  1. <?PHP
  2. /*
  3. Registration/Login script from HTML Form Guide
  4. V1.0
  5.  
  6. This program is free software published under the
  7. terms of the GNU Lesser General Public License.
  8. http://www.gnu.org/copyleft/lesser.html
  9.  
  10.  
  11. This program is distributed in the hope that it will
  12. be useful - WITHOUT ANY WARRANTY; without even the
  13. implied warranty of MERCHANTABILITY or FITNESS FOR A
  14. PARTICULAR PURPOSE.
  15.  
  16. For updates, please visit:
  17. http://www.html-form-guide.com/php-form/php-registration-form.html
  18. http://www.html-form-guide.com/php-form/php-login-form.html
  19.  
  20. */
  21. require_once("class.phpmailer.php");
  22. require_once("formvalidator.php");
  23.  
  24. class FGMembersite
  25. {
  26. var $admin_email;
  27. var $from_address;
  28.  
  29. var $username;
  30. var $pwd;
  31. var $database;
  32. var $tablename;
  33. var $connection;
  34. var $rand_key;
  35.  
  36. var $error_message;
  37.  
  38. //-----Initialization -------
  39. function FGMembersite()
  40. {
  41. $this->sitename = 'YourWebsiteName.com';
  42. $this->rand_key = '0iQx5oBk66oVZep';
  43. }
  44.  
  45. function InitDB($host,$uname,$pwd,$database,$tablename)
  46. {
  47. $this->db_host = $host;
  48. $this->username = $uname;
  49. $this->pwd = $pwd;
  50. $this->database = $database;
  51. $this->tablename = $tablename;
  52.  
  53. }
  54. function SetAdminEmail($email)
  55. {
  56. $this->admin_email = $email;
  57. }
  58.  
  59. function SetWebsiteName($sitename)
  60. {
  61. $this->sitename = $sitename;
  62. }
  63.  
  64. function SetRandomKey($key)
  65. {
  66. $this->rand_key = $key;
  67. }
  68.  
  69. //-------Main Operations ----------------------
  70. function RegisterUser()
  71. {
  72. if(!isset($_POST['submitted']))
  73. {
  74. return false;
  75. }
  76.  
  77. $formvars = array();
  78.  
  79. if(!$this->ValidateRegistrationSubmission())
  80. {
  81. return false;
  82. }
  83.  
  84. $this->CollectRegistrationSubmission($formvars);
  85.  
  86. if(!$this->SaveToDatabase($formvars))
  87. {
  88. return false;
  89. }
  90.  
  91. if(!$this->SendUserConfirmationEmail($formvars))
  92. {
  93. return false;
  94. }
  95.  
  96. $this->SendAdminIntimationEmail($formvars);
  97.  
  98. return true;
  99. }
  100.  
  101. function ConfirmUser()
  102. {
  103. if(empty($_GET['code'])||strlen($_GET['code'])<=10)
  104. {
  105. $this->HandleError("Please provide the confirm code");
  106. return false;
  107. }
  108. $user_rec = array();
  109. if(!$this->UpdateDBRecForConfirmation($user_rec))
  110. {
  111. return false;
  112. }
  113.  
  114. $this->SendUserWelcomeEmail($user_rec);
  115.  
  116. $this->SendAdminIntimationOnRegComplete($user_rec);
  117.  
  118. return true;
  119. }
  120.  
  121. function Login()
  122. {
  123. if(empty($_POST['username']))
  124. {
  125. $this->HandleError("UserName is empty!");
  126. return false;
  127. }
  128.  
  129. if(empty($_POST['password']))
  130. {
  131. $this->HandleError("Password is empty!");
  132. return false;
  133. }
  134.  
  135. $username = trim($_POST['username']);
  136. $password = trim($_POST['password']);
  137.  
  138. if(!isset($_SESSION)){ session_start(); }
  139. if(!$this->CheckLoginInDB($username,$password))
  140. {
  141. return false;
  142. }
  143.  
  144. $_SESSION[$this->GetLoginSessionVar()] = $username;
  145.  
  146. return true;
  147. }
  148.  
  149. function CheckLogin()
  150. {
  151. if(!isset($_SESSION)){ session_start(); }
  152.  
  153. $sessionvar = $this->GetLoginSessionVar();
  154.  
  155. if(empty($_SESSION[$sessionvar]))
  156. {
  157. return false;
  158. }
  159. return true;
  160. }
  161.  
