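<?php
// Registration / activation handler.
//
// Two entry modes, selected by the hidden form field `form_submitted`:
//   1. POST from the registration form: store the user with status 'verify'
//      and mail an activation link.
//   2. GET with the activation key as the bare query string
//      (register.php?<key>): mark the matching user as 'activated'.
//
// NOTE(review): this file uses the ext/mysql API (mysql_query etc.), which
// was removed in PHP 7. DBconnect.php is not visible here, so the same API is
// kept; moving both files to PDO/mysqli prepared statements is the proper
// replacement for the escaped string-building below.
include("DBconnect.php");

// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------

// Returns $length cryptographically secure random bytes.
// mt_rand() (used before) is a seeded, predictable generator and must not be
// the source of salts or activation tokens.
function register_random_bytes($length)
{
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || !$strong) {
        die('Error: no secure random source available.');
    }
    return $bytes;
}

// Logs the database error server-side and stops with a generic message.
// Echoing mysql_error() to the browser discloses table/column names to
// whoever submits the form.
function register_fail($context)
{
    error_log('register.php: ' . $context . ': ' . mysql_error());
    die('Error: the request could not be completed.');
}

// ---------------------------------------------------------------------------
// Retrieving data from html form
// ---------------------------------------------------------------------------
// Missing fields default to '' instead of raising an undefined-index notice;
// the checks below reject empty values.
$username      = isset($_POST['username']) ? trim($_POST['username']) : '';
$email         = isset($_POST['email']) ? trim($_POST['email']) : '';
$plainPassword = isset($_POST['pass']) ? $_POST['pass'] : '';
$formSubmitted = isset($_POST['form_submitted']) && $_POST['form_submitted'] === '1';
$status        = 'verify';

if ($formSubmitted) {
    ## User is registering: insert data until we can activate it
    if ($username === '' || $plainPassword === '') {
        die('Error: username and password are required.');
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so a validated address can be
    // placed in the mail() recipient and headers; an unvalidated one could
    // inject extra headers or recipients.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        die('Error: invalid email address.');
    }

    // Salt: 8 random bytes stored as 16 hex characters (hex adds no security,
    // it just keeps the value printable). The salt defeats precomputed
    // (rainbow-table) attacks; it does not by itself slow brute force — the
    // iteration loop below is what raises the per-guess cost.
    $salt = bin2hex(register_random_bytes(8));

    // Password hashing: sha256(password . salt), then 65536 further rounds of
    // sha256(previous . salt), so each guess costs 65537 hash computations.
    // Kept unchanged because the login script (not visible here) must verify
    // with exactly this scheme.
    // TODO(review): replace with password_hash()/password_verify() in both
    // scripts; it provides a built-in salt and a tunable work factor.
    $password = hash('sha256', $plainPassword . $salt);
    for ($round = 0; $round < 65536; $round++) {
        $password = hash('sha256', $password . $salt);
    }

    // Activation key: 16 random bytes as 32 hex characters. It is stored and
    // later compared against the query string, so it must be unguessable.
    $activationKey = bin2hex(register_random_bytes(16));

    // Every value is escaped for the current connection before interpolation
    // (the previous query interpolated raw POST data: SQL injection).
    // NOTE(review): the original column list had 5 names for 6 values
    // ("passwordsalt"), which MySQL rejects; `password, salt` is assumed here —
    // confirm against the actual schema.
    $qry = sprintf(
        "INSERT INTO users (username, password, salt, email, activationkey, status)"
        . " VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",
        mysql_real_escape_string($username),
        mysql_real_escape_string($password),
        mysql_real_escape_string($salt),
        mysql_real_escape_string($email),
        mysql_real_escape_string($activationKey),
        mysql_real_escape_string($status)
    );
    // mysql_query() is run once; the old code ran it a second time on the
    // boolean result of the first call.
    if (!mysql_query($qry)) {
        register_fail('insert user');
    }

    // $email is user-supplied, so it is HTML-escaped before being echoed.
    $safeEmail = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    echo "An email has been sent to $safeEmail with an activation key. Please check your mail to complete registration.";

    ## Send activation Email
    $to      = $email;
    $subject = "Registration";
    $message = "Welcome to our website!\r\rYou, or someone using your email address, has completed registration . You can complete registration by clicking the following link:http://localhost:82/Authentication%20system/register.php?$activationKey\r\rIf this is an error, ignore this email and you will be removed from our mailing list.\r\rRegards,\ YOURWEBSITE.com Team";
    $headers = 'From: verma.shikha1991@gmail.com' . "\r\n" .
        'Reply-To: verma.shikha1991@gmail.com' . "\r\n" .
        'MIME-Version: 1.0' . "\r\n" .
        'Content-type: text/html; charset=iso-8859-1' . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    if (mail($to, $subject, $message, $headers)) {
        echo "Email sent";
    } else {
        echo "Email sending failed";
    }
} else {
    ## User isn't registering: check the activation key, clear it and set
    ## status to 'activated' on success
    $activationKey = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

    // An empty key must never match: activated rows have activationkey = '',
    // so the old `==` scan over "SELECT * FROM users" reported every existing
    // account (and echoed their usernames) when the page was opened without
    // a key. Keys are hex, so anything else is rejected before the query.
    if ($activationKey === '' || !ctype_xdigit($activationKey)) {
        die('Error: invalid activation key.');
    }

    // Look up the single pending row in SQL rather than scanning the table
    // in PHP; the key is escaped even though it has been shape-checked.
    $result = mysql_query(sprintf(
        "SELECT id, username FROM users WHERE activationkey = '%s' LIMIT 1",
        mysql_real_escape_string($activationKey)
    ));
    if (!$result) {
        register_fail('look up activation key');
    }
    $row = mysql_fetch_assoc($result);
    if (!$row) {
        die('Error: invalid activation key.');
    }

    // id is cast to int so the WHERE clause carries no attacker-controlled text.
    $update = sprintf(
        "UPDATE users SET activationkey = '', status = 'activated' WHERE id = %d",
        (int) $row['id']
    );
    if (!mysql_query($update)) {
        register_fail('activate user');
    }
    $safeUser = htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
    echo "Congratulations!" . $safeUser . " is now the proud new owner of account.";
}
echo "successful registration";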