Closed 7 years ago.
The below code is all in one file named 'useraccount.php' on my website. As it currently exists, this page has a form for the logged-in administrator to add a new user account, as well as a table below that displays existing accounts already in the database. I want to add a 'delete' button for each existing account, and have tried various ways of incorporating this, but have yet to find a solution that works. If anyone can share some expertise with me I would greatly appreciate it. I need to know how to set up the button to carry over the database row number variable so that the PHP can recognize which row to delete, as well as where and how to safely execute the delete query in the PHP. Notes are within the code that show my partial attempt.
Current PHP Code
<?php
require("connect.php");
if(empty($_SESSION['user']) || empty($_SESSION['adminaccess']))
{
header("Location: login.php");
die("Redirecting to login.php");
}
//BEGIN DATA FETCHING TO DISPLAY CURRENT USERS
$query = "
SELECT
id,
username,
display_name,
email,
admin
FROM users
";
try
{
$stmt = $db->prepare($query);
$stmt->execute();
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$rows = $stmt->fetchAll();
//END DATA FETCHING TO DISPLAY CURRENT USERS
//BEGIN USER DELETE FUNCTION
//IM NOT SURE HOW TO SET THIS UP, OR IF IT'S EVEN IN THE RIGHT PLACE
$id = isset($_POST['id'])?intval($_POST['id']):0;
if($id>0) { $query = "DELETE FROM users WHERE id = '$id'";
}
//END USER DELETE FUNCTION
//BEGIN FOR ADD NEW USER
if(!empty($_POST))
{
if(empty($_POST['username']))
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "Please enter a username.";
}
if(empty($_POST['password']))
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "Please enter a password.";
}
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "Invalid E-Mail Address";
}
$query = "
SELECT
1
FROM users
WHERE
username = :username
";
$query_params = array(
':username' => $_POST['username']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "This username is already in use";
}
$query = "
SELECT
1
FROM users
WHERE
email = :email
";
$query_params = array(
':email' => $_POST['email']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "This email address is already registered";
}
$query = "
INSERT INTO users (
username,
display_name,
password,
salt,
email,
admin
) VALUES (
:username,
:display_name,
:password,
:salt,
:email,
:admin
)
";
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query_params = array(
':username' => $_POST['username'],
':display_name' => $_POST['display_name'],
':password' => $password,
':salt' => $salt,
':email' => $_POST['email'],
':admin' => $_POST['admin']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
header("Location: useraccounts.php");
die("Redirecting to useraccounts.php");
}
?>
Table that Displays 'Add New Account' Form
<h3>Add an Account</h3>
<form action="useraccounts.php" method="post">
<p class="label">Username:</p>
<input class="text" type="text" name="username" value="" />
<p class="label">Display Name(s):</p>
<input class="text" type="text" name="display_name" value="" />
<p class="label">E-Mail:</p>
<input class="text" type="text" name="email" value="" />
<p class="label">Password:</p>
<input class="text" type="password" name="password" value="" />
<p class="label">Admin Account?</p>
<input type="radio" id="r1" name="admin" value="0" checked="checked" /><label for="r1"><span></span>No</label>
<input type="radio" id="r2" name="admin" value="1" /><label for="r2"><span></span>Yes</label></br>
<p class="error"><?php echo $error; ?></p>
<button class="contact" type="submit" name="submit">Create Account</button>
</form>
Table that Displays Existing User Account
<h3>Current Accounts List</h3>
<table class="parent-accounts">
<tr>
<th><h4>ID</h4></th>
<th><h4>Username</h4></th>
<th><h4>Display Name(s)</h4></th>
<th><h4>E-Mail Address</h4></th>
<th><h4>Admin</h4></th>
</tr>
<?php foreach($rows as $row): ?>
<tr>
<td><?php echo $row['id']; ?></td>
<td><?php echo htmlentities($row['username'], ENT_QUOTES, 'UTF-8'); ?></td>
<td><?php echo htmlentities($row['display_name'], ENT_QUOTES, 'UTF-8'); ?></td>
<td><?php echo htmlentities($row['email'], ENT_QUOTES, 'UTF-8'); ?></td>
<td><?php echo htmlentities($row['admin'], ENT_QUOTES, 'UTF-8'); ?></td>
<td>
<!-- one form per row, inside the cell (a form wrapping <tr> is invalid HTML); the row id is posted as a hidden field -->
<form action="useraccounts.php" method="post">
<input type="hidden" name="id" value="<?php echo (int)$row['id']; ?>" />
<input type="submit" name="submit" value="Delete User" />
</form>
</td>
</tr>
<?php endforeach; ?>
</table>
'id' is posted by the form, and your Delete User query seems fine. You need to execute the query. And maybe make sure you handle the delete request before fetching the current users.
<?php
require("connect.php");
if(empty($_SESSION['user']) || empty($_SESSION['adminaccess']))
{
header("Location: login.php");
die("Redirecting to login.php");
}
//BEGIN USER DELETE FUNCTION
//IM NOT SURE HOW TO SET THIS UP, OR IF IT'S EVEN IN THE RIGHT PLACE
if(isset($_SESSION['adminaccess'])) //if user has admin privilege
{
$id = isset($_POST['id'])?intval($_POST['id']):0;
if($id>0) //if valid id for deleting is posted
{
$query = 'DELETE FROM users WHERE id = :id'; //bind the id as a parameter instead of concatenating it
echo '<script>alert("Query: '.$query.'");</script>'; //debug line, remove this later
try
{
$stmt = $db->prepare($query);
$stmt->execute(array(':id' => $id));
}
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
}
else
{
echo '<script>alert("Invalid ID: '.$id.'");</script>'; //debug line, remove this later
}
}
else
{
echo '<script>alert("No admin access privilege.");</script>'; //debug line, remove this later
}
//END USER DELETE FUNCTION
//BEGIN DATA FETCHING TO DISPLAY CURRENT USERS
$query = "
SELECT
id,
username,
display_name,
email,
admin
FROM users
";
try
{
$stmt = $db->prepare($query);
$stmt->execute();
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$rows = $stmt->fetchAll();
//END DATA FETCHING TO DISPLAY CURRENT USERS
..........
?>
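The same ordering (handle the delete, then fetch the list) as an added example, not code from the question or the answer above: the delete is accepted only from a POST carrying a per-session CSRF token, the id is bound as an integer parameter, and the administrator cannot remove their own account. It assumes connect.php provides `$db` (PDO with ERRMODE_EXCEPTION) and has started the session, and that `$_SESSION['user']['id']` holds the logged-in admin's id (an assumption; the session keys `user` and `adminaccess` are from the question).

```php
<?php
// Added example, not the question's or the answer's code.
// Assumes connect.php creates $db (PDO, ERRMODE_EXCEPTION) and starts the session,
// and that $_SESSION['user']['id'] is the logged-in admin's user id (assumption).
require("connect.php");

if (empty($_SESSION['user']) || empty($_SESSION['adminaccess'])) {
    header("Location: login.php");
    die("Redirecting to login.php");
}

// One CSRF token per session; every delete form echoes it back.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Returns the number of rows removed (1 or 0). Refuses ids <= 0 and the admin's own id.
function delete_user(PDO $db, $id, $current_admin_id)
{
    if ($id <= 0 || $id === $current_admin_id) {
        return 0;
    }
    $stmt = $db->prepare("DELETE FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT); // bound, never concatenated
    $stmt->execute();
    return $stmt->rowCount();
}

$notice = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'delete') {
    $token = isset($_POST['csrf_token']) ? $_POST['csrf_token'] : '';
    if (!hash_equals($_SESSION['csrf_token'], $token)) { // constant-time comparison
        die("Invalid request token.");
    }
    $id = isset($_POST['id']) ? intval($_POST['id']) : 0;
    try {
        $deleted = delete_user($db, $id, intval($_SESSION['user']['id']));
        $notice = $deleted ? "User $id deleted." : "Nothing deleted.";
    } catch (PDOException $ex) {
        error_log("Delete failed: " . $ex->getMessage()); // log details, show a generic message
        $notice = "Delete failed.";
    }
}

// Fetch the list only after the delete, so the removed row is not displayed.
$stmt = $db->prepare("SELECT id, username, display_name, email, admin FROM users");
$stmt->execute();
$rows = $stmt->fetchAll();
?>
<p><?php echo htmlentities($notice, ENT_QUOTES, 'UTF-8'); ?></p>
<table class="parent-accounts">
<?php foreach ($rows as $row): ?>
<tr>
<td><?php echo (int)$row['id']; ?></td>
<td><?php echo htmlentities($row['username'], ENT_QUOTES, 'UTF-8'); ?></td>
<td>
<form action="useraccounts.php" method="post">
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="id" value="<?php echo (int)$row['id']; ?>" />
<input type="hidden" name="csrf_token" value="<?php echo htmlentities($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>" />
<input type="submit" value="Delete User" />
</form>
</td>
</tr>
<?php endforeach; ?>
</table>
```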
Related
I have a problem in my code: it logs in with any username and password without verifying it against the database. More explanation below.
I have 2 tables, one for usernames and one for passwords. I am trying to make my code work like this:
users table has: id, username, phone, email
password table has: id, userid, password
every password is connected to the id of the user by the user_id field
I want my code to work like this:
if the username, email or phone in one row matches, and the password has the same user_id as the id in that row, log in
Example
users table: 1, eddy, edd#example.com, 4493838
passwords table: 1, 1 (please note: it's the user id from the users table), alfa
<?php
$servername = "localhost";$username = "username";$password = "password";$dbname = "myDBPDO";
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))
{?>
Welcome <?php echo $_SESSION['users_id'] ?>
<?php
}
elseif(!empty($_POST['various-login']) && !empty($_POST['password']))
{
// PDO
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Database
$stmt = $conn->prepare("SELECT id as users_id, username, email, phone FROM users");
$stmt->execute();
$stmt = $conn->prepare("SELECT id as passwords_id, user_id, password FROM passwords");
$stmt->execute();
$userRow=$stmt->fetch(PDO::FETCH_ASSOC);
$various_login= $_POST['various-login'] == $userRow['email'] or $userRow['phone'];
$user_and_password = $userRow['users_id'] === $userRow['user_id'];
$password = $_POST['password'] == $user_and_password;
if($stmt->rowCount() == 1)
{
$email = $userRow['email'];
$_SESSION['Username'] = $username;
$_SESSION['email'] = $email;
$_SESSION['LoggedIn'] = 1;
echo "<h1>Success</h1>";
echo $email;
}
else
{
echo "<h1>Error</h1>";
echo "<p>Sorry, your account could not be found. Please click here to try again.</p>";
}}
catch(PDOException $e) {
echo "Error: " . $e->getMessage();
}
$conn = null;
} else {?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Email/Phone: <input type="text" name="various-login" value="<?php echo $website;?>">
<br><br>
Password: <input type="password" name="password">
<br><br>
<input type="submit" name="submit" value="<?php echo $lang['NEXT']; ?>">
</form>
<?php } ?>
Use this : (Not secure for SQLi)
<?php
$servername = "localhost";$username = "username";$password = "password";$dbname = "myDBPDO";
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))
{
echo "Welcome ".$_SESSION['Username'];
}
elseif(!empty($_POST['various-login']) && !empty($_POST['password']))
{
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Database
$stmt = $conn->prepare("SELECT id, username, email, phone FROM users WHERE lower(username) = '".strtolower($_POST['various-login'])."' OR lower(email) = '".strtolower($_POST['various-login'])."' OR phone = '".strtolower($_POST['various-login'])."'");
$stmt->execute();
$userdata = $stmt->fetch(PDO::FETCH_ASSOC);
if(!empty($userdata["id"]))
{
$stmt = $conn->prepare("SELECT id, user_id, password FROM passwords WHERE user_id = '".$userdata["id"]."' AND password = '".$_POST["password"]."'");
$stmt->execute();
$password_data = $stmt->fetch(PDO::FETCH_ASSOC);
if(!empty($password_data["id"]))
{
$_SESSION['users_id'] = $userdata["id"];
$_SESSION['Username'] = $userdata["username"];
$_SESSION['email'] = $userdata["email"];
$_SESSION['LoggedIn'] = 1;
echo "<h1>Success</h1>";
echo $userdata["email"];
}
else
{
echo "<h1>Error</h1>";
echo "<p>Sorry, your account password is not valid. Please click here to try again.</p>";
}
}else{
echo "<h1>Error</h1>";
echo "<p>Sorry, your account could not be found. Please click here to try again.</p>";
}
} catch(PDOException $e) {
echo "Error: " . $e->getMessage();
}
$conn = null;
} else {?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Email/Phone:
<input type="text" name="various-login" value="<?php echo $website;?>">
<br><br>
Password: <input type="password" name="password">
<br><br>
<input type="submit" name="submit" value="<?php echo $lang['NEXT']; ?>">
</form>
<?php } ?>
I'd highly recommend using a join so it's one SQL statement, as well as sanitizing and validating your input.
SELECT users.*
FROM users
JOIN passwords ON passwords.user_id = users.id
WHERE (users.email = :email
OR users.phone = :phone)
AND passwords.password = :password
Here's the link to the documentation on prepared statements. I suggest you re-read that to understand why your existing code won't work (hint: you're selecting all records). http://php.net/manual/en/pdo.prepared-statements.php
Create your PDO Connection
Create your SQL
Bind your parameters
Execute the query
If you have a row, you found the user.
I'm sure you're already aware of the issues with using plain text passwords, and have assumed this is an assignment and not something used in production.
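The JOIN above carried through with bound parameters, as an added example that is not the answer's own code: the same submitted value is bound to both the email and phone placeholders, and the stored value is checked with password_verify rather than compared in SQL. It assumes `$conn` is the PDO connection from the question (ERRMODE_EXCEPTION) and that passwords.password holds a password_hash() value rather than plain text (an assumption).

```php
<?php
// Added example, not the answer's or the question's code.
// Assumes $conn is a PDO connection with ERRMODE_EXCEPTION and that
// passwords.password stores password_hash() output (assumption).

function find_user_by_login(PDO $conn, $login)
{
    // One submitted value is compared against two columns, so it is bound twice.
    $sql = "SELECT users.id, users.username, users.email, users.phone, passwords.password AS hash
            FROM users
            JOIN passwords ON passwords.user_id = users.id
            WHERE users.email = :email OR users.phone = :phone
            LIMIT 1";
    $stmt = $conn->prepare($sql);
    $stmt->bindValue(':email', $login);
    $stmt->bindValue(':phone', $login);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the user row (without the hash) on success, null otherwise.
function authenticate(PDO $conn, $login, $password)
{
    $row = find_user_by_login($conn, $login);
    // Verify against a throwaway hash when no user matched, so the response time
    // does not reveal whether the email/phone exists.
    $hash = $row ? $row['hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    unset($row['hash']); // never keep the hash in the session
    return $row;
}

if (!empty($_POST['various-login']) && !empty($_POST['password'])) {
    $user = authenticate($conn, $_POST['various-login'], $_POST['password']);
    if ($user) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
        $_SESSION['users_id'] = $user['id'];
        $_SESSION['Username'] = $user['username'];
        $_SESSION['email'] = $user['email'];
        $_SESSION['LoggedIn'] = 1;
        echo "<h1>Success</h1>";
    } else {
        // Same message for unknown login and wrong password.
        echo "<h1>Error</h1><p>Sorry, the login or password is not valid.</p>";
    }
}
```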
I'm creating a user management system. I can edit users. I can create users. I can verify that the email is in the correct format. However, my issue is with verifying whether the same email already exists in the database. I keep getting this error: Ouch, failed to run query: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicata du champ 'Markr#fun.com' pour la clef 'email'. The code is below. The first part is the form that's used to store info in the database. The second is the script that's run once the submit button is pressed.
<?php
require("../scripts/connect.php");
if(empty($_SESSION['user']))
{
header("Location: ../hound/login.php");
die("Redirecting to ../hound/login.php");
}
$query_parm = array(
':id' => $_GET['id']
);
$query = "
SELECT
*
FROM users
WHERE
id = :id
";
try
{
$stmt = $db->prepare($query);
$stmt->execute($query_parm);
}
catch (PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$rows = $stmt->fetchAll();
?>
<form action="../scripts/edit_users.php" method="post">
<?php foreach($rows as $row): ?>
Username:<br />
<b><?php echo htmlentities($row['username'], ENT_QUOTES, 'UTF-8'); ?></b>
<br /><br />
<input type="hidden" name="id" value="<?php echo htmlentities($row['id'], ENT_QUOTES, 'UTF-8'); ?>">
First Name:<br />
<input type="text" name="first_name" value="<?php echo htmlentities($row['first_name'], ENT_QUOTES, 'UTF-8'); ?>" />
<br /><br />
Last Name:<br />
<input type="text" name="last_name" value="<?php echo htmlentities ($row['last_name'], ENT_QUOTES, 'UTF-8'); ?>" />
<br /><br />
E-Mail Address:<br />
<input type="text" name="email" value="<?php echo htmlentities($row ['email'],ENT_QUOTES,'UTF-8'); ?>" />
<br /><br />
Password:<br />
<input type="password" name="password" value="" /><br />
<br /><br />
<input type="submit" value="Update User" />
Back<br />
<?php endforeach; ?>
</form>
This is the script that's run when submit is pressed.
<?php
require("common.php");
if(empty($_SESSION['user']))
{
header("Location: ../hound/login.php");
die("Redirecting to ../hound/login.php");
}
if(!empty($_POST))
{
if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
die("Please enter a valid email address...");
}
if($_POST['email'] !=$_POST['email'])
{
$query_email = "
SELECT email
from users
where
email = :email
";
$query_goes = array(
':email' => $_POST['email']
);
try
{
$stmt = $db->prepare($query_email);
$result = $stmt->execute($query_goes);
}
catch (PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
die("That email is already in use...");
}
}
}
$array_value = array(
':email' => $_POST['email'],
':first_name' => $_POST['first_name'],
':last_name' => $_POST['last_name'],
':id' => $_POST['id']
);
$query = "UPDATE users
SET
email = :email,
first_name = :first_name,
last_name = :last_name
WHERE
id = :id
";
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($array_value);
}
catch(PDOException $ex)
{
die("Ouch, failed to run query: " . $ex->getMessage());
}
header("Location: users.php");
die("Redirecting to users.php");
?>
Exactly what are you trying to do here?
if($_POST['email'] !=$_POST['email'])
That's an impossible condition. "If this thing is not itself".
So your check to see if an email address exists NEVER gets executed, then you blindly try to insert it anyways.
As well, this is NOT how you do this sort of check. Even if the code was properly structured, there's NO guarantee that some parallel script won't be able to insert that very same email address in the (short) interval between this script doing its select and then the insert.
You should do an unconditional insert, and check if it succeeded, e.g.
if ($_POST) {
    $sql = "INSERT INTO users (email, first_name, last_name) VALUES (:email, :first_name, :last_name)";
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute(array(
            ':email' => $_POST['email'],
            ':first_name' => $_POST['first_name'],
            ':last_name' => $_POST['last_name']
        ));
    }
    catch (PDOException $e) {
        // PDOException::getCode() holds the SQLSTATE ('23000' here); the MySQL
        // error number 1062 (duplicate key violation) is in errorInfo[1].
        if (isset($e->errorInfo[1]) && $e->errorInfo[1] == 1062) {
            die("That email is already in use...");
        }
        throw $e; // anything else is a real failure
    }
}
It is probably due to the if($_POST['email'] !=$_POST['email']) line, since this will always evaluate to false; thus it will not even check if the email already exists in your DB.
Any time I try to log in from just /login, it submits and redirects me to the home page as it's supposed to, but doesn't store the session even though the user/pass combo was correct. But if I go to /private, get redirected back to /login and log in, it stores the session.
login.php
<?php
require("includes/connection.php");
$page ='/login.php';
require("includes/logs/log.php");
require("includes/update_session.php");
if(!empty($_SESSION['user'])) {
echo '<script>window.location = "/index.php";</script>';
die("Redirecting to index.php");
}
$submitted_username = '';
if(!empty($_POST)) {
$query = "SELECT id,username,password,salt,email
FROM users
WHERE username = :username";
$query_params = array(':username' => $_POST['username']);
try {
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex) {
die("Failed to run query: " . $ex->getMessage());
}
$login_ok = false;
$row = $stmt->fetch();
if($row) {
$query = "INSERT INTO CSD_LOGIN_ATTEMPTS (id) VALUES (:id)";
$query_params = array(':id' => $row["id"]);
try {
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex) {
die("Failed to run query: " . $ex->getMessage());
}
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++) {
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['password']) {
$login_ok = true;
}
}
if($login_ok) {
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
session_write_close();
echo '<script>window.location="/index.php";</script>';
die("Redirecting to: index.php");
} else {
print("Login Failed.");
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<?php
require("includes/scripts.php");
?>
</head>
<body><center>
<div id="pagewidth">
<?php
require("includes/header.php");
?>
<div id="content">
<section class="row">
<h1>Login</h1>
<form action="login.php" method="post" class='form'>
Username:<br />
<input style='text-align: center' type="text" name="username" value="<?php echo $submitted_username; ?>" />
<br /><br />
Password:<br />
<input style='text-align: center' type="password" name="password" value="" />
<br /><br />
<button type="submit" value="Login" class='btnSmall grey'>Login</button>
</form><br>
Register
</section>
<section class="row grey">
</section>
</div>
<?php
include("includes/footer.php");
?>
</div>
</center></body>
</html>
As others have stated, you have
if(!empty($_SESSION['user'])) {
basically stating, IF the user variable is NOT EMPTY (they ARE logged in), redirect to login. You probably want to have the below instead.
if(empty($_SESSION['user'])) {
You want to ask someone to login only if they are not logged in, right?
I'm making a community site thing.
I'm currently making the option to change your password.
But, when I try to use it, it won't work.
Why is this? How do I fix it?
My code:
Settings.php (Where I change the pass)
PHP:
<?php
error_reporting(E_ALL);
include_once('includes/connection.php');
include_once('includes/user.php');
if(isset($_SESSION['logged_in'])){
if(isset($_POST['oldpass']) and isset($_POST['newpass'])){
$name = $_COOKIE['name'];
$oldpass = md5($_POST['oldpass']);
$newpass = md5($_POST['newpass']);
$query = $pdo->prepare("SELECT * FROM users WHERE username=? AND password=?");
$query->bindValue(1, $name);
$query->bindValue(2, $oldpass);
$query->execute();
$num = $query->rowCount();
if($num==1){
$query = $pdo->prepare("UPDATE users SET password=? WHERE username=?");
$query->bindValue(1, $newpass);
$query->bindValue(2, $name);
$result = $query->execute();
if($result==1){
header('Location: logout.php');
}else{
echo "Something went wrong.";
}
}
}
}
?>
HTML:
<html>
<head>
<title>MackNet</title>
<link rel="stylesheet" type="text/css" href="assets/style.css">
</head>
<body>
<div id="main">
<?php
$name = $_COOKIE['name'];
$pass = $_COOKIE['pass'];
$user = new User();
$row = $user->fetch_all($name, $pass);
?>
<div id="toolbar">
<?php
echo " <a href='main.php'>Home</a> ";
echo " <a href='logout.php'>Logout</a> ";
echo " <a href='settings.php'>Settings</a> ";
if($row['group'] == 2){
echo " <a href='users.php'>Manage Users</a> ";
}
?>
<hr>
</div>
<form action="settings.php" method="POST">
<input type="password" name="oldpass" placeholder="Old Password">
<input type="password" name="newpass" placeholder="New Password">
<input type="submit" value="Change password">
</form>
</div>
</body>
</html>
If you need any more code, tell me.
Thanks // Mackan90095
What error do you get? Or does it never get inside the if($num==1)?
Maybe it's smart to retrieve the user's id and use that to change the password. Imagine two users having the same username; that would change both their passwords.
I would also include a password confirmation field to make sure they enter the new password twice (just as a precaution).
Useful site: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
Why don't you try using try/catch to see the error, and replace if($result==1) with if($result)?
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try{
$query = $pdo->prepare("SELECT * FROM users WHERE username=? AND password=?");
$query->bindValue(1, $name);
$query->bindValue(2, $oldpass);
$query->execute();
$num = $query->rowCount();
if($num==1){
$query = $pdo->prepare("UPDATE users SET password=? WHERE username=?");
$query->bindValue(1, $newpass);
$query->bindValue(2, $name);
$result = $query->execute();
if($result)
header('Location: logout.php');
}
}
catch (PDOException $e) {
echo "DataBase Error: ".$e->getMessage();
}
catch (Exception $e) {
echo "General Error: ".$e->getMessage();
}
You have a beautiful code, but I've seen only this:
change
<form action="settings.php" method="POST">
to
<form action="Settings.php" method="POST">
Settings.php is capitalized?
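A change-password handler along the lines the answers above suggest (identify the user by id, not by cookie or username; show the real error; require the new password twice), as an added example that is not the poster's or the answers' code. It assumes `$pdo` is the connection from includes/connection.php with ERRMODE_EXCEPTION, that users.password holds password_hash() values, that `$_SESSION['user_id']` is set at login, and that the form has a third field named `confirm` (all assumptions).

```php
<?php
// Added example, not the poster's or the answers' code.
// Assumes $pdo (PDO, ERRMODE_EXCEPTION), users.password = password_hash() output,
// $_SESSION['user_id'] set at login, and a form field "confirm" (assumptions).

// Returns null on success, or an error message for the user.
function change_password(PDO $pdo, $user_id, $old, $new, $confirm)
{
    if ($new !== $confirm) {
        return "New passwords do not match.";
    }
    if (strlen($new) < 8) {
        return "New password must be at least 8 characters.";
    }
    // Look the user up by id, so two accounts with the same username cannot collide.
    $stmt = $pdo->prepare("SELECT password FROM users WHERE id = :id");
    $stmt->bindValue(':id', $user_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($old, $row['password'])) {
        return "Old password is incorrect.";
    }
    $stmt = $pdo->prepare("UPDATE users SET password = :hash WHERE id = :id");
    $stmt->bindValue(':hash', password_hash($new, PASSWORD_DEFAULT));
    $stmt->bindValue(':id', $user_id, PDO::PARAM_INT);
    $stmt->execute();
    return null;
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}
if (isset($_POST['oldpass'], $_POST['newpass'], $_POST['confirm'])) {
    try {
        $error = change_password($pdo, (int)$_SESSION['user_id'],
                                 $_POST['oldpass'], $_POST['newpass'], $_POST['confirm']);
    } catch (PDOException $e) {
        error_log("Password change failed: " . $e->getMessage()); // real error goes to the log
        $error = "Something went wrong.";
    }
    if ($error === null) {
        session_destroy();          // end the session so the user logs in again with the new password
        header('Location: logout.php');
        exit;
    }
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
}
```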
I have recently made a login and register script which works fine, but I want it to be more secure from spammers and I was wondering if anyone knows how to make an email verification system.
How could I add email verification to this script? I hope this made sense.
<?php
require("php/bp-connection.php");
if(!empty($_POST))
{
if(empty($_POST['username']))
{
die("Please enter a username.");
}
if(empty($_POST['password']))
{
die("Please enter a password.");
}
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
die("Invalid E-Mail Address");
}
$query = "
SELECT
1
FROM users
WHERE
username = :username
";
$query_params = array(
':username' => $_POST['username']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
die("This username is already in use");
}
$query = "
SELECT
1
FROM users
WHERE
email = :email
";
$query_params = array(
':email' => $_POST['email']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
die("This email address is already registered");
}
$query = "
INSERT INTO users (
username,
password,
salt,
email
) VALUES (
:username,
:password,
:salt,
:email
)
";
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query_params = array(
':username' => $_POST['username'],
':password' => $password,
':salt' => $salt,
':email' => $_POST['email']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
header("Location: login.php");
die("Redirecting to login.php");
}
?>
<html lang="en">
<head>
<title>Register | BinaryPaw</title>
<link rel="shortcut icon" href="favicon.ico" type="icon" />
<link rel="stylesheet" href="css/bp-grid.css" type="text/css" />
<link rel="stylesheet" href="css/bp-styles.css" type="text/css" />
</head>
<body>
<?php
include 'php/bp-siteBar.php';
?>
<div class="container">
<?php
include 'php/bp-sideBar.php';
?>
<div class="span4">
<h1>User Registration</h1>
<form action="register.php" method="post">
<div class="space1">
<label>Username</label>
</div>
<div class="space2">
<input type="text" name="username" class="username" value="" />
</div>
<div class="space1">
<label>Email</label>
</div>
<div class="space2">
<input type="text" name="email" class="email" value="" />
</div>
<div class="space1">
<label>Password</label>
</div>
<div class="space2">
<input type="password" name="password" class="password" value="" />
</div>
<div class="space3">
<input type="submit" class="submit" value="Register" />
</div>
</form>
</div>
<div class="space3"></div>
<div class="span10" id="footer">
<h6>Created by Mathew Berry ©2013 </h6>
</div>
</div>
</body>
It's simple: send a code to the user's email address and create a page to verify the code; if the code verifies, register the user.
// Registration step: store the pending account with a random code and mail the link.
// Rewritten with PDO and bound parameters; the original mysql_* calls were removed in PHP 7.
$pdo = new PDO('mysql:host=localhost;dbname=sample', 'root', '');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(isset($_POST['register']))
{
    $email = $_POST['email']; // the original assigned $email_id but used $email below
    // Store a hash of the password, not the plain text.
    $pass = password_hash($_POST['password'], PASSWORD_DEFAULT);
    // Unpredictable activation code (the original used a prefix of md5(mt_rand())).
    $code = bin2hex(random_bytes(16));
    $insert = $pdo->prepare("insert into verify (email, password, code) values (:email, :pass, :code)");
    $insert->execute(array(':email' => $email, ':pass' => $pass, ':code' => $code));
    $db_id = $pdo->lastInsertId();
    $to = $email;
    $subject = "Activation Code For Talkerscode.com";
    $from = 'your email';
    $body = 'Your Activation Code is '.$code.' Please Click On This link Verify.php?id='.$db_id.'&code='.$code.' to activate your account.';
    $headers = "From:".$from;
    mail($to, $subject, $body, $headers);
    echo "An Activation Code Is Sent To You Check You Emails";
}
to verify the code
// Verification step: look up the pending row by id and code, then move it to verified_user.
$pdo = new PDO('mysql:host=localhost;dbname=sample', 'root', '');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(isset($_GET['id']) && isset($_GET['code']))
{
    $id = (int)$_GET['id'];
    $code = $_GET['code']; // the original read $_GET['id'] here, so the code never matched
    $select = $pdo->prepare("select email, password from verify where id = :id and code = :code");
    $select->execute(array(':id' => $id, ':code' => $code));
    $row = $select->fetch(PDO::FETCH_ASSOC);
    if($row)
    {
        // Assumes verified_user has email and password columns like verify.
        $insert_user = $pdo->prepare("insert into verified_user (email, password) values (:email, :password)");
        $insert_user->execute(array(':email' => $row['email'], ':password' => $row['password']));
        $delete = $pdo->prepare("delete from verify where id = :id");
        $delete->execute(array(':id' => $id));
    }
}
complete tutorial here http://talkerscode.com/webtricks/account-verification-system-through-email-using-php.php
You can add a captcha to prevent spammers on your form. It is more secure than anything else.