  162. function UserFullName()
  163. {
  164. return isset($_SESSION['name_of_user'])?$_SESSION['name_of_user']:'';
  165. }
  166.  
  167. function UserEmail()
  168. {
  169. return isset($_SESSION['email_of_user'])?$_SESSION['email_of_user']:'';
  170. }
  171.  
  172. function LogOut()
  173. {
  174. session_start();
  175.  
  176. $sessionvar = $this->GetLoginSessionVar();
  177.  
  178. $_SESSION[$sessionvar]=NULL;
  179.  
  180. unset($_SESSION[$sessionvar]);
  181. }
  182.  
  183. function EmailResetPasswordLink()
  184. {
  185. if(empty($_POST['email']))
  186. {
  187. $this->HandleError("Email is empty!");
  188. return false;
  189. }
  190. $user_rec = array();
  191. if(false === $this->GetUserFromEmail($_POST['email'], $user_rec))
  192. {
  193. return false;
  194. }
  195. if(false === $this->SendResetPasswordLink($user_rec))
  196. {
  197. return false;
  198. }
  199. return true;
  200. }
  201.  
  202. function ResetPassword()
  203. {
  204. if(empty($_GET['email']))
  205. {
  206. $this->HandleError("Email is empty!");
  207. return false;
  208. }
  209. if(empty($_GET['code']))
  210. {
  211. $this->HandleError("reset code is empty!");
  212. return false;
  213. }
  214. $email = trim($_GET['email']);
  215. $code = trim($_GET['code']);
  216.  
  217. if($this->GetResetPasswordCode($email) != $code)
  218. {
  219. $this->HandleError("Bad reset code!");
  220. return false;
  221. }
  222.  
  223. $user_rec = array();
  224. if(!$this->GetUserFromEmail($email,$user_rec))
  225. {
  226. return false;
  227. }
  228.  
  229. $new_password = $this->ResetUserPasswordInDB($user_rec);
  230. if(false === $new_password || empty($new_password))
  231. {
  232. $this->HandleError("Error updating new password");
  233. return false;
  234. }
  235.  
  236. if(false == $this->SendNewPassword($user_rec,$new_password))
  237. {
  238. $this->HandleError("Error sending new password");
  239. return false;
  240. }
  241. return true;
  242. }
  243.  
  244. function ChangePassword()
  245. {
  246. if(!$this->CheckLogin())
  247. {
  248. $this->HandleError("Not logged in!");
  249. return false;
  250. }
  251.  
  252. if(empty($_POST['oldpwd']))
  253. {
  254. $this->HandleError("Old password is empty!");
  255. return false;
  256. }
  257. if(empty($_POST['newpwd']))
  258. {
  259. $this->HandleError("New password is empty!");
  260. return false;
  261. }
  262.  
  263. $user_rec = array();
  264. if(!$this->GetUserFromEmail($this->UserEmail(),$user_rec))
  265. {
  266. return false;
  267. }
  268.  
  269. $pwd = trim($_POST['oldpwd']);
  270.  
  271. if($user_rec['password'] != md5($pwd))
  272. {
  273. $this->HandleError("The old password does not match!");
  274. return false;
  275. }
  276. $newpwd = trim($_POST['newpwd']);
  277.  
  278. if(!$this->ChangePasswordInDB($user_rec, $newpwd))
  279. {
  280. return false;
  281. }
  282. return true;
  283. }
  284.  
  285. //-------Public Helper functions -------------
  286. function GetSelfScript()
  287. {
  288. return htmlentities($_SERVER['PHP_SELF']);
  289. }
  290.  
  291. function SafeDisplay($value_name)
  292. {
  293. if(empty($_POST[$value_name]))
  294. {
  295. return'';
  296. }
  297. return htmlentities($_POST[$value_name]);
  298. }
  299.  
  300. function RedirectToURL($url)
  301. {
  302. header("Location: $url");
  303. exit;
  304. }
  305.  
  306. function GetSpamTrapInputName()
  307. {
  308. return 'sp'.md5('KHGdnbvsgst'.$this->rand_key);
  309. }
  310.  
  311. function GetErrorMessage()
  312. {
  313. if(empty($this->error_message))
  314. {
  315. return '';
  316. }
  317. $errormsg = nl2br(htmlentities($this->error_message));
  318. return $errormsg;
  319. }
  320. //-------Private Helper functions-----------
  321.  
  322. function HandleError($err)
  323. {
  324. $this->error_message .= $err."\r\n";
  325. }
  326.  
  327. function HandleDBError($err)
  328. {
  329. $this->HandleError($err."\r\n mysqlerror:".mysql_error());
  330. }
  331.  
