<?php/* * Copyright (C) 2013 peter * * This program is free software: yo

1. <?php
2. /*
3. * Copyright (C) 2013 peter
4. *
5. * This program is free software: you can redistribute it and/or modify
6. * it under the terms of the GNU General Public License as published by
7. * the Free Software Foundation, either version 3 of the License, or
8. * (at your option) any later version.
9. *
10. * This program is distributed in the hope that it will be useful,
11. * but WITHOUT ANY WARRANTY; without even the implied warranty of
12. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13. * GNU General Public License for more details.
14. *
15. * You should have received a copy of the GNU General Public License
16. * along with this program. If not, see <http://www.gnu.org/licenses/>.
17. */
18.  
19. include_once 'db_connect.php';
20.  
21. $error_msg = "";
22. if (isset($_POST['username'], $_POST['email'], $_POST['p'])) {
23. // Sanitize and validate the data passed in
24. $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
25. $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
26. $email = filter_var($email, FILTER_VALIDATE_EMAIL);
27. if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
28. // Not a valid email
29. $error_msg .= '<p class="error">The email address you entered is not valid</p>';
30. }
31.  
32. $password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
33. if (strlen($password) != 128) {
34. // The hashed pwd should be 128 characters long.
35. // If it's not, something really odd has happened
36. $error_msg .= '<p class="error">Invalid password configuration.</p>';
37. }
38. // Username validity and password validity have been checked client side.
39. // This should should be adequate as nobody gains any advantage from
40. // breaking these rules.
41. //
42.  
43. $prep_stmt = "SELECT id FROM accounts WHERE email = ? LIMIT 1";
44. $stmt = $mysqli->prepare($prep_stmt);
45.  
46. if ($stmt) {
47. $stmt->bind_param('s', $email);
48. $stmt->execute();
49. $stmt->store_result();
50.  
51. if ($stmt->num_rows == 1) {
52. // A user with this email address already exists
53. $error_msg .= '<p class="error">A user with this email address already exists.</p>';
54. }
55. } else {
56. $error_msg .= '<p class="error">Database error</p>';
57. }
58.  
59. // TODO:
60. // We'll also have to account for the situation where the user doesn't have
61. // rights to do registration, by checking what type of user is attempting to
62. // perform the operation.
63. if (empty($error_msg)) {
64. // Create a random salt
65. $random_salt = hash('whirlpool', uniqid(openssl_random_pseudo_bytes(16), TRUE));
66. // Create salted password
67. $passwordhash = hash('whirlpool', $password . $random_salt);
68. $password = strtoupper($passwordhash);
69.  
70. // Insert the new user into the database
71. if ($insert_stmt = $mysqli->prepare("INSERT INTO accounts (username, email, password, salt) VALUES (?, ?, ?, ?)")) {
72. $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
73. // Execute the prepared query.
74. if (! $insert_stmt->execute()) {
75. header('Location: ../error.php?err=Registration failure: INSERT');
76. exit();
77. }
78. }
79. header('Location: ./register_success.php');
80. exit();
81. }
82. }