Adding Users for a Project Management Application

In the last article we looked at how a user is authenticated and granted access if the login credentials are correct. Now, for any user to log in, he or she needs to exist in the database. To put user information in the database we need scripts that do just that, hence the topic of this article. This is the third part of a four-part series on the authentication details involved in building a project management application.

The next two scripts that we will be discussing enable administrators to create a new user, with a password that is auto-generated. We will look in detail at how it is done.

The new user script

This script is responsible for creating the user. A user can only be created by an administrator. This is common practice in any intranet environment. A new employee will usually be assigned a username and password by the systems administrator or someone with equivalent authority. And since we are using this application on the assumption that it is going to be used in an intranet, we are going to follow the same tradition.

The password will be auto-generated by a function that I’ve included in the functions file. So the moment this registration script is activated, a seven-character-long password will be generated. This password will then be sent to the user when the administrator finishes creating the user profile. This script is located in the admin section of the application. In the next section you will see the code that makes creating a new user possible.

The Script

Script: add_user.php


<?php
include "../dbcon.php";
include "../functions.php";

//initialise variables
$err=false;
$errmsg="";
$rndpass="";
//last_login timestamp (assumed: the original script uses $td without ever defining it)
$td=date("Y-m-d H:i:s");

//create rnd password
$rndpass=genpass();

//is form submitted?
if(isset($_POST['submit'])){

    //check that the form values are not empty, if so, set errormsg value
    if(empty($_POST['uname'])){
        $errmsg .="The username field is empty, please enter a username. ";
        $err=true;
    }
    if(empty($_POST['fname'])){
        $errmsg .="The name field is empty, please enter your name. ";
        $err=true;
    }
    if(empty($_POST['sname'])){
        $err=true;
        $errmsg .="The surname field is empty, please enter your surname. ";
    }
    if(empty($_POST['email'])){
        $errmsg .="The email field is empty, please enter an email address. ";
        $err=true;
    }
    if(empty($_POST['level'])){
        $err=true;
        $errmsg .="Please select an access level for the user. ";
    }
    /*End empty field check*/

    //check that the username is in correct format
    if(!$err){
        if(!checkformat($_POST['uname'])){
            $err=true;
            $errmsg .="The username that you entered has an incorrect format.";
        }
    }

    //check that the email address is in correct format
    if(!$err){
        if(!checkmailformat($_POST['email'])){
            $err=true;
            $errmsg .="The email address that you entered has an incorrect format.";
        }
    }
    /*End format check*/

    //if there are no errors above, then clean the form values before using them in the query.
    if(!$err){
        //escape vars before inserting into database (mysql_escape_string() is not
        //charset-aware; a prepared statement is the safer choice where available)
        $cuname = mysql_escape_string($_POST['uname']);
        $cupass = mysql_escape_string($_POST['upass']);
        $cname = mysql_escape_string($_POST['fname']);
        $csname = mysql_escape_string($_POST['sname']);
        $cemail = mysql_escape_string($_POST['email']);
        $clevel = mysql_escape_string($_POST['level']);

        //insert the data (the values are already escaped above; a second
        //addslashes() would store stray backslashes in the table)
        $query = "INSERT INTO users SET name='" .trim($cname) . "',";
        $query .= "sname='" .trim($csname). "', uname='" .trim($cuname). "',";
        $query .= "upass='" .trim($cupass). "', level='" .trim($clevel). "',";
        $query .= "email='" .trim($cemail) . "',last_login='" .trim($td). "'";
        $result=mysql_query($query);
        if(!$result){
            //debugging only: remove in production, it leaks database details
            echo mysql_error();
        }else{
            /*email password to user

            //this text will appear in the subject line of the email
            $subject = "Project Management – New User Registration";
            //this is the recipient of the email
            $to = $cemail;
            //sender name
            $from_name = "Project Management Application";
            //sender address
            $from_email = "website@mywebsite.com";
            $headers = "From: " . $from_name . " <" . $from_email . ">";
            //build message
            $msg = "Dear ".$csname."<br>";
            $msg .= "<br>";
            $msg .= "Below is your new username and password:<br>";
            $msg .= "Username: ".$cuname."<br>";
            $msg .= "Password: ".$cupass."<br>";
            $msg .= "<br>";
            $msg .= "Thank you for joining";
            $msg .= "<br>";
            $msg .= "The Management";

            mail($to, $subject, $msg, $headers);
            */

            header("Location: list_users.php");
            exit;
        }
    }
}//end submit
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/admin.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- InstanceBeginEditable name="doctitle" -->
<title>Project Management</title>
<!-- InstanceEndEditable -->
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="../Templates/main.css" rel="stylesheet" type="text/css" />
</head>

<body>
<table width="100%" border="0">
<tr>
<td width="38%">&nbsp;</td>
<td width="22%">&nbsp;</td>
<td width="40%">Logged in:<!-- InstanceBeginEditable name="EditRegion4" --><?php echo htmlspecialchars($_SESSION['name']); ?> | <a href="../logout.php">Logout</a><!-- InstanceEndEditable --></td>
</tr>
<tr>
<td colspan="3" bgcolor="#6699CC"><span class="headertxt">Project Management Software - Administration</span></td>
</tr>
<tr>
<td colspan="3"><!-- InstanceBeginEditable name="EditRegion3" -->

<form name="form1" action="add_user.php" method="post">
<table width="657" border="0" class="formborder">
<tr>
<td colspan="2" class="loginheader">Create New User</td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<?php if($errmsg != ""){ ?>
<tr>
<td colspan="2" class="errmsg"><?php echo $errmsg; ?></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<?php } ?>

<tr>
<td width="122"><div align="left">Name:</div></td>
<td width="525"><input name="fname" type="text" class="input40" size="40"></td>
</tr>
<tr>
<td width="122"><div align="left">Surname:</div></td>
<td width="525" class="login"><input name="sname" type="text" size="40"></td>
</tr>
<tr>
<td width="122"><div align="left">Username:</div></td>
<td width="525" class="login"><input name="uname" type="text" size="40">
<span class="tooltip">username must be in format: <strong>name.surname</strong></span></td>
</tr>
<tr>
<td width="122"><div align="left">Password:</div></td>
<td width="525" class="login"><input name="upass" type="text" size="40" value="<?php echo htmlspecialchars($rndpass); ?>"></td>
</tr>
<tr>
<td><div align="left">Email:</div></td>
<td class="login"><input name="email" type="text" size="40"></td>
</tr>
<tr>
<td><div align="left">Access Level</div></td>
<td class="login"><label>
<!-- the select must be named "level", which is the field the PHP above reads -->
<select name="level">
<option>admin</option>
<option>normal</option>
</select>
</label></td>
</tr>
<tr>
<td></td>
<td> <input name="submit" type="submit"></td>
</tr>

</table>
</form>
<!-- InstanceEndEditable --></td>
</tr>
<tr>
<td colspan="3"><!-- InstanceBeginEditable name="EditRegion5" --><a href="#">List Users</a> <!-- InstanceEndEditable --></td>
</tr>
<tr>
<td colspan="3" class="cright"><div align="right">copyright &copy; 2007 PM </div></td>
</tr>
</table>
</body>
<!-- InstanceEnd --></html>



Script Explained

So let’s look at the script in more detail. The very first lines include the files we need to connect to the database, as well as the functions file that contains all the functions we will need for this script:


<?php
include "../dbcon.php";
include "../functions.php";


Then we initialize some variables that we are going to need:


$err=false;
$errmsg="";
$rndpass="";


The next line generates a new seven-character-long password for the user:


//create rnd password
$rndpass=genpass();


The genpass() function is included in the functions file and has the following code:



function genpass()
{
    $chars = "1234567890abcdefGHIJKLMNOPQRSTUVWxyzABCDEFghijklmnopqrstuvwXYZ1234567890";
    $thepass = '';
    //pick seven characters, indexing over the whole string rather than a fixed 39;
    //rand() is not a cryptographic generator, so random_int() is preferable on PHP 7+
    for($i=0;$i<7;$i++)
    {
        $thepass .= $chars[rand(0, strlen($chars) - 1)];
    }
    return $thepass;
}


The password generation function itself is straightforward. The characters that are used in the password are defined:


$chars = "1234567890abcdefGHIJKLMNOPQRSTUVWxyzABCDEFghijklmnopqrstuvwXYZ1234567890";


then a for() loop builds a seven-character password by picking characters at random from the $chars variable defined above.

The newly created password is saved in the $rndpass variable, which is later inserted into the database and then sent to the user by email.

After the password has been generated, the script then checks to see if the form has been submitted:


//is form submitted?

if(isset($_POST['submit'])){


If the form has been submitted, we start checking the form values. I cannot stress enough the importance of making some kind of check when dealing with form data. I know nothing is really a hundred percent secure, but at least when you put in obstacles like this to secure your data, you just might manage to scare off the most determined hacker.

Anyway, because all of the fields in the form are required, we have to make sure that they are all filled in and that the correct formats are used. For the moment, the code checks the form values to make sure that they are not empty and then sets the $err value to true if any fields are empty, and builds up the $errmsg variable with the appropriate messages:

//check that the form values are not empty, if so, set errormsg value
if(empty($_POST['uname'])){
    $errmsg .="The username field is empty, please enter a username. ";
    $err=true;
}
if(empty($_POST['fname'])){
    $errmsg .="The name field is empty, please enter your name. ";
    $err=true;
}
if(empty($_POST['sname'])){
    $err=true;
    $errmsg .="The surname field is empty, please enter your surname. ";
}
if(empty($_POST['email'])){
    $errmsg .="The email field is empty, please enter an email address. ";
    $err=true;
}
if(empty($_POST['level'])){
    $err=true;
    $errmsg .="Please select an access level for the user. ";
}
/*End empty field check*/

The next two sections of code check to see if the username and email address that have been entered follow the correct format:

//check that the username is in correct format
if(!$err){
    if(!checkformat($_POST['uname'])){
        $err=true;
        $errmsg .="The username that you entered has an incorrect format.";
    }
}

//check that the email address is in correct format
if(!$err){
    if(!checkmailformat($_POST['email'])){
        $err=true;
        $errmsg .="The email address that you entered has an incorrect format.";
    }
}
/*End format check*/


As I’ve stated before, the username has the following format:


name.surname

Checkformat Function

To verify that the form value that has been entered follows this pattern, I used a function from the functions file that is called checkformat(). It has the following code: 

function checkformat($aUsername){
    //exactly one dot between two alphabetic parts, case-insensitive
    //(preg_match() replaces the eregi() call, which was removed in PHP 7)
    if(preg_match('/^[a-z]+\.[a-z]+$/i', $aUsername))
        return TRUE;
    else
        return FALSE;
}


The function itself is very simple, and effective. It makes use of regex to match a pattern with the entered string. I put it in a function because I will be using this code in more than one script. Instead of rewriting the code over and over, it is easier to just put it in a function and call it as and when necessary. The email address that we received from the form is checked and verified by the checkmailformat() function. The function has the following code:


function checkmailformat($aEmail){
    //local part, "@", then a domain with at least one dot; the hyphen is placed
    //last in each class so it is literal, and there is no stray space before "$"
    if(preg_match('/^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+$/i', $aEmail))
        return TRUE;
    else
        return FALSE;
}//end function


The checkmailformat() function is not very different from the checkformat() function. The only difference is that it has more characters to match, because an email address must contain a dot (.) and an ‘at’ (@) character.

In both checks, the $err and $errmsg variables are appropriately set. And based on these settings (the $err boolean value in particular) the next code is executed:

//if there are no errors above, then clean the form values before using them in the query.
if(!$err){
    //clean vars before inserting into database
    $cuname = mysql_escape_string($_POST['uname']);
    $cupass = mysql_escape_string($_POST['upass']);
    $cname = mysql_escape_string($_POST['fname']);
    $csname = mysql_escape_string($_POST['sname']);
    $cemail = mysql_escape_string($_POST['email']);
    $clevel = mysql_escape_string($_POST['level']);

The code above continues the checking and cleaning of the form values. This time we escape the form values and transfer them to new variables, all of which start with a "c." The "c" indicates that the form value has been put through the "cleaner" and is ready to be used in a MySQL query.

Just renaming the form values will not stop SQL injection attacks or any other kind of attack. Though not entirely safe, using the mysql_escape_string() function makes things a lot more difficult for an attacker. So please make sure to use this function before running a MySQL query. Since there are no errors, the MySQL query is run to insert the new user details:

//insert the data (the values were escaped above, so no second addslashes() pass)
$query = "INSERT INTO users SET name='" .trim($cname) . "',";
$query .= "sname='" .trim($csname). "', uname='" .trim($cuname). "',";
$query .= "upass='" .trim($cupass). "', level='" .trim($clevel). "',";
$query .= "email='" .trim($cemail) . "',last_login='" .trim($td). "'";
$result=mysql_query($query);
if(!$result){
    echo mysql_error();

For debugging purposes I’ve included the "echo mysql_error()" line. If you are going to use this application in a production environment, please remove that line of code, as it creates a security vulnerability by revealing too much information about the database. After the user details are inserted into the database, effectively creating the user, the code sends out an email to the user that contains the user’s login details. The code below demonstrates how this is done:

/*email password to user

//this text will appear in the subject line of the email
$subject = "Project Management – New User Registration";
//this is the recipient of the email
$to = $cemail;
//sender name
$from_name = "Project Management Application";
//sender address
$from_email = "website@mywebsite.com";
$headers = "From: " . $from_name . " <" . $from_email . ">";
//build message
$msg = "Dear ".$csname."<br>";
$msg .= "<br>";
$msg .= "Below is your new username and password:<br>";
$msg .= "Username: ".$cuname."<br>";
$msg .= "Password: ".$cupass."<br>";
$msg .= "<br>";
$msg .= "Thank you for joining";
$msg .= "<br>";
$msg .= "The Management";

mail($to, $subject, $msg, $headers);
*/


We use PHP’s mail() function to send the email message. You’ll notice that I’ve commented out this section of the code. This is because it is optional to send the email to the user. Usually when a new employee joins a company, he or she is given the username and password right there and then. So you might want to take the same approach. Or you can choose to send an email to the user as I’m doing here. After sending the email, the code redirects the user to the list_users.php page, which lists all the users of the application:

header("Location: list_users.php");
exit;
}
}
}//end submit
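The insert described above stores the password exactly as typed and escapes each value by hand. As an added example (not the article's code), here is the same add-user step done with a PDO prepared statement, password_hash() and random_int(); the $pdo connection, the form array and the article's users table columns are assumed.

```php
<?php
// Added example, not the article's code: the add_user insert done with a PDO
// prepared statement, password_hash() and random_int(). Assumes a PDO
// connection $pdo and the article's users table (name, sname, uname, upass,
// level, email, last_login).

// Cryptographically random password; rand() is not suitable for credentials.
function genpass_secure(int $length = 7): string
{
    $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    $pass = '';
    $max = strlen($chars) - 1;
    for ($i = 0; $i < $length; $i++) {
        $pass .= $chars[random_int(0, $max)];
    }
    return $pass;
}

// Same name.surname rule as the article's checkformat(), using preg_match().
function checkformat(string $username): bool
{
    return preg_match('/^[a-z]+\.[a-z]+$/i', $username) === 1;
}

// Returns true when the row was inserted, false when a field fails validation.
function add_user(PDO $pdo, array $form, string $plainPass): bool
{
    $level = $form['level'] ?? '';
    if (!checkformat($form['uname'] ?? '')
        || filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL) === false
        || !in_array($level, ['admin', 'normal'], true)   // whitelist, do not trust the form
        || trim($form['fname'] ?? '') === '' || trim($form['sname'] ?? '') === '') {
        return false;
    }
    // Placeholders are bound by the driver: no mysql_escape_string() or
    // addslashes() is needed, and user input never becomes SQL syntax.
    $stmt = $pdo->prepare(
        "INSERT INTO users (name, sname, uname, upass, level, email, last_login)
         VALUES (:name, :sname, :uname, :upass, :level, :email, NOW())"
    );
    return $stmt->execute([
        ':name'  => trim($form['fname']),
        ':sname' => trim($form['sname']),
        ':uname' => trim($form['uname']),
        // store a salted hash, never the clear password; check it with password_verify()
        ':upass' => password_hash($plainPass, PASSWORD_DEFAULT),
        ':level' => $level,
        ':email' => trim($form['email']),
    ]);
}

// Usage from add_user.php: $ok = add_user($pdo, $_POST, $_POST['upass'] ?: genpass_secure());
```

The generated password is still shown to the administrator once (or mailed, as in the article); only its hash is stored, so a dump of the users table does not yield working credentials.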

Conclusion

In the next article we will continue to look at the HTML portion of the user creation script and also take a further look at the last part in the user authentication section that involves password management.