  332. function GetFromAddress()
  333. {
  334. if(!empty($this->from_address))
  335. {
  336. return $this->from_address;
  337. }
  338.  
  339. $host = $_SERVER['SERVER_NAME'];
  340.  
  341. $from ="nobody@$host";
  342. return $from;
  343. }
  344.  
  345. function GetLoginSessionVar()
  346. {
  347. $retvar = md5($this->rand_key);
  348. $retvar = 'usr_'.substr($retvar,0,10);
  349. return $retvar;
  350. }
  351.  
  352. function CheckLoginInDB($username,$password)
  353. {
  354. if(!$this->DBLogin())
  355. {
  356. $this->HandleError("Database login failed!");
  357. return false;
  358. }
  359. $username = $this->SanitizeForSQL($username);
  360. $pwdmd5 = md5($password);
  361. $qry = "Select name, email from $this->tablename where username='$username' and password='$pwdmd5' and confirmcode='y'";
  362.  
  363. $result = mysql_query($qry,$this->connection);
  364.  
  365. if(!$result || mysql_num_rows($result) <= 0)
  366. {
  367. $this->HandleError("Error logging in. The username or password does not match");
  368. return false;
  369. }
  370.  
  371. $row = mysql_fetch_assoc($result);
  372.  
  373.  
  374. $_SESSION['name_of_user'] = $row['name'];
  375. $_SESSION['email_of_user'] = $row['email'];
  376.  
  377. return true;
  378. }
  379.  
  380. function UpdateDBRecForConfirmation(&$user_rec)
  381. {
  382. if(!$this->DBLogin())
  383. {
  384. $this->HandleError("Database login failed!");
  385. return false;
  386. }
  387. $confirmcode = $this->SanitizeForSQL($_GET['code']);
  388.  
  389. $result = mysql_query("Select name, email from $this->tablename where confirmcode='$confirmcode'",$this->connection);
  390. if(!$result || mysql_num_rows($result) <= 0)
  391. {
  392. $this->HandleError("Wrong confirm code.");
  393. return false;
  394. }
  395. $row = mysql_fetch_assoc($result);
  396. $user_rec['name'] = $row['name'];
  397. $user_rec['email']= $row['email'];
  398.  
  399. $qry = "Update $this->tablename Set confirmcode='y' Where confirmcode='$confirmcode'";
  400.  
  401. if(!mysql_query( $qry ,$this->connection))
  402. {
  403. $this->HandleDBError("Error inserting data to the table\nquery:$qry");
  404. return false;
  405. }
  406. return true;
  407. }
  408.  
  409. function ResetUserPasswordInDB($user_rec)
  410. {
  411. $new_password = substr(md5(uniqid()),0,10);
  412.  
  413. if(false == $this->ChangePasswordInDB($user_rec,$new_password))
  414. {
  415. return false;
  416. }
  417. return $new_password;
  418. }
  419.  
  420. function ChangePasswordInDB($user_rec, $newpwd)
  421. {
  422. $newpwd = $this->SanitizeForSQL($newpwd);
  423.  
  424. $qry = "Update $this->tablename Set password='".md5($newpwd)."' Where id_user=".$user_rec['id_user']."";
  425.  
  426. if(!mysql_query( $qry ,$this->connection))
  427. {
  428. $this->HandleDBError("Error updating the password \nquery:$qry");
  429. return false;
  430. }
  431. return true;
  432. }
  433.  
  434. function GetUserFromEmail($email,&$user_rec)
  435. {
  436. if(!$this->DBLogin())
  437. {
  438. $this->HandleError("Database login failed!");
  439. return false;
  440. }
  441. $email = $this->SanitizeForSQL($email);
  442.  
  443. $result = mysql_query("Select * from $this->tablename where email='$email'",$this->connection);
  444.  
  445. if(!$result || mysql_num_rows($result) <= 0)
  446. {
  447. $this->HandleError("There is no user with email: $email");
  448. return false;
  449. }
  450. $user_rec = mysql_fetch_assoc($result);
  451.  
  452.  
  453. return true;
  454. }
  455.  
  456. function SendUserWelcomeEmail(&$user_rec)
  457. {
  458. $mailer = new PHPMailer();
  459.  
  460. $mailer->CharSet = 'utf-8';
  461.  
  462. $mailer->AddAddress($user_rec['email'],$user_rec['name']);
  463.  
  464. $mailer->Subject = "Welcome to ".$this->sitename;
  465.  
