  1. <?php
  2. /* Require settings for the server. */
  3. require_once('settings.php');
  4.  
  5. /* Require a MySQLi Connection. */
  6. require_once('mySQLiConnection.php');
  7.  
  8. /* Set a SHA-512 session ID for the user's session. */
  9. session_id(hash_hmac('sha512', time(), AUTH_KEY));
  10.  
  11. /* All visitors on the site shall have a session.
  12. If logged in; add information to the session. */
  13. session_start();
  14.  
  15. /* Require the HTML DOM-Tree. */
  16. require_once('html.php');
  17.  
  18. $action = 'index';
  19.  
  20. if (isset($_REQUEST['action'])) {
  21. $action = trim($_REQUEST['action']);
  22. }
  23.  
  24. if ($action == 'register') {
  25. require 'register.php';
  26. }
  27. ?>
  28.  
  29. <?php
  30. /* Create a SHA-512 hash to give the registration form an a hidden
  31. input field to validate the form coming trough from CSRF.
  32. @see http://php.net/manual/en/function.hash-hmac.php */
  33. $_SESSION['formToken'] = hash_hmac('sha512', time(), AUTH_KEY);
  34. ?>
  35.  
  36. <!DOCTYPE html>
  37. <html>
  38. <head>
  39. <title>
  40. Account Management
  41. </title>
  42. </head>
  43.  
  44. <body>
  45. <h1>
  46. Register an account
  47. </h1>
  48.  
  49. <form action = "?action=register" method = "POST">
  50. <input type = "hidden" name = "<?php echo 'token'; ?>" value = "<?php echo $_SESSION['formToken']; ?>"/>
  51.  
  52. <table>
  53. <tr>
  54. <td>
  55. <label>
  56. Username:
  57. </label>
  58. </td>
  59.  
  60. <td>
  61. <input name = "username" type = "text"/>
  62. </td>
  63. </tr>
  64.  
  65. <tr>
  66. <td>
  67. <label>
  68. Password:
  69. </label>
  70. </td>
  71.  
  72. <td>
  73. <input name = "password01" type = "password"/>
  74. </td>
  75. </tr>
  76.  
  77. <tr>
  78. <td>
  79. <label>
  80. Confirm Password:
  81. </label>
  82. </td>
  83.  
  84. <td>
  85. <input name = "password02" type = "password"/>
  86. </td>
  87. </tr>
  88.  
  89. <tr>
  90. <td>
  91. <label>
  92. E-mail:
  93. </label>
  94. </td>
  95.  
  96. <td>
  97. <input name = "email" type = "text"/>
  98. </td>
  99. </tr>
  100.  
  101. <tr>
  102. <td colspan = "2">
  103. <input type = "submit" value = "Register"/>
  104. </td>
  105. </tr>
  106. </table>
  107. </form>
  108. </body>
  109. </html>
  110.  
  111. <?php
  112. /**
  113. * Create an array of whitelisted form-fields to prevent external posting.
  114. */
  115. $whitelist = array('token', 'username', 'password01', 'password02', 'email');
  116.  
  117. /**
  118. * Final array containing the whitelisted information wanted.
  119. */
  120. $formDATA = array();
  121.  
  122. /* Extract those entries in $_POST which match elements in whitelist. */
  123. foreach ($whitelist as $key) {
  124. /* If the entry is not empty... */
  125. if ($_POST[$key] != '') {
  126. //Transferr the entry to the final array.
  127. $formDATA[$key] = $_POST[$key];
  128. } else {
  129. die('<label class = "message" id = "error">One or more of the credential fields are missing content.</label>');
  130. }
  131. }
  132.  
  133. /* For troubleshooting - These two end up completely different! */
  134. var_dump($formDATA['token']);
  135. var_dump($_SESSION['formToken']);
  136.  
  137. /* If the form token from the form's hidden input field does not match a token stored as a session variable,
  138. it's likely that somebody are preforming CSRF where they don't get the token from the server. */
  139. if ($formDATA['token'] != $_SESSION['formToken']) {
  140. die('<label class = "message" id = "error">The form that the data is being submitted from seems not to come from our official site.<br>Please make sure you are using our form from ' . $_SERVER['HTTP_HOST'] . '</label>');
  141. }
  142.  
