To verify that the form value that has been entered follows this pattern, I used a function from the functions file that is called checkformat(). It has the following code:
The function itself is very simple, and effective. It makes use of regex to match a pattern with the entered string. I put it in a function because I will be using this code in more than one script. Instead of rewriting the code over and over, it is easier to just put it in a function and call it as and when necessary. The email address that we received from the form is checked and verified by the checkmailformat() function. The function has the following code:
The checkmailformat() function is not very different from the checkformat() function. The only difference is that it has more characters to match, because an email address has one compulsory dot(.) and 'at' (@) character.
In both checks, the $err and $errmsg variables are appropriately set. And based on these settings (the $err boolean value in particular) the next code is executed:
//if there is no errors above, then clean the form values before using in query.
//clean vars before inserting into database
$cuname = mysql_escape_string($_POST['uname']);
$cupass = mysql_escape_string($_POST['upass']);
$cname = mysql_escape_string($_POST['fname']);
$csname = mysql_escape_string($_POST['sname']);
$cemail = mysql_escape_string($_POST['email']);
$clevel = mysql_escape_string($_POST['level']);
The code above continues the checking and cleaning of the form values. This time we escape the form values and transfer them to new variables, all of whom start with a "c." The "c" indicates that the form value has been put through the "cleaner" and is ready to be used in any MySQL query.
Just renaming the form values will not stop any SQL inject attacks or any other kind of attack. Though not entirely safe, using the mysql_escape_string() function makes things a lot more difficult for any attacker. So please make sure to use this function before running a MySQL query. Since there are no errors, the MySQL query is run to insert the new user details:
//insert the data
$query = "INSERT INTO users SET name='" .trim(addslashes($cname)) . "',";
$query .= "sname='" .trim(addslashes($csname)). "', uname= '" .trim(addslashes($cuname)). "',";
$query .= "upass='" .trim(addslashes($cupass)). "', level= '" .trim(addslashes($clevel)). "',";
$query .= "email='" .trim(addslashes($cemail)) . "',last_login='" .trim(addslashes($td)). "'";
For debugging purposes I've included the "echo mysql_error()" line. If you are going to use this application in a production environment, please remove that line of code, as it can cause a security vulnerability, in the way of showing too much information. After the user details are inserted into the database, effectively creating the user, the code sends out an email to the user that contains the users log in details. The code below demonstrates how this is done:
/*email password to user
//this text will appear in the subject line of the email
$subject = "Project Management - New User Registration";
//this is the recipient of the email
$to = $cleanemail;
$from_name = "Project Management Application";
$from_email = "firstname.lastname@example.org";
$headers = "From: " . $from_name . " <" . $from_email . ">";
$msg = "Dear ".$csname."<br>";
$msg .= "Below is your new username and password:<br>";
$msg .= "Username: ".$cuname."<br>";
$msg .= "Password:".$cupass."<br>";
$msg .= "<br>";
$msg .= "Thank you for joining"
$msg .= "<br>";
$msg .= "The Management";
mail($to, $subject, $msg, $headers);
We use PHP's mail() function to sent the email message. You'll notice that I've commented out this section of the code. This is because it is optional to send the email to the user. Usually when a new employee joins a company, he or she is given the username and password right there and then. So you might want to take the same approach. Or you can choose to send an email to the user as I'm doing here. After sending the email, the code redirects the user to the list_users.php page, that lists all the user of the application:
In the next article we will continue to look at the HTML portion of the user creation script and also take a further look at the last part in the user authentication section that involves password management.
blog comments powered by Disqus