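<?php
declare(strict_types=1);
//|-------------------------------------------------|
//| Author of this script is: BitSec |
//| Day of Publication: 4-3-2017 (mm-dd-yy) |
//| if you would like to distribute this script |
//| on other forums then leave this here! |
//|-------------------------------------------------|
// Registration endpoint. Validates the POSTed form (username, password,
// email, optional referral), stores the new user with a bcrypt password hash
// and then either mails a verification link ($ranksetting == 0) or logs the
// user in straight away. Every failed check prints one message and stops.
include 'connect.php'; // expected to provide $conn (a PDO connection)

//some settings for easy management
//for $usernamemax and min you need to add 1 to what you want the max length to be
//(both bounds are exclusive: a name must be longer than min and shorter than max)
$usernamemaxchars = 26;
$usernameminchars = 3;
//with website name please include www. if your site is unaccessable without (you can test it by going to your website without www. if it works then www. is not needed)
$websitename = 'localhost';
//From: address of the verification mail (the original had '$' where the '@' belongs)
$websitenorep = 'no-reply@localhost.com';
//set the login script page link in here
$loginpage = '';
//page a new member is sent to when no email verification is required
//(the original redirected to $redirectpage without ever defining it; leave empty to skip the redirect)
$redirectpage = '';
//set this to 1 if you dont want a email verification. (the next tutorial will be an tutorial about how verification script)
// you will find a link at the bottom of the post when the tutorial is online.
$ranksetting = 0;

// Print the error for the user and stop the script; every failed check ends here.
function failRegistration(string $message): void
{
    echo $message;
    exit();
}

// The POSTed field as a string, or null when it is missing or not a plain
// string (a field submitted as name[] arrives as an array and would break strlen()).
function postedString(string $key): ?string
{
    if (isset($_POST[$key]) && is_string($_POST[$key])) {
        return $_POST[$key];
    }
    return null;
}

// True when the name is strictly longer than $min and strictly shorter than $max bytes.
// Byte length is fine here because nameCharsOk() only admits ASCII anyway.
function nameLengthOk(string $name, int $min, int $max): bool
{
    $length = strlen($name);
    return $length < $max && $length > $min;
}

// True when the name contains only a-z, A-Z, 0-9, underscore, dash and dot.
function nameCharsOk(string $name): bool
{
    return preg_match('/[^a-zA-Z0-9_\-.]/', $name) !== 1;
}

// True when a row in users matches the given column value.
// fetchColumn() is used instead of rowCount(), which PDO does not guarantee for SELECT.
// $column is only ever called with the fixed names 'username' / 'email' below.
function userRowExists(PDO $conn, string $column, string $value): bool
{
    $query = $conn->prepare('SELECT ' . $column . ' FROM users WHERE ' . $column . ' = :value;');
    $query->bindValue(':value', $value);
    $query->execute();
    return $query->fetchColumn() !== false;
}

//check if the username is not empty/set
$username = postedString('username');
if ($username === null) {
    failRegistration('you need to fill in a username');
}
//check if the username is between the min and max chars (exclusive bounds, see the settings)
if (!nameLengthOk($username, $usernameminchars, $usernamemaxchars)) {
    failRegistration('username needs to be at least ' . ($usernameminchars + 1) . ' chars long and max ' . ($usernamemaxchars - 1) . ' chars long');
}
//check if the username contains any not allowed chars (allowed chars are a to z A to Z 0 to 9 and _ - and .)
if (!nameCharsOk($username)) {
    failRegistration('username can only have letters, numbers, underscore and a dot');
}
//no other user may already have this username
if (userRowExists($conn, 'username', $username)) {
    failRegistration('The username you`ve entered is already in use');
}

//check if the user filled in an password and a retypepassword field
$password = postedString('password');
$retypepassword = postedString('retypepassword');
if ($password === null || $retypepassword === null) {
    failRegistration('you need to fill in a password and retype it');
}
//check if the passwords match eachother (just a security on typos); strict compare so
//numeric-looking strings such as "1e3" and "1000" are not treated as equal
if ($password !== $retypepassword) {
    failRegistration('the passwords you`ve entered do not match');
}
//check the password length (the original had the parenthesis misplaced,
//strlen($_POST['password'] > $min), which let any password through)
if (strlen($password) <= $usernameminchars) {
    failRegistration('password needs to be at least ' . ($usernameminchars + 1) . ' characters long');
}

//check if the user filled in an email and if user has retyped the email to confirm it
$email = postedString('email');
$retypeemail = postedString('retypeemail');
if ($email === null || $retypeemail === null) {
    failRegistration('you need to fill in your email and retypeemail');
}
//check if the email is the same as the retypedemail because we dont want to store a wrong email address.
if ($email !== $retypeemail) {
    failRegistration('the email addresses you`ve entered do not match');
}
//check if the email is a valid email address
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    failRegistration('the email you`ve entered is not a valid email address');
}
//no other user may already have this email
if (userRowExists($conn, 'email', $email)) {
    failRegistration('the email you`ve entered is already in use');
}

//the refferal is optional: an empty or missing field is simply ignored, anything else must
//be an existing username (same length/charset rules as a username)
$refferal = postedString('refferal');
if ($refferal === '') {
    $refferal = null;
}
if ($refferal !== null) {
    //(the original had the parenthesis misplaced here too, so the length was never checked)
    if (!nameLengthOk($refferal, $usernameminchars, $usernamemaxchars)) {
        failRegistration('refferal name is to short or to long');
    }
    if (!nameCharsOk($refferal)) {
        failRegistration('refferal can only have letters, numbers, underscore and a dot');
    }
    //the refferal must exist, otherwise nobody can be credited for bringing this user in
    if (!userRowExists($conn, 'username', $refferal)) {
        failRegistration('The refferal you`ve entered does not exsist');
    }
}

// A higher "cost" is more secure but consumes more processing power
//if you would like to know more about password hashing then check the links below :)
$cost = 10;
// Create a random salt: 16 bytes -> 24 base64 chars, crypt() reads the first 22 of them.
// base64's '+' is not in bcrypt's salt alphabet, so it is swapped for '.'.
// mcrypt_create_iv() was removed in PHP 7.2; random_bytes() is the CSPRNG replacement.
$salt = strtr(base64_encode(random_bytes(16)), '+', '.');
// Prefix the salt with the scheme so PHP knows how to verify it later.
// "$2a$" Means we are using the Blowfish algorithm. The following two digits are the cost parameters.
$salt = sprintf('$2a$%02d$', $cost) . $salt;
// Hash the password with the salt.
// NOTE(review): crypt() with an explicit salt is kept (instead of password_hash())
// because the verification token below reuses this same $salt and verify.php is
// not part of this file; password_verify() accepts this hash format on the login side.
$passwordHash = crypt($password, $salt);

//insert our new user into our database so he can login the next time he visited
//(the original INSERT was missing the closing parenthesis of the VALUES list)
$query = $conn->prepare('INSERT INTO users (rank, username, password, email, Date, Refferals) VALUES (:rank, :username, :password, :email, NOW(), 0);');
//bind the params (security against SQL injections); rank is bound as an integer
$query->bindValue(':rank', $ranksetting, PDO::PARAM_INT);
$query->bindValue(':username', $username);
$query->bindValue(':password', $passwordHash);
$query->bindValue(':email', $email);
//Execute the query
$query->execute();

//here we are setting some sessions. we have two options to do here.
//1. we can redirect them to their user profile without them having to login. OR
//2. we can first send them a verification email wich will also use the sessions to redirect them to the user profile without having them to login
//$_SESSION is only populated once a session has been started; connect.php may already have done so
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$_SESSION['username'] = $username;
//this is the bcrypt hash, never the clear-text password.
//NOTE(review): nothing in this file reads it back; drop it once no other page depends on it.
$_SESSION['password'] = $passwordHash;
//the rank in the database is zero but im also setting a session to zero so we dont have to use a database to check if they are allowed to login.
//i will set the rank in the session and in the database to 1 once they have verified their email address. and then they can go to their homepage without having to login first.
//Dont want a email verif system? just set the 0 to a 1
$_SESSION['rank'] = $ranksetting;

if ($ranksetting === 0) {
    //dont want a email verif system? remove this block of code
    // Verification token: the username hashed with the same salt as the password.
    $hash = crypt($username, $salt);
    //build the link; the token contains '$', '.' and '/' so every value is URL-encoded
    //(the original concatenated the raw values)
    $linkparams = ['v' => $hash, 'u' => $username];
    if ($refferal !== null) {
        $linkparams['r'] = $refferal;
    }
    //set verify.php to whatever your verify system is. in my case its called verify.php
    $veriflink = $websitename . '/verify.php?' . http_build_query($linkparams, '', '&', PHP_QUERY_RFC3986);
    //so we will set some variables now to use for sending the email later. variables speak for themselves.
    $to = $email;
    //setting the subject (make sure the user knows where it came from)
    $subject = $websitename . ' - Verification Email';
    //setting the message
    $message = '
Hello ' . $username . ' you are receiving this message because you need to verify your email before you can login on our site.
If you are not ' . $username . ' then just ignore or remove this message. Thanks!
If you cannot click the link then just copy and paste it in your URL bar or Address bar
Your verification link is: ' . $veriflink;
    //setting some headers can containt (From, Reply-To, X-Mailer etc)
    $headers = 'From: ' . $websitenorep;
    //So now we send an verification email for the user so he can verify himself.
    //we can later use the same system as the password check so we know the code is real.
    mail($to, $subject, $message, $headers);
    echo "Thank you for registering! please check your mailbox for the verification link";
} else {
    //update the rank so we can log the user in without having to use the database.
    //because he/she has rank 0 by default so we want to change it to 1 wich equals Verified User (verif system also protects againts Account Duplicates)
    $_SESSION['rank'] = 1;
    //we are setting logged in to true because we want to log him in automaticly
    $_SESSION['LoggedIn'] = true;
    //the redirect header has to go out before any body output (the original echoed first,
    //so header() failed with "headers already sent")
    if ($redirectpage !== '') {
        header('Location: ' . $redirectpage);
    }
    //show congratz message or whatever you like.
    echo "You are now Member! You will be automaticly logged in less then 5 seconds!";
}
?>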
- Password Hashing Information:
- http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/