Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- // check length of $_POST['username']
- if (strlen($_POST['username']) <3){
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- The username is too short (requier atleast 3 characters).
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ');
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- // check length of $_POST['password']
- if (strlen($_POST['password']) <5){
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- Your password is too short (requier atleast 5 characters)!
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ');
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- // Ensure that the user has entered a non-empty username
- if(empty($_POST['username']))
- {
- // Note that die() is generally a terrible way of handling user errors
- // like this. It is much better to display the error with the form
- // and allow the user to correct their mistake. However, that is an
- // exercise for you to implement yourself. ;
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- Please enter a username.
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ');
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- // Ensure that the user has entered a non-empty password
- if(empty($_POST['password']))
- {
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- Password cant be empty.
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ');
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- // Make sure the user entered a valid E-Mail address
- // filter_var is a useful PHP function for validating form input, see:
- // http://us.php.net/manual/en/function.filter-var.php
- // http://us.php.net/manual/en/filter.filters.php
- if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
- {
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- Please enter a valid E-mail address.
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ');
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- // We will use this SQL query to see whether the username entered by the
- // user is already in use. A SELECT query is used to retrieve data from the database.
- // :username is a special token, we will substitute a real value in its place when
- // we execute the query.
- $query = "
- SELECT
- 1
- FROM users
- WHERE
- username = :username
- ";
- // This contains the definitions for any special tokens that we place in
- // our SQL query. In this case, we are defining a value for the token
- // :username. It is possible to insert $_POST['username'] directly into
- // your $query string; however doing so is very insecure and opens your
- // code up to SQL injection exploits. Using tokens prevents this.
- // For more information on SQL injections, see Wikipedia:
- // http://en.wikipedia.org/wiki/SQL_Injection
- $query_params = array(
- ':username' => $_POST['username']
- );
- try
- {
- // These two statements run the query against your database table.
- $stmt = $db->prepare($query);
- $result = $stmt->execute($query_params);
- }
- catch(PDOException $ex)
- {
- // Note: On a production website, you should not output $ex->getMessage().
- // It may provide an attacker with helpful information about your code.
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- We where not able to process your information.
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ' . $ex->getMessage());
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- // The fetch() method returns an array representing the "next" row from
- // the selected results, or false if there are no more rows to fetch.
- $row = $stmt->fetch();
- // If a row was returned, then we know a matching username was found in
- // the database already and we should not allow the user to continue.
- if($row)
- {
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- Username is already taken
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ');
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- // Now we perform the same type of check for the email address, in order
- // to ensure that it is unique.
- $query = "
- SELECT
- 1
- FROM users
- WHERE
- email = :email
- ";
- $query_params = array(
- ':email' => $_POST['email']
- );
- try
- {
- $stmt = $db->prepare($query);
- $result = $stmt->execute($query_params);
- }
- catch(PDOException $ex)
- {
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- We where not able to process your information. Please try again.
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ' . $ex->getMessage());
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- $row = $stmt->fetch();
- if($row)
- {
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- E-mail address is already taken.
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ');
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- // An INSERT query is used to add new rows to a database table.
- // Again, we are using special tokens (technically called parameters) to
- // protect against SQL injection attacks.
- $query = "
- INSERT INTO users (
- username,
- password,
- email
- ) VALUES (
- :username,
- :password,
- :email
- )
- ";
- $password = password_hash($_POST['password']);
- // Here we prepare our tokens for insertion into the SQL query. We do not
- // store the original password; only the hashed version of it. We do store
- // the salt (in its plaintext form; this is not a security risk).
- $query_params = array(
- ':username' => $_POST['username'],
- ':password' => $password,
- ':email' => $_POST['email']
- );
- try
- {
- // Execute the query to create the user
- $stmt = $db->prepare($query);
- $result = $stmt->execute($query_params);
- }
- catch(PDOException $ex)
- {
- // Note: On a production website, you should not output $ex->getMessage().
- // It may provide an attacker with helpful information about your code.
- echo('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- We where not able to process your information. Please try again
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ' . $ex->getMessage());
- include $_SERVER["DOCUMENT_ROOT"] . "/assets/php/signup-save.php";
- die();
- }
- ob_clean();
- // This redirects the user back to the login page after they register
- echo'
- <div class="container">
- <div class="flag note note--info">
- <div class="flag__image note__icon">
- <i class="fa fa-info"></i>
- </div>
- <div class="flag__body note__text">
- <p>Successfull!<br />
- We have sent you an E-mail With a verification link. Please use the link to verify your account,
- and complete your registration.</p>
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ';
- // Calling die or exit after performing a redirect using the header function
- // is critical. The rest of your PHP script will continue to execute and
- // will be sent to the user if you do not die or exit.
- die();
- }
- //session to store input after die() function
- ?>
- // A salt is randomly generated here to protect again brute force attacks
- // and rainbow table attacks. The following statement generates a hex
- // representation of an 8 byte salt. Representing this in hex provides
- // no additional security, but makes it easier for humans to read.
