
  314. <i class="fa fa-times"></i>
  315. </a>
  316. </div>
  317. </div>
  318. ' . $ex->getMessage());
  319. include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
  320. die();
  321. }
  322.  
  323. ob_clean();
  324. // This redirects the user back to the login page after they register
  325. echo'
  326. <div class="container">
  327. <div class="flag note note--info">
  328. <div class="flag__image note__icon">
  329. <i class="fa fa-info"></i>
  330. </div>
  331. <div class="flag__body note__text">
  332. <p>Successfull!<br />
  333. We have sent you an E-mail With a verification link. Please use the link to verify your account,
  334. and complete your registration.</p>
  335. </div>
  336. <a href="#" class="note__close">
  337. <i class="fa fa-times"></i>
  338. </a>
  339. </div>
  340. </div>
  341. ';
  342.  
  343. // Calling die or exit after performing a redirect using the header function
  344. // is critical. The rest of your PHP script will continue to execute and
  345. // will be sent to the user if you do not die or exit.
  346. die();
  347.  
  348. }
  349.  
  350.  
  351. //session to store input after die() function
  352. ?>
  353.  
  354. // A salt is randomly generated here to protect again brute force attacks
  355. // and rainbow table attacks. The following statement generates a hex
  356. // representation of an 8 byte salt. Representing this in hex provides
  357. // no additional security, but makes it easier for humans to read.
  358. // For more information:
  359. // http://en.wikipedia.org/wiki/Salt_%28cryptography%29
  360. // http://en.wikipedia.org/wiki/Brute-force_attack
  361. // http://en.wikipedia.org/wiki/Rainbow_table
  362. $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
  363.  
  364. // This hashes the password with the salt so that it can be stored securely
  365. // in your database. The output of this next statement is a 64 byte hex
  366. // string representing the 32 byte sha256 hash of the password. The original
  367. // password cannot be recovered from the hash. For more information:
  368. // http://en.wikipedia.org/wiki/Cryptographic_hash_function
  369. $password = hash('sha256', $_POST['password'] . $salt);
  370.  
  371. // Next we hash the hash value 65536 more times. The purpose of this is to
  372. // protect against brute force attacks. Now an attacker must compute the hash 65537
  373. // times for each guess they make against a password, whereas if the password
  374. // were hashed only once the attacker would have been able to make 65537 different
  375. // guesses in the same amount of time instead of only one.
  376. for($round = 0; $round < 65536; $round++)
  377. {
  378. $password = hash('sha256', $password . $salt);
  379. }
  380.  
  381. // Here we prepare our tokens for insertion into the SQL query. We do not
  382. // store the original password; only the hashed version of it. We do store
  383. // the salt (in its plaintext form; this is not a security risk).
  384. $query_params = array(
  385. ':username' => $_POST['username'],
  386. ':password' => $password,
  387. ':salt' => $salt,
  388. ':email' => $_POST['email']
  389. );
  390.  
  391. <?php
  392. // This variable will be used to re-display the user's username to them in the
  393. // login form if they fail to enter the correct password. It is initialized here
  394. // to an empty value, which will be shown if the user has not submitted the form.
  395. $submitted_username = '';
  396.  
  397. // This if statement checks to determine whether the login form has been submitted
  398. // If it has, then the login code is run, otherwise the form is displayed
  399. if(!empty($_POST))
  400. {
  401. // This query retreives the user's information from the database using
  402. // their username.
  403. $query = "
  404. SELECT
  405. *
  406. FROM users
  407. WHERE
  408. username = :username
  409. ";
  410.  
  411. // The parameter values
  412. $query_params = array(
  413. ':username' => $_POST['username']
  414. );
  415.  
  416. try
  417. {
  418. // Execute the query against the database
  419. $stmt = $db->prepare($query);
  420. $result = $stmt->execute($query_params);
  421. }
  422. catch(PDOException $ex)
  423. {
  424. // Note: On a production website, you should not output $ex->getMessage().
  425. // It may provide an attacker with helpful information about your code.
  426. die('
  427. <div class="container">
  428. <div class="flag note note--error">
  429. <div class="flag__image note__icon">
  430. <i class="fa fa-times"></i>
  431. </div>
  432. <div class="flag__body note__text">
  433. Something went wrong!<br />
  434. Something went wrong, and we where not able to process your sigin in information.
  435. </div>
  436. <a href="#" class="note__close">
  437. <i class="fa fa-times"></i>
  438. </a>
  439. </div>
  440. </div>
  441. ' . $ex->getMessage());
  442. }
  443.  
  444. // This variable tells us whether the user has successfully logged in or not.
  445. // We initialize it to false, assuming they have not.
  446. // If we determine that they have entered the right details, then we switch it to true.
  447. $login_ok = false;
  448.  
  449. // Retrieve the user data from the database. If $row is false, then the username
  450. // they entered is not registered.
  451. $row = $stmt->fetch();
  452. if($row)
  453. {
  454. // Using the password submitted by the user and the salt stored in the database,
  455. // we now check to see whether the passwords match by hashing the submitted password
  456. // and comparing it to the hashed version already stored in the database.
  457. $check_password = hash('sha256', $_POST['password'] . $row['salt']);
  458. for($round = 0; $round < 65536; $round++)
  459. {
  460. $check_password = hash('sha256', $check_password . $row['salt']);
  461. }
  462.  
  463. if($check_password === $row['password'])
  464. {
  465. // If they do, then we flip this to true
  466. $login_ok = true;
  467. }
  468. }
  469.  
  470. // If the user logged in successfully, then we send them to the private members-only page
  471. // Otherwise, we display a login failed message and show the login form again
  472. if($login_ok)
  473. {
  474.  
  475. // Here I am preparing to store the $row array into the $_SESSION by
  476. // removing the salt and password values from it. Although $_SESSION is
  477. // stored on the server-side, there is no reason to store sensitive values
  478. // in it unless you have to. Thus, it is best practice to remove these
  479. // sensitive values first.
  480. unset($row['salt']);
  481. unset($row['password']);
  482.  
  483. // This stores the user's data into the session at the index 'user'.
  484. // We will check this index on the private members-only page to determine whether
  485. // or not the user is logged in. We can also use it to retrieve
  486. // the user's details.
  487. $_SESSION['user'] = $row;
  488.  
  489. $username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
  490. $last_life_update = "UPDATE users SET last_seen = now() WHERE username = '$username'";
  491. $db->query($last_life_update);
  492. // Redirect the user to the private members-only page.
  493. ?>
  494.  
  495. <!--I use script to redirect instead of PHP because some <meta> tags
  496. disables the header("Location:"); function. -->
  497. <script type="text/javascript">document.location.href="/";</script>
  498.  
  499. <?php
  500. }
  501. else
  502. {
  503. // Tell the user they failed
  504. print('
  505. <div class="container">
  506. <div class="flag note note--error">
  507. <div class="flag__image note__icon">
  508. <i class="fa fa-times"></i>
  509. </div>
  510. <div class="flag__body note__text">
  511. Something went wrong!<br />
  512. We where not able to verify your account details, please try again.
  513. </div>
  514. <a href="#" class="note__close">
  515. <i class="fa fa-times"></i>
  516. </a>
  517. </div>
  518. </div>
  519. ');
  520.  
  521. // Show them their username again so all they have to do is enter a new
  522. // password. The use of htmlentities prevents XSS attacks. You should
  523. // always use htmlentities on user submitted values before displaying them
  524. // to any users (including the user that submitted them). For more information:
  525. // http://en.wikipedia.org/wiki/XSS_attack
  526. $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
  527. }
  528. }
  529. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!