Migrated to Dev Branch, Implemented SQLI pretection and Login/Registration.

This commit is contained in:
Jonathan Turner 2024-01-25 20:53:21 -05:00
parent 03e7feb247
commit 2606e02718
5 changed files with 262 additions and 177 deletions

18
config/config.php Normal file
View File

@ -0,0 +1,18 @@
<?php
ob_start(); // Starts the output buffering
session_start();
$timezone = date_default_timezone_set("America/New_York");
$env = parse_ini_file('.env');
$host = $env['DB_HOST'];
$user = $env['DB_USER'];
$pass = $env['DB_PASS'];
$db = $env['DB_NAME'];
$con = mysqli_connect($host, $user, $pass, $db);
if(mysqli_connect_errno()) {
echo "Failed to connect to database: " . mysqli_connect_errno();
}
?>

View File

@ -0,0 +1,40 @@
<?php
if (isset($_POST["log_but"])) {
$errors = array(); // Used to hold any errors.
$email = filter_var($_POST['log_email'], FILTER_SANITIZE_EMAIL); // sanatizes email to ensure correct format.
$_SESSION['log_email'] = $email;
$pass = strip_tags($_POST['log_pass']);
$pass = str_replace(' ', '', $pass);
$pass = password_hash($pass, PASSWORD_BCRYPT); // Encrypts password
// Uses a prepared statement to check user login. Prevents SQL Injection using Binding.
$stmt = $con->prepare("SELECT username,user_closed FROM users WHERE email = ? AND password = ?");
$stmt->bind_param("ss", $email, $pass); // "ss" indicates two string parameters
$stmt->execute();
$stmt->bind_result($username,$closed);
$stmt->fetch();
if ($username != null) {
$_SESSION['username'] = $username;
if ($closed === 0) { // Reopens account if the account was closed.
$stmt = $con->prepare("UPDATE users SET user_closed = '0' WHERE email = ?");
$stmt->bind_param("s", $email); // Bind parameters for security
$stmt->execute();
$stmt->close(); // Close the statement for proper resource management
}
header("Location: index.php");
exit();
} else {
array_push($errors, "login_error");
}
$stmt->close();
}
?>