  466. $mailer->From = $this->GetFromAddress();
  467.  
  468. $mailer->Body ="Hello ".$user_rec['name']."\r\n\r\n".
  469. "Welcome! Your registration with ".$this->sitename." is completed.\r\n".
  470. "\r\n".
  471. "Regards,\r\n".
  472. "Webmaster\r\n".
  473. $this->sitename;
  474.  
  475. if(!$mailer->Send())
  476. {
  477. $this->HandleError("Failed sending user welcome email.");
  478. return false;
  479. }
  480. return true;
  481. }
  482.  
  483. function SendAdminIntimationOnRegComplete(&$user_rec)
  484. {
  485. if(empty($this->admin_email))
  486. {
  487. return false;
  488. }
  489. $mailer = new PHPMailer();
  490.  
  491. $mailer->CharSet = 'utf-8';
  492.  
  493. $mailer->AddAddress($this->admin_email);
  494.  
  495. $mailer->Subject = "Registration Completed: ".$user_rec['name'];
  496.  
  497. $mailer->From = $this->GetFromAddress();
  498.  
  499. $mailer->Body ="A new user registered at ".$this->sitename."\r\n".
  500. "Name: ".$user_rec['name']."\r\n".
  501. "Email address: ".$user_rec['email']."\r\n";
  502.  
  503. if(!$mailer->Send())
  504. {
  505. return false;
  506. }
  507. return true;
  508. }
  509.  
  510. function GetResetPasswordCode($email)
  511. {
  512. return substr(md5($email.$this->sitename.$this->rand_key),0,10);
  513. }
  514.  
  515. function SendResetPasswordLink($user_rec)
  516. {
  517. $email = $user_rec['email'];
  518.  
  519. $mailer = new PHPMailer();
  520.  
  521. $mailer->CharSet = 'utf-8';
  522.  
  523. $mailer->AddAddress($email,$user_rec['name']);
  524.  
  525. $mailer->Subject = "Your reset password request at ".$this->sitename;
  526.  
  527. $mailer->From = $this->GetFromAddress();
  528.  
  529. $link = $this->GetAbsoluteURLFolder().
  530. '/resetpwd.php?email='.
  531. urlencode($email).'&code='.
  532. urlencode($this->GetResetPasswordCode($email));
  533.  
  534. $mailer->Body ="Hello ".$user_rec['name']."\r\n\r\n".
  535. "There was a request to reset your password at ".$this->sitename."\r\n".
  536. "Please click the link below to complete the request: \r\n".$link."\r\n".
  537. "Regards,\r\n".
  538. "Webmaster\r\n".
  539. $this->sitename;
  540.  
  541. if(!$mailer->Send())
  542. {
  543. return false;
  544. }
  545. return true;
  546. }
  547.  
  548. function SendNewPassword($user_rec, $new_password)
  549. {
  550. $email = $user_rec['email'];
  551.  
  552. $mailer = new PHPMailer();
  553.  
  554. $mailer->CharSet = 'utf-8';
  555.  
  556. $mailer->AddAddress($email,$user_rec['name']);
  557.  
  558. $mailer->Subject = "Your new password for ".$this->sitename;
  559.  
  560. $mailer->From = $this->GetFromAddress();
  561.  
  562. $mailer->Body ="Hello ".$user_rec['name']."\r\n\r\n".
  563. "Your password is reset successfully. ".
  564. "Here is your updated login:\r\n".
  565. "username:".$user_rec['username']."\r\n".
  566. "password:$new_password\r\n".
  567. "\r\n".
  568. "Login here: ".$this->GetAbsoluteURLFolder()."/login.php\r\n".
  569. "\r\n".
  570. "Regards,\r\n".
  571. "Webmaster\r\n".
  572. $this->sitename;
  573.  
  574. if(!$mailer->Send())
  575. {
  576. return false;
  577. }
  578. return true;
  579. }
  580.  
  581. function ValidateRegistrationSubmission()
  582. {
  583. //This is a hidden input field. Humans won't fill this field.
  584. if(!empty($_POST[$this->GetSpamTrapInputName()]) )
  585. {
  586. //The proper error is not given intentionally
  587. $this->HandleError("Automated submission prevention: case 2 failed");
  588. return false;
  589. }
  590.  
  591. $validator = new FormValidator();
  592. $validator->addValidation("name","req","Please fill in Name");
  593. $validator->addValidation("email","email","The input for Email should be a valid email value");
  594. $validator->addValidation("email","req","Please fill in Email");
  595. $validator->addValidation("username","req","Please fill in UserName");
  596. $validator->addValidation("password","req","Please fill in Password");
  597.  