  143. /* If the provided username is greater than 20 characters long... */
  144. if (strlen($formDATA['username']) >= 21) {
  145. die('<label class = "message" id = "error">Sorry, your account username needs to be 20 characters or less.</label>');
  146. }
  147.  
  148. /* If the provided password is not more or equal to 8 characters,
  149. OR not equal or less than 20 characters long. (Between 8 and 20 characters)... */
  150. if (strlen($formDATA['password01']) <= 7 || strlen($formDATA['password01']) >= 21) {
  151. die('<label class = "message" id = "error">Sorry, your password needs to be between 8 to 20 characters and contain at least; one capital letter, one special character and one number.</label>');
  152. }
  153.  
  154. /**
  155. * Prepare a statement to be queried to the database
  156. * which checks if there is allready a similar account.
  157. *
  158. * @see http://php.net/manual/en/mysqli.prepare.php
  159. */
  160. $statement = mysqli_prepare($sqlConnection, "SELECT username FROM `accounts` WHERE `username` = ?");
  161.  
  162. /*
  163. * Bind parameters to the prepared statement's placeholders.
  164. * @see http://php.net/manual/en/mysqli-stmt.bind-param.php
  165. */
  166. if (!mysqli_stmt_bind_param($statement, "s", $formDATA['username'])) {
  167. die('<label class = "message" id = "error">MySQLi error ' . mysqli_errno($sqlConnection) . ': ' . mysqli_error($sqlConnection) . '</label>');
  168. }
  169.  
  170. /* If MySQLi fails to execute the prepared statement... */
  171. if (!mysqli_stmt_execute($statement)) {
  172. die('<label class = "message" id = "error">MySQLi error ' . mysqli_errno($sqlConnection) . ': ' . mysqli_error($sqlConnection) . '</label>');
  173. }
  174.  
  175. /* If the SQL query found another similar account in the database... */
  176. if (mysqli_stmt_fetch($statement) == true) {
  177. die('<label class = "message" id = "error">An account with a similar username allready exists.</label>');
  178. }
  179.  
  180. /* Server-sided check if the two passwords provided do not match... */
  181. if ($formDATA['password01'] !== $formDATA['password02']) {
  182. die('<label class = "message" id = "error">The two passwords do not match.</label>');
  183. }
  184.  
  185. /**
  186. * Add the NONCE key to the provided password and hash it
  187. * with the site key using SHA-512 to increase security.
  188. *
  189. * @see http://php.net/manual/en/function.hash-hmac.php
  190. */
  191. $hashedPassword = hash_hmac('sha512', $formDATA['password01'] . NONCE_KEY, SITE_KEY);
  192.  
  193. /**
  194. * Prepare a statement to be queried to the database
  195. * which instert the account into the database.
  196. * @see http://php.net/manual/en/mysqli.prepare.php
  197. */
  198. $statement = mysqli_prepare($sqlConnection, "INSERT INTO `accounts` (`username`, `password`, `email`, `registered`, `sessionID`) VALUES (?, ?, ?, ?, ?)");
  199.  
  200. /**
  201. * Bind parameters to the prepared statement's placeholders.
  202. * @see http://php.net/manual/en/mysqli-stmt.bind-param.php
  203. * http://php.net/manual/en/function.time.php
  204. */
  205. if (!mysqli_stmt_bind_param($statement, "sssi", $formDATA['username'], $hashedPassword, $formDATA['email'], time(), session_id())) {
  206. die('<label class = "message" id = "error">MySQLi error ' . mysqli_errno($sqlConnection) . ': ' . mysqli_error($sqlConnection) . '</label>');
  207. }
  208.  
  209. /**
  210. * Execute the query and register the new account.
  211. * @see http://php.net/manual/en/mysqli-stmt.execute.php
  212. */
  213. if (!mysqli_stmt_execute($statement)) {
  214. die('<label class = "message" id = "error">MySQLi error ' . mysqli_errno($sqlConnection) . ': ' . mysqli_error($sqlConnection) . '</label>');
  215. }
  216.  
  217. /* Print a sucess message for account registration. */
  218. echo '<label class = "message" id = "success">Congratulations, the account ' . $formDATA['username'] . ' was sucessfully registered.</label>';
  219. ?>