View File

@ -0,0 +1,188 @@
<?php
// Variables declaration to prevent errors
$fname = "";
$lname = "";
$email = "";
$email_conf = "";
$pass = "";
$pass_conf = "";
$date = ""; // Registration Date
$errors = array(); // Used to hold any errors.
if(isset($_POST['register_but'])) {
// Variable Assignments
// *** strip_tags() is used to prevent html injection. *** //
$fname = strip_tags($_POST['reg_fname']); //Sets the value from the forum.
$fname = str_replace(' ', '', $fname); // Removes any spaces.
$fname = ucfirst(strtolower($fname)); // Capitalizes first letter, lowercases the rest.
$_SESSION['reg_fname'] = $fname; // Stores values into session variable.
$lname = strip_tags($_POST['reg_lname']);
$lname = str_replace(' ', '', $lname);
$lname = ucfirst(strtolower($lname));
$_SESSION['reg_lname'] = $lname;
$email = strip_tags($_POST['reg_email']);
$email = str_replace(' ', '', $email);
$email = strtolower($email);
$_SESSION['reg_email'] = $email;
$email_conf = strip_tags($_POST['reg_email_conf']);
$email_conf = str_replace(' ', '', $email_conf);
$email_conf = strtolower($email_conf);
$_SESSION['reg_email_conf'] = $email_conf;
$pass = strip_tags($_POST['reg_pass']);
$pass = str_replace(' ', '', $pass);
$pass_conf = strip_tags($_POST['reg_pass_conf']);
$pass_conf = str_replace(' ', '', $pass_conf);
$date = date("Y-m-d"); // Sets the registration date.
if ($email == $email_conf) {
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
$username_check = $con->prepare("SELECT COUNT(*) FROM users WHERE email = ?");
$username_check->bind_param("s", $email);
$username_check->bind_result($num_rows);
$username_check->execute();
$username_check->fetch();
if ($num_rows > 0) {
array_push($errors, "email_exists");
}
} else {
array_push($errors, "email_invalid");
}
} else {
array_push($errors, "email_mismatch");
}
if (strlen($fname) > 25 || strlen($fname) < 2) {
array_push($errors, "fname_invalid");
}
if (strlen($lname) > 25 || strlen($lname) < 2) {
array_push($errors, "lname_invalid");
}
if ($pass != $pass_conf) {
array_push($errors, "pass_mismatch");
} else {
if(preg_match('/[^A-Za-z0-9]/', $pass)) {
array_push($errors, "pass_invalid_char");
} else {
if (strlen($pass) > 30 || strlen($pass) < 5) {
array_push($errors, "pass_invalid_length");
}
}
}
if (!file_exists('debug/logs')) {
mkdir('debug/logs', 0755, true); // Create recursively with appropriate permissions
}
if (empty($errors)) {
$pass = password_hash($pass, PASSWORD_BCRYPT); // Encrypts password
$username = strtolower($fname . "." . $lname);
$username_check = $con->prepare("SELECT COUNT(*) FROM users WHERE username = ?");
$temp = $username;
$username_check->bind_param("s", $temp);
$username_check->bind_result($count);
$username_check->execute();
$username_check->fetch();
$i = 0;
while ($count == 1) {
$i++;
$temp = $username;
if ($i > 0) {
$temp .= $i; // Use string concatenation directly with .=
}
$username_check->bind_param("s", $temp);
$username_check->bind_result($count);
$username_check->execute();
$username_check->fetch();
error_log("\nCounter=$i\nTemp = $temp\nNum Of Names: $count", 3, 'debug/logs/register_error.log');
}
if ($i > 0) {
$username = $username . $i;
}
$username_check->close();
$rand = rand(1,16);
$profile_pic = random_profile_pic($rand);
$create_user = $con->prepare("INSERT INTO users VALUES (NULL,?,?,?,?,?,?,?,'0','0','0',',')");
$create_user->bind_param("sssssss", $fname,$lname,$username,$email,$pass,$date,$profile_pic);
$create_user->execute();
$create_user->close();
array_push($errors, "<span style='color: #14C800;'>You're all set! Go ahead and login!</span><br>");
$_SESSION['reg_fname'] = "";
$_SESSION['reg_lname'] = "";
$_SESSION['reg_email'] = "";
$_SESSION['reg_email_conf'] = "";
}
}
function random_profile_pic($rand) {
$profile_pic = "assets/profile_pics/defaults/";
switch ($rand) {
case 1:
$profile_pic = $profile_pic . "head_alizarin.png";
break;
case 2:
$profile_pic = $profile_pic . "head_amethyst.png";
break;
case 3:
$profile_pic = $profile_pic . "head_belize_hole.png";
break;
case 4:
$profile_pic = $profile_pic . "head_carrot.png";
break;
case 5:
$profile_pic = $profile_pic . "head_deep_blue.png";
break;
case 6:
$profile_pic = $profile_pic . "head_emerald.png";
break;
case 7:
$profile_pic = $profile_pic . "head_green_sea.png";
break;
case 8:
$profile_pic = $profile_pic . "head_nephritis.png";
break;
case 9:
$profile_pic = $profile_pic . "head_pete_river.png";
break;
case 10:
$profile_pic = $profile_pic . "head_pomegranate.png";
break;
case 11:
$profile_pic = $profile_pic . "head_pumpkin.png";
break;
case 12:
$profile_pic = $profile_pic . "head_red.png";
break;
case 13:
$profile_pic = $profile_pic . "head_sun_flower.png";
break;
case 14:
$profile_pic = $profile_pic . "head_turqoise.png";
break;
case 15:
$profile_pic = $profile_pic . "head_wet_asphalt.png";
break;
case 16:
$profile_pic = $profile_pic . "head_wistera.png";
break;
}
return $profile_pic;
}
?>

View File

@ -1,14 +1,5 @@
<?php
$env = parse_ini_file('.env');
$host = $env['DB_HOST'];
$user = $env['DB_USER'];
$pass = $env['DB_PASS'];
$db = $env['DB_NAME'];
$con = mysqli_connect($host, $user, $pass, $db);
if(mysqli_connect_errno()) {
echo "Failed to connect to database: " . mysqli_connect_errno();
}
require 'config/config.php';
?>