- // For more information:
- // http://en.wikipedia.org/wiki/Salt_%28cryptography%29
- // http://en.wikipedia.org/wiki/Brute-force_attack
- // http://en.wikipedia.org/wiki/Rainbow_table
- $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
- // This hashes the password with the salt so that it can be stored securely
- // in your database. The output of this next statement is a 64 byte hex
- // string representing the 32 byte sha256 hash of the password. The original
- // password cannot be recovered from the hash. For more information:
- // http://en.wikipedia.org/wiki/Cryptographic_hash_function
- $password = hash('sha256', $_POST['password'] . $salt);
- // Next we hash the hash value 65536 more times. The purpose of this is to
- // protect against brute force attacks. Now an attacker must compute the hash 65537
- // times for each guess they make against a password, whereas if the password
- // were hashed only once the attacker would have been able to make 65537 different
- // guesses in the same amount of time instead of only one.
- for($round = 0; $round < 65536; $round++)
- {
- $password = hash('sha256', $password . $salt);
- }
- // Here we prepare our tokens for insertion into the SQL query. We do not
- // store the original password; only the hashed version of it. We do store
- // the salt (in its plaintext form; this is not a security risk).
- $query_params = array(
- ':username' => $_POST['username'],
- ':password' => $password,
- ':salt' => $salt,
- ':email' => $_POST['email']
- );
- <?php
- // This variable will be used to re-display the user's username to them in the
- // login form if they fail to enter the correct password. It is initialized here
- // to an empty value, which will be shown if the user has not submitted the form.
- $submitted_username = '';
- // This if statement checks to determine whether the login form has been submitted
- // If it has, then the login code is run, otherwise the form is displayed
- if(!empty($_POST))
- {
- // This query retreives the user's information from the database using
- // their username.
- $query = "
- SELECT
- *
- FROM users
- WHERE
- username = :username
- ";
- // The parameter values
- $query_params = array(
- ':username' => $_POST['username']
- );
- try
- {
- // Execute the query against the database
- $stmt = $db->prepare($query);
- $result = $stmt->execute($query_params);
- }
- catch(PDOException $ex)
- {
- // Note: On a production website, you should not output $ex->getMessage().
- // It may provide an attacker with helpful information about your code.
- die('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- Something went wrong, and we where not able to process your sigin in information.
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ' . $ex->getMessage());
- }
- // This variable tells us whether the user has successfully logged in or not.
- // We initialize it to false, assuming they have not.
- // If we determine that they have entered the right details, then we switch it to true.
- $login_ok = false;
- // Retrieve the user data from the database. If $row is false, then the username
- // they entered is not registered.
- $row = $stmt->fetch();
- if($row)
- {
- // Using the password submitted by the user and the salt stored in the database,
- // we now check to see whether the passwords match by hashing the submitted password
- // and comparing it to the hashed version already stored in the database.
- $check_password = hash('sha256', $_POST['password'] . $row['salt']);
- for($round = 0; $round < 65536; $round++)
- {
- $check_password = hash('sha256', $check_password . $row['salt']);
- }
- if($check_password === $row['password'])
- {
- // If they do, then we flip this to true
- $login_ok = true;
- }
- }
- // If the user logged in successfully, then we send them to the private members-only page
- // Otherwise, we display a login failed message and show the login form again
- if($login_ok)
- {
- // Here I am preparing to store the $row array into the $_SESSION by
- // removing the salt and password values from it. Although $_SESSION is
- // stored on the server-side, there is no reason to store sensitive values
- // in it unless you have to. Thus, it is best practice to remove these
- // sensitive values first.
- unset($row['salt']);
- unset($row['password']);
- // This stores the user's data into the session at the index 'user'.
- // We will check this index on the private members-only page to determine whether
- // or not the user is logged in. We can also use it to retrieve
- // the user's details.
- $_SESSION['user'] = $row;
- $username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
- $last_life_update = "UPDATE users SET last_seen = now() WHERE username = '$username'";
- $db->query($last_life_update);
- // Redirect the user to the private members-only page.
- ?>
- <!--I use script to redirect instead of PHP because some <meta> tags
- disables the header("Location:"); function. -->
- <script type="text/javascript">document.location.href="/";</script>
- <?php
- }
- else
- {
- // Tell the user they failed
- print('
- <div class="container">
- <div class="flag note note--error">
- <div class="flag__image note__icon">
- <i class="fa fa-times"></i>
- </div>
- <div class="flag__body note__text">
- Something went wrong!<br />
- We where not able to verify your account details, please try again.
- </div>
- <a href="#" class="note__close">
- <i class="fa fa-times"></i>
- </a>
- </div>
- </div>
- ');
- // Show them their username again so all they have to do is enter a new
- // password. The use of htmlentities prevents XSS attacks. You should
- // always use htmlentities on user submitted values before displaying them
- // to any users (including the user that submitted them). For more information:
- // http://en.wikipedia.org/wiki/XSS_attack
- $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
- }
- }
- ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement