registration.php
<!<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Register</title>
</head>
<body>
<fieldset>
<legend>Registration</legend>
<form name="register" action="register.php" method="post">
<table width="510" border="0">
<tr>
<td colspan="2"><p><strong>Registration Form</strong></p></td>
</tr>
<tr>
<td>Username:</td>
<td><input type="text" name="username" maxlength="20" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><input type="password" name="password2" /></td>
</tr>
<tr>
<td>Email:</td>
<td><input type="text" name="email" id="email" /></td>
</tr>
<tr>
<td><input type="hidden" name="formsubmitted" value="true"/> </td>
</tr>
<tr>
<td> </td>
<td><input type="submit" value="Register" /></td>
</tr>
</table>
</form>
<div>
if already registered then:
<a href="login.html"> login</a> </div>
</fieldset>
</body>
registration.php
<?php
include("DBconnect.php");
$username =$_POST[ 'username' ];
$password=$_POST[ 'password' ];
$con_pass=$_POST['password2'];
$email =$_POST [ 'email' ] ;
$status='verify';
$r1='/[A-Z]/'; //Uppercase
$r2='/[a-z]/'; //lowercase
$r3='/[!@#$%^&*()\-_=+{};:,<.>]/'; // whatever you mean by 'special char'
$r4='/[0-9]/'; //numbers
if (isset($_POST['formsubmitted']))
{
//username validation
if(empty($_POST['username']))
{
die("Please enter a username.");
}
$u="select count(*) as 'countuser' from users where username='"+$username+ "'";
$result = mysql_query($u);
while ($row = mysql_fetch_array($result))
{
$count= $row[countuser];
if( $count>0)
{
die("username already exist");
}
}
//password validation
if(empty($_POST['password']))
{
die("Please enter a password.");
}
else
{
if((preg_match_all($r1,$password, $o)<1) &(preg_match_all($r2,$password, $o)<1)&(preg_match_all($r3,$password, $o)<1)&(preg_match_all($r4,$password, $o)<1)&(strlen($password)<8))
die("there should be atleast one Uppercaseletter,one lowercase letter,one special character,one digit &length should be greater than 8");
}
//password matching validation
if($_POST['password']!=$_POST['password2'])
{
die("password do not match");
}
//email validation
if(empty($_POST['email']))
{
die("Please Enter your Email");
}
if (!preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['email']))
{
//regular expression for email validation
//$Email = $_POST['email'];
die( "Your Email Address is invalid ") ;
}
$e="select count(*) as 'countemail' from users where email='"+$email+ "'";
$r = mysql_query($e);
while ($row = mysql_fetch_array($r))
{
$c=$row[countemail];
if($c>0)
{
die("email already exist");
}
}
}
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$activationKey = mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
$qry="insert into users (username,password,salt,email,activationkey,status) values ('$username','$password','$salt','$email','$activationKey','$status')";
$register = mysql_query($qry);
if (!$register)
{
echo "error 1";;
}
echo "successful registration";
?>
<a href="login.html"> login</a>
login.html
<html>
<head>
<title>
login
</title>
</head>
<body>
<fieldset>
<legend title=login>login</legend>
<form action="login.php" method="post">
Username:<br />
<input type="text" name="username" value="" />
<br /><br />
Password:<br />
<input type="password" name="password" value="" />
<br /><br />
<input type="submit" value="Login" />
</form>
</fieldset>
<a href="register.html">Register</a>
<a href="forgotpassword.php">Forgot Password</a>
</body>
</html>
***
login.php***
<?php
require("DBconnect.php");
$username =$_POST[ 'username' ];
$password=$_POST[ 'password' ];
if(!empty($_POST))
{
// This query retreives the user's information from the database using
// their username.
$query = " SELECT id,username,password,salt,email FROM users WHERE username = '"+$username+ "'";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
if($row)
{
// Using the password submitted by the user and the salt stored in the database,
// we now check to see whether the passwords match by hashing the submitted password
// and comparing it to the hashed version already stored in the database.
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password == $row['password'])
{
// If they do, then we flip this to true
$login_ok = true;
}
}
// If the user logged in successfully, then we send them to the private members-only page
// Otherwise, we display a login failed message and show the login form again
if($login_ok)
{
// Here I am preparing to store the $row array into the $_SESSION by
// removing the salt and password values from it. Although $_SESSION is
// stored on the server-side, there is no reason to store sensitive values
// in it unless you have to. Thus, it is best practice to remove these
// sensitive values first.
unset($row['salt']);
unset($row['password']);
// This stores the user's data into the session at the index 'user'.
// We will check this index on the private members-only page to determine whether
// or not the user is logged in. We can also use it to retrieve
// the user's details.
$_SESSION['user'] = $row;
// Redirect the user to the private members-only page.
header("Location: private.php");
die("Redirecting to: private.php");
}
else
{
// Tell the user they failed
print("Login Failed.");
// Show them their username again so all they have to do is enter a new
// password. The use of htmlentities prevents XSS attacks. You should
// always use htmlentities on user submitted values before displaying them
// to any users (including the user that submitted them). For more information:
// http://en.wikipedia.org/wiki/XSS_attack
$username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
?>
private.php
<?php
// First we execute our common code to connection to the database and start the session
require("DBconnect.php");
// At the top of the page we check to see whether the user is logged in or not
if(empty($_SESSION['user']))
{
// If they are not, we redirect them to the login page.
header("Location: login.php");
// Remember that this die statement is absolutely critical. Without it,
// people can view your members-only content without logging in.
die("Redirecting to login.php");
}
// Everything below this point in the file is secured by the login system
// We can display the user's username to them by reading it from the session array. Remember that because
// a username is user submitted content we must use htmlentities on it before displaying it to the user.
?>
Hello <?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?>, secret content!<br />
<a href="memberlist.php">Memberlist</a><br />
<a href="edit_account.php">Edit Account</a><br />
<a href="logout.php">Logout</a>
please tell me the suggesstions gor the errors