View File

@ -1,171 +1,7 @@
<?php
session_start();
$env = parse_ini_file('.env');
$host = $env['DB_HOST'];
$user = $env['DB_USER'];
$pass = $env['DB_PASS'];
$db = $env['DB_NAME'];
$con = mysqli_connect($host, $user, $pass, $db);
if(mysqli_connect_errno()) {
echo "Failed to connect to database: " . mysqli_connect_errno();
}
// Variables declaration to prevent errors
$fname = "";
$lname = "";
$email = "";
$email_conf = "";
$pass = "";
$pass_conf = "";
$date = ""; // Registration Date
$errors = array(); // Used to hold any errors.
if(isset($_POST['register_but'])) {
// Variable Assignments
// *** strip_tags() is used to prevent html injection. *** //
$fname = strip_tags($_POST['reg_fname']); //Sets the value from the forum.
$fname = str_replace(' ', '', $fname); // Removes any spaces.
$fname = ucfirst(strtolower($fname)); // Capitalizes first letter, lowercases the rest.
$_SESSION['reg_fname'] = $fname; // Stores values into session variable.
$lname = strip_tags($_POST['reg_lname']);
$lname = str_replace(' ', '', $lname);
$lname = ucfirst(strtolower($lname));
$_SESSION['reg_lname'] = $lname;
$email = strip_tags($_POST['reg_email']);
$email = str_replace(' ', '', $email);
$email = strtolower($email);
$_SESSION['reg_email'] = $email;
$email_conf = strip_tags($_POST['reg_email_conf']);
$email_conf = str_replace(' ', '', $email_conf);
$email_conf = strtolower($email_conf);
$_SESSION['reg_email_conf'] = $email_conf;
$pass = strip_tags($_POST['reg_pass']);
$pass = str_replace(' ', '', $pass);
$pass_conf = strip_tags($_POST['reg_pass_conf']);
$pass_conf = str_replace(' ', '', $pass_conf);
$date = date("Y-m-d"); // Sets the registration date.
if ($email == $email_conf) {
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
$e_check = mysqli_query($con, "SELECT email FROM users WHERE email='$email'");
$num_rows = mysqli_num_rows($e_check);
if ($num_rows > 0) {
array_push($errors, "email_exists");
}
} else {
array_push($errors, "email_invalid");
}
} else {
array_push($errors, "email_mismatch");
}
if (strlen($fname) > 25 || strlen($fname) < 2) {
array_push($errors, "fname_invalid");
}
if (strlen($lname) > 25 || strlen($lname) < 2) {
array_push($errors, "lname_invalid");
}
if ($pass != $pass_conf) {
array_push($errors, "pass_mismatch");
} else {
if(preg_match('/[^A-Za-z0-9]/', $pass)) {
array_push($errors, "pass_invalid_char");
} else {
if (strlen($pass) > 30 || strlen($pass) < 5) {
array_push($errors, "pass_invalid_length");
}
}
}
if (empty($errors)) {
$pass = password_hash($pass, PASSWORD_BCRYPT); // Encrypts password
$username = strtolower($fname . "." . $lname);
$check_username_query = mysqli_query($con, "SELECT username FROM users WHERE username='$username'");
$i = 0;
$temp = $username;
while (mysqli_num_rows($check_username_query) != 0) {
$i++;
$temp = $username . $i;
$check_username_query = mysqli_query($con, "SELECT username FROM users WHERE username='$temp'");
}
if ($i > 0) {
$username = $username . $i;
}
$rand = rand(1,16);
$profile_pic = random_profile_pic($rand);
$query = mysqli_query($con, "INSERT INTO users VALUES (NULL,'$fname','$lname','$username','$email','$pass','$date','$profile_pic','0','0','0',',')");
}
}
function random_profile_pic($rand) {
$profile_pic = "assets/profile_pics/defaults/";
switch ($rand) {
case 1:
$profile_pic = $profile_pic . "head_alizarin.png";
break;
case 2:
$profile_pic = $profile_pic . "head_amethyst.png";
break;
case 3:
$profile_pic = $profile_pic . "head_belize_hole.png";
break;
case 4:
$profile_pic = $profile_pic . "head_carrot.png";
break;
case 5:
$profile_pic = $profile_pic . "head_deep_blue.png";
break;
case 6:
$profile_pic = $profile_pic . "head_emerald.png";
break;
case 7:
$profile_pic = $profile_pic . "head_green_sea.png";
break;
case 8:
$profile_pic = $profile_pic . "head_nephritis.png";
break;
case 9:
$profile_pic = $profile_pic . "head_pete_river.png";
break;
case 10:
$profile_pic = $profile_pic . "head_pomegranate.png";
break;
case 11:
$profile_pic = $profile_pic . "head_pumpkin.png";
break;
case 12:
$profile_pic = $profile_pic . "head_red.png";
break;
case 13:
$profile_pic = $profile_pic . "head_sun_flower.png";
break;
case 14:
$profile_pic = $profile_pic . "head_turqoise.png";
break;
case 15:
$profile_pic = $profile_pic . "head_wet_asphalt.png";
break;
case 16:
$profile_pic = $profile_pic . "head_wistera.png";
break;
}
return $profile_pic;
}
require 'config/config.php';
require 'includes/form_handlers/register_handler.php';
require 'includes/form_handlers/login_handler.php';
?>
@ -175,6 +11,18 @@ function random_profile_pic($rand) {
</head>
<body>
<form action="register.php" method="POST">
<input type="email" name="log_email" placeholder="Email Address"
value ="<?php if(isset($_SESSION['log_email'])) {
echo $_SESSION['log_email'];
} ?>" required> <br>
<input type="password" name="log_pass" placeholder="Password" required> <br>
<?php if(in_array("login_error", $errors))
echo "Unknown email or incorrect password entered.<br>";?>
<input type="submit" name="log_but" value="Login">
</form>
<form action="register.php" method="POST">
<input type="text" name="reg_fname" placeholder="First Name"
value ="<?php if(isset($_SESSION['reg_fname'])) {