  598.  
  599. if(!$validator->ValidateForm())
  600. {
  601. $error='';
  602. $error_hash = $validator->GetErrors();
  603. foreach($error_hash as $inpname => $inp_err)
  604. {
  605. $error .= $inpname.':'.$inp_err."\n";
  606. }
  607. $this->HandleError($error);
  608. return false;
  609. }
  610. return true;
  611. }
  612.  
  613. function CollectRegistrationSubmission(&$formvars)
  614. {
  615. $formvars['name'] = $this->Sanitize($_POST['name']);
  616. $formvars['email'] = $this->Sanitize($_POST['email']);
  617. $formvars['username'] = $this->Sanitize($_POST['username']);
  618. $formvars['password'] = $this->Sanitize($_POST['password']);
  619. }
  620.  
  621. function SendUserConfirmationEmail(&$formvars)
  622. {
  623. $mailer = new PHPMailer();
  624.  
  625. $mailer->CharSet = 'utf-8';
  626.  
  627. $mailer->AddAddress($formvars['email'],$formvars['name']);
  628.  
  629. $mailer->Subject = "Your registration with ".$this->sitename;
  630.  
  631. $mailer->From = $this->GetFromAddress();
  632.  
  633. $confirmcode = $formvars['confirmcode'];
  634.  
  635. $confirm_url = $this->GetAbsoluteURLFolder().'/confirmreg.php?code='.$confirmcode;
  636.  
  637. $mailer->Body ="Hello ".$formvars['name']."\r\n\r\n".
  638. "Thanks for your registration with ".$this->sitename."\r\n".
  639. "Please click the link below to confirm your registration.\r\n".
  640. "$confirm_url\r\n".
  641. "\r\n".
  642. "Regards,\r\n".
  643. "Webmaster\r\n".
  644. $this->sitename;
  645.  
  646. if(!$mailer->Send())
  647. {
  648. $this->HandleError("Failed sending registration confirmation email.");
  649. return false;
  650. }
  651. return true;
  652. }
  653. function GetAbsoluteURLFolder()
  654. {
  655. $scriptFolder = (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) ? 'https://' : 'http://';
  656. $scriptFolder .= $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
  657. return $scriptFolder;
  658. }
  659.  
  660. function SendAdminIntimationEmail(&$formvars)
  661. {
  662. if(empty($this->admin_email))
  663. {
  664. return false;
  665. }
  666. $mailer = new PHPMailer();
  667.  
  668. $mailer->CharSet = 'utf-8';
  669.  
  670. $mailer->AddAddress($this->admin_email);
  671.  
  672. $mailer->Subject = "New registration: ".$formvars['name'];
  673.  
  674. $mailer->From = $this->GetFromAddress();
  675.  
  676. $mailer->Body ="A new user registered at ".$this->sitename."\r\n".
  677. "Name: ".$formvars['name']."\r\n".
  678. "Email address: ".$formvars['email']."\r\n".
  679. "UserName: ".$formvars['username'];
  680.  
  681. if(!$mailer->Send())
  682. {
  683. return false;
  684. }
  685. return true;
  686. }
  687.  
  688. function SaveToDatabase(&$formvars)
  689. {
  690. if(!$this->DBLogin())
  691. {
  692. $this->HandleError("Database login failed!");
  693. return false;
  694. }
  695. if(!$this->Ensuretable())
  696. {
  697. return false;
  698. }
  699. if(!$this->IsFieldUnique($formvars,'email'))
  700. {
  701. $this->HandleError("This email is already registered");
  702. return false;
  703. }
  704.  
  705. if(!$this->IsFieldUnique($formvars,'username'))
  706. {
  707. $this->HandleError("This UserName is already used. Please try another username");
  708. return false;
  709. }
  710. if(!$this->InsertIntoDB($formvars))
  711. {
  712. $this->HandleError("Inserting to Database failed!");
  713. return false;
  714. }
  715. return true;
  716. }
  717.  
  718. function IsFieldUnique($formvars,$fieldname)
  719. {
  720. $field_val = $this->SanitizeForSQL($formvars[$fieldname]);
  721. $qry = "select username from $this->tablename where $fieldname='".$field_val."'";
  722. $result = mysql_query($qry,$this->connection);
  723. if($result && mysql_num_rows($result) > 0)
  724. {
  725. return false;
  726. }
  727. return true;
  728. }
  729.  
