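<?php
/* Require settings for the server. */
require_once('settings.php');
/* Require a MySQLi Connection. */
require_once('mySQLiConnection.php');
/*
 * Session hardening. The session ID is deliberately NOT set by hand any more.
 * The previous session_id(hash_hmac('sha512', time(), AUTH_KEY)) call ran on
 * every request, so each request got a brand-new ID and nothing written to
 * $_SESSION (for example the registration form token) survived to the next
 * request; worse, every visitor arriving within the same second received the
 * same ID and therefore shared one session. PHP's own generator yields an
 * unpredictable per-visitor ID; call session_regenerate_id(true) after a
 * successful login instead.
 */
ini_set('session.use_strict_mode', '1');  /* reject IDs the server did not issue */
ini_set('session.use_only_cookies', '1'); /* never accept the ID from the URL */
ini_set('session.cookie_httponly', '1');  /* keep the cookie away from page scripts */
/* All visitors on the site shall have a session.
   If logged in; add information to the session. */
session_start();
/* Require the HTML DOM-Tree. */
require_once('html.php');
/* Route on the requested action. Only a plain string is accepted (an
   array-valued action=[] would make trim() fail); anything unknown falls
   back to the index page. */
$action = 'index';
if (isset($_REQUEST['action']) && is_string($_REQUEST['action'])) {
    $action = trim($_REQUEST['action']);
}
if ($action === 'register') {
    require 'register.php';
}
?>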
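<?php
/*
 * CSRF token for the registration form, stored in the session and echoed
 * into a hidden input so register.php can check the submission came from
 * this form.
 *
 * The token is generated once per session and reused on later renders, so
 * opening the form in a second tab does not invalidate the first one.
 * random_bytes() gives an unpredictable value; the previous
 * hash_hmac('sha512', time(), AUTH_KEY) produced the same token for every
 * visitor within the same second.
 *
 * @see http://php.net/manual/en/function.random-bytes.php
 */
if (!isset($_SESSION['formToken']) || !is_string($_SESSION['formToken'])) {
    $_SESSION['formToken'] = bin2hex(random_bytes(32));
}
/* Escape for the HTML attribute context. The value is hex, so this is
   belt-and-braces, but every echo of session state on the page stays escaped. */
$formTokenHtml = htmlspecialchars($_SESSION['formToken'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head>
<title>
Account Management
</title>
</head>
<body>
<h1>
Register an account
</h1>
<form action = "?action=register" method = "POST">
<input type = "hidden" name = "token" value = "<?php echo $formTokenHtml; ?>"/>
<table>
<tr>
<td>
<label>
Username:
</label>
</td>
<td>
<input name = "username" type = "text"/>
</td>
</tr>
<tr>
<td>
<label>
Password:
</label>
</td>
<td>
<input name = "password01" type = "password"/>
</td>
</tr>
<tr>
<td>
<label>
Confirm Password:
</label>
</td>
<td>
<input name = "password02" type = "password"/>
</td>
</tr>
<tr>
<td>
<label>
E-mail:
</label>
</td>
<td>
<input name = "email" type = "text"/>
</td>
</tr>
<tr>
<td colspan = "2">
<input type = "submit" value = "Register"/>
</td>
</tr>
</table>
</form>
</body>
</html>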
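<?php
/*
 * Registration handler. Included by the front controller after
 * session_start(), with the settings constants and $sqlConnection
 * (from mySQLiConnection.php) in scope.
 *
 * Every failure path stops with a user-facing <label>. Database diagnostics
 * are written to the server log only; mysqli_error() text reveals table and
 * query details and must not reach the browser.
 */

/* Emit a user-facing error label and stop. Callers escape any request-derived
   value before passing it in. */
$abort = function ($message) {
    die('<label class = "message" id = "error">' . $message . '</label>');
};
/* Escape a value for the HTML body/attribute context. */
$escape = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};
/* Log the MySQLi failure with its diagnostics, show the user a generic message. */
$abortOnSqlError = function ($sqlConnection) use ($abort) {
    error_log('register.php: MySQLi error ' . mysqli_errno($sqlConnection) . ': ' . mysqli_error($sqlConnection));
    $abort('Sorry, the registration could not be completed right now. Please try again later.');
};

/* The form posts; a plain GET to ?action=register is not a registration attempt. */
if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
    $abort('One or more of the credential fields are missing content.');
}

/**
 * Whitelist of form-fields to prevent external posting; only these keys are
 * read out of $_POST. Each must be present, a plain string (an array value
 * such as username[]=... would otherwise reach strlen()/bind_param()),
 * and non-empty. isset() also avoids the undefined-index notice the previous
 * bare $_POST[$key] access raised when a field was absent.
 */
$whitelist = array('token', 'username', 'password01', 'password02', 'email');
/**
 * Final array containing the whitelisted information wanted.
 */
$formDATA = array();
foreach ($whitelist as $key) {
    if (!isset($_POST[$key]) || !is_string($_POST[$key]) || $_POST[$key] === '') {
        $abort('One or more of the credential fields are missing content.');
    }
    $formDATA[$key] = $_POST[$key];
}

/*
 * CSRF check. The submitted token must equal the one issued to this session
 * when the form was rendered. hash_equals() compares in constant time so the
 * comparison itself leaks nothing about the token; the previous loose !=
 * did not, and the var_dump() calls that used to sit here printed both the
 * form token and the session token into the response. (The "completely
 * different" values they were chasing came from the front controller
 * assigning a fresh time()-based session_id() on every request.) The session
 * token is consumed after the check so a captured submission cannot be replayed.
 */
if (!isset($_SESSION['formToken']) || !is_string($_SESSION['formToken'])
    || !hash_equals($_SESSION['formToken'], $formDATA['token'])) {
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    /* HTTP_HOST is attacker-controlled request data; escape it before echoing. */
    $abort('The form that the data is being submitted from seems not to come from our official site.<br>Please make sure you are using our form from ' . $escape($host));
}
unset($_SESSION['formToken']);

/* Username: 20 characters or less. mb_strlen() counts characters rather
   than bytes, so a multi-byte name is measured the way the user sees it. */
if (mb_strlen($formDATA['username'], 'UTF-8') > 20) {
    $abort('Sorry, your account username needs to be 20 characters or less.');
}
/* Password policy as stated in the message shown to the user: 8 to 20
   characters with at least one capital letter, one number and one special
   character. The previous check enforced only the length. A preg_match()
   failure (e.g. invalid UTF-8) returns false and is treated as a rejection. */
$password = $formDATA['password01'];
$passwordLength = mb_strlen($password, 'UTF-8');
if ($passwordLength < 8 || $passwordLength > 20
    || !preg_match('/\p{Lu}/u', $password)
    || !preg_match('/\p{N}/u', $password)
    || !preg_match('/[^\p{L}\p{N}]/u', $password)) {
    $abort('Sorry, your password needs to be between 8 to 20 characters and contain at least; one capital letter, one special character and one number.');
}
/* Server-sided check that the two passwords match, done before any database
   round trip so a typo does not cost a query. */
if ($password !== $formDATA['password02']) {
    $abort('The two passwords do not match.');
}
/* The address is stored for the account; reject anything that is not
   syntactically an e-mail address. */
if (filter_var($formDATA['email'], FILTER_VALIDATE_EMAIL) === false) {
    $abort('One or more of the credential fields are missing content.');
}

/**
 * Check whether the username is already taken.
 *
 * NOTE(review): this check is not atomic; two registrations racing on the
 * same name can both pass it. The `username` column should carry a UNIQUE
 * constraint so the INSERT below is the final arbiter — confirm in the schema.
 *
 * mysqli_prepare() returns false on failure, which the previous code passed
 * straight into bind_param(); it is now checked. The result set is stored
 * and the statement closed before the next prepare so the connection is not
 * left with an unread result.
 *
 * @see http://php.net/manual/en/mysqli.prepare.php
 */
$statement = mysqli_prepare($sqlConnection, "SELECT username FROM `accounts` WHERE `username` = ?");
if ($statement === false || !mysqli_stmt_bind_param($statement, "s", $formDATA['username'])) {
    $abortOnSqlError($sqlConnection);
}
if (!mysqli_stmt_execute($statement) || !mysqli_stmt_store_result($statement)) {
    $abortOnSqlError($sqlConnection);
}
$alreadyTaken = mysqli_stmt_num_rows($statement) > 0;
mysqli_stmt_close($statement);
if ($alreadyTaken) {
    $abort('An account with a similar username allready exists.');
}

/**
 * Hash the password with the password API (PASSWORD_DEFAULT: a slow,
 * per-user-salted algorithm chosen by PHP). The previous
 * hash_hmac('sha512', $password . NONCE_KEY, SITE_KEY) was a fast hash with a
 * site-wide pepper and no per-user salt, so identical passwords stored
 * identically and a leaked table could be attacked at SHA-512 speed.
 * The login path must check this column with password_verify().
 *
 * @see http://php.net/manual/en/function.password-hash.php
 */
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);
if (!is_string($hashedPassword)) {
    error_log('register.php: password_hash() failed');
    $abort('Sorry, the registration could not be completed right now. Please try again later.');
}

/**
 * Insert the account.
 *
 * mysqli_stmt_bind_param() takes its values by reference, so the timestamp
 * and session ID go through variables; the previous call passed time() and
 * session_id() directly and declared four types ("sssi") for five values,
 * so binding could not succeed. Types: username s, password s, email s,
 * registered i, sessionID s (session_id() returns a string — confirm the
 * column type matches).
 *
 * @see http://php.net/manual/en/mysqli-stmt.bind-param.php
 * @see http://php.net/manual/en/function.time.php
 */
$registeredAt = time();
$sessionId = session_id();
$statement = mysqli_prepare($sqlConnection, "INSERT INTO `accounts` (`username`, `password`, `email`, `registered`, `sessionID`) VALUES (?, ?, ?, ?, ?)");
if ($statement === false
    || !mysqli_stmt_bind_param($statement, "sssis", $formDATA['username'], $hashedPassword, $formDATA['email'], $registeredAt, $sessionId)) {
    $abortOnSqlError($sqlConnection);
}
/**
 * Execute the query and register the new account.
 * @see http://php.net/manual/en/mysqli-stmt.execute.php
 */
if (!mysqli_stmt_execute($statement)) {
    $abortOnSqlError($sqlConnection);
}
mysqli_stmt_close($statement);

/* Print a sucess message for account registration. The username is request
   data and is escaped before being echoed back into the page. */
echo '<label class = "message" id = "success">Congratulations, the account ' . $escape($formDATA['username']) . ' was sucessfully registered.</label>';
?>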