  730. function DBLogin()
  731. {
  732.  
  733. $this->connection = mysql_connect($this->localhost,$this->username,$this->pwd);
  734.  
  735. if(!$this->connection)
  736. {
  737. $this->HandleDBError("Database Login failed! Please make sure that the DB login credentials provided are correct");
  738. return false;
  739. }
  740. if(!mysql_select_db($this->database, $this->connection))
  741. {
  742. $this->HandleDBError('Failed to select database: '.$this->database.' Please make sure that the database name provided is correct');
  743. return false;
  744. }
  745. if(!mysql_query("SET NAMES 'UTF8'",$this->connection))
  746. {
  747. $this->HandleDBError('Error setting utf8 encoding');
  748. return false;
  749. }
  750. return true;
  751. }
  752.  
  753. function Ensuretable()
  754. {
  755. $result = mysql_query("SHOW COLUMNS FROM $this->tablename");
  756. if(!$result || mysql_num_rows($result) <= 0)
  757. {
  758. return $this->CreateTable();
  759. }
  760. return true;
  761. }
  762.  
  763. function CreateTable()
  764. {
  765. $qry = "Create Table $this->tablename (".
  766. "id_user INT NOT NULL AUTO_INCREMENT ,".
  767. "name VARCHAR( 128 ) NOT NULL ,".
  768. "email VARCHAR( 64 ) NOT NULL ,".
  769. "phone_number VARCHAR( 16 ) NOT NULL ,".
  770. "username VARCHAR( 16 ) NOT NULL ,".
  771. "password VARCHAR( 32 ) NOT NULL ,".
  772. "confirmcode VARCHAR(32) ,".
  773. "PRIMARY KEY ( id_user )".
  774. ")";
  775.  
  776. if(!mysql_query($qry,$this->connection))
  777. {
  778. $this->HandleDBError("Error creating the table \nquery was\n $qry");
  779. return false;
  780. }
  781. return true;
  782. }
  783.  
  784. function InsertIntoDB(&$formvars)
  785. {
  786.  
  787. $confirmcode = $this->MakeConfirmationMd5($formvars['email']);
  788.  
  789. $formvars['confirmcode'] = $confirmcode;
  790.  
  791. $insert_query = 'insert into '.$this->tablename.'(
  792. name,
  793. email,
  794. username,
  795. password,
  796. confirmcode
  797. )
  798. values
  799. (
  800. "' . $this->SanitizeForSQL($formvars['name']) . '",
  801. "' . $this->SanitizeForSQL($formvars['email']) . '",
  802. "' . $this->SanitizeForSQL($formvars['username']) . '",
  803. "' . md5($formvars['password']) . '",
  804. "' . $confirmcode . '"
  805. )';
  806. if(!mysql_query( $insert_query ,$this->connection))
  807. {
  808. $this->HandleDBError("Error inserting data to the table\nquery:$insert_query");
  809. return false;
  810. }
  811. return true;
  812. }
  813. function MakeConfirmationMd5($email)
  814. {
  815. $randno1 = rand();
  816. $randno2 = rand();
  817. return md5($email.$this->rand_key.$randno1.''.$randno2);
  818. }
  819. function SanitizeForSQL($str)
  820. {
  821. if( function_exists( "mysql_real_escape_string" ) )
  822. {
  823. $ret_str = mysql_real_escape_string( $str );
  824. }
  825. else
  826. {
  827. $ret_str = addslashes( $str );
  828. }
  829. return $ret_str;
  830. }
  831.  
  832. /*
  833. Sanitize() function removes any potential threat from the
  834. data submitted. Prevents email injections or any other hacker attempts.
  835. if $remove_nl is true, newline chracters are removed from the input.
  836. */
  837. function Sanitize($str,$remove_nl=true)
  838. {
  839. $str = $this->StripSlashes($str);
  840.  
  841. if($remove_nl)
  842. {
  843. $injections = array('/(\n+)/i',
  844. '/(\r+)/i',
  845. '/(\t+)/i',
  846. '/(%0A+)/i',
  847. '/(%0D+)/i',
  848. '/(%08+)/i',
  849. '/(%09+)/i'
  850. );
  851. $str = preg_replace($injections,'',$str);
  852. }
  853.  
  854. return $str;
  855. }
  856. function StripSlashes($str)
  857. {
  858. if(get_magic_quotes_gpc())
  859. {
  860. $str = stripslashes($str);
  861. }
  862. return $str;
  863. }
  864. }
  865. ?>