User Personalization with PHP:
User Registration

UNIX System Administrator - SUN Solaris, Veritas, EMC, Shell Scripting, SAN (NYC)
Next Step Systems
US-NY-New York

This article is part 4 of a series. Part 3 can be found here: User Personalization with PHP: User Login

In this article we look at the registration script for our bookmark system. The script is basically responsible for admitting new users to our system. As you will see, it sets certain requirements that a new user must meet before they are admitted and also implements some data checking for security purposes, since it is going to receive a lot of 'outside' data that it needs to incorporate into the application.

The Registration Script

One of the first things that a user must do to use our application is to be 'known' by our system. If a user is not known, she cannot use this system at all. To become known, she must register. In other words a user name and password and other information such as the e-mail address needs to be stored by our application. Only then can the user utilize the bookmark application. To make this process as painless as possible the program requires the following information from the user:

User name - This has to be the full name of the user. The application will use this name to address the user.
Password - The application needs the password to be able to successfully authenticate a user when he or she tries to use the system. The password will be stored in encrypted or hash form. So the user needs to enter an easy to remember password as the system only stores the hashed version of a password and will be unable to retrieve a forgotten password.
E-mail address - The e-mail address is used to send the registration information to the user. It needs to be an active and valid e-mail address or the user will not receive the account activation information. In addition, when the password is changed the system automatically sends an e-mail message to the user notifying them of the change. This normally happens when the user forgets her password and has to reset it. Also, when registering, the user will be asked to enter the password twice; this is just to underscore how important it is that the password is entered correctly as there is no way to recover it when lost or forgotten.
Image - This is optional. The application will load this image to the server at registration and download it each time the user logs in to view her bookmarks. The image will be displayed along with the user's name.
Color scheme - The color scheme enables the user to set the background color of the application while using it. These settings can be changed through the user profile page. The application offers three colors, blue, red and yellow. Since you will have the source code of the program, you can either change these colors or add more colors so that the user can have more choice. Either way, the application is flexible enough to accommodate both scenarios.

Programmatically speaking the script does three things; first, it collects the required data from the user and processes it. Second it needs to insert this data into the database, which it does and finally it sends an email message containing the activation information to the user. Below is a screen of the script, followed by its code:

See Figure 1

The code for the script is very large and contains a mixture of PHP and HTML, so I will list the PHP section first and then the HTML. The entire code as listed here is contained in one script called register.php so copy and paste the code accordingly:

<?php
include "../connect.php";

if(isset($_POST['reg'])){
$msg="";

//validate the username
if(empty($_POST['uname'])){
$msg .="Please enter a user name. ";
}

if(!checkuname($_POST['uname'])){
$msg="Please enter a valid user name. ";
}

//now we check the email address
//check if the email address is empty
if(empty($_POST['email'])){
$msg .=" Please enter a email address. ";
}

//Next we check if the email address has a valid format
if(!checkEmail($_POST['email'])){
$msg="Please enter a valid email address. ";
}

//now we check the password
//first we check that both password fields are filled in
if(empty($_POST['pass1'])){
$msg .=" Please enter a password. ";
}

if(empty($_POST['pass2'])){
$msg .=" Please enter a valid confirmation password. ";
}

//now we check to see if the passwords match
if($_POST['pass1'] !== $_POST['pass2']){
$msg .=" Your password does not match the confirmation password please check and try again.";
}

/* SECTION 2: Data verification and insertion*/

if(empty($msg)){ //all data test have passed
//now we check to see if the email address entered by the user is unique
$email=mysql_real_escape_string($_POST['email']);

$sql = "SELECT email FROM users WHERE email = '".$email."'";
$res = mysql_query($sql);

if(mysql_num_rows($res) < 1){ // email address is not in database
//insert the user data
//first create the unique activation id

$actcode = md5(1);
$uname=mysql_real_escape_string($_POST['uname']);
$level="normal";
$upass=mysql_real_escape_string($_POST['pass1']);
$email=mysql_real_escape_string($_POST['email']);
//sortout the image/upload file
//check if the user uploaded a image
if(isset($_FILES['fn'])){
$fn = $_FILES['fn']['name'];
//now try to upload the filem
if(!move_uploaded_file($_FILES['fn']['tmp_name'],'../images/'.$_FILES['fn']['name'].'')){
switch($_FILES['fn']['error']){
case 1:
$msg .= "The file exceeds the upload max file size setting";
break;
case 2:
$msg .="The file exceeds the max file size setting";
break;
case 3:
$msg .="The file was only partially uploaded";
break;
case 4:
$msg .="No file was uploaded";
break;
}//end switch
}
}

if(isset($fn)){
$img = $fn;
}else{
$img = "No_img";
}

//set the bckgrnd color
$bgc = $_POST['select']; // default color of blue

$sql_ins="INSERT INTO users(uid,uname,upass,email,level,bgc,img,actcode) values

(5,'".$uname."','".md5($upass)."','".$email."','".$level."','".$bgc."','".$img."','".$actcode."')

";
$result = mysql_query($sql_ins);

/* SECTION 3: User Notification */
if(mysql_affected_rows() == 1){ // user data successfully inserted
$msg = "Your registration information has been processed. Please check your email for further

instructions";
//now we notify the user through email
$subject="Registration at The Online Bookmarks";

$emsg = "Thank you for registering with us. The next step is for you to activate your account.

To do this, simply click on the link below:\n\n";

$emsg .="http://localhost/personalization/activate.php?u=".mysql_insert_id().

"&a_code=".$actcode;
//now send the email
if(mail($email,$subject,$emsg)){

$msg= "A message has been sent to your email address. Please click on the link that is provided

to activate your account.";
}//mail send

}else{
$msg .=" The following MYSQL error occurred:".mysql_error()." ";
}

}else{
$msg = "Error with the email address provided ";
}
}//end err check
}//end submit check
?>

The PHP Code Explained

We start by including the database connection file. This file also contains a function, which we will use in this script. So let's take a brief look at it. The function is called checkuname() and is responsible for ensuring that the username that the user enters contains only letters and not anything else:

function checkuname($aname){

As you can see, we use regular expressions to match the user supplied user name to a pre determined pattern. The username should not be more than eight characters in length and should only contain letters. The eight character limitation is set by the {2,8} code and the letters only setting is implemented by the 'alpha' term in the code below:

if(!eregi('^[[:alpha:]\.\'\-]{2,8}$',$aname)){

The function then returns true or false depending on the outcome of the test:

return FALSE; }else{ return TRUE; } }

Continuing with the main PHP code, the next line of code checks to see if the form has been submitted. Notice that this time we use a hidden form field to determine if the form has been submitted instead of the submit button that is on the form:

if(isset($_POST['reg'])){ $msg="";

We also initialize a message variable called $msg. This variable will store all the messages that we will want the user to see, especially when errors occur or when we need to notify a user of any outcome of an operation. Some errors are very revealing and can cause a security vulnerability this is especially dangerous if you are going to use this application on the web. Therefore, it will be necessary to make alternative arrangements when displaying error messages. PHP offers some alternatives to simply outputting error messages (as we've done in this application). The most secure way to handle errors is to create your own error handler functions. You have two options when creating your own error handlers, you can either write the errors to file or send the errors off to an e-mail address. Below is some code to demonstrate the two methods:

To write to file:

To send the errors to an e-mail address:

You might not see it but the code is actually different. The main difference is where the error_log() function is called. The function uses two numbers; first, it uses the number three:

error_log($error, 3, 'error.log');

And then the number one:

error_log($error, 1, email);

The function itself has the following syntax:

error_log(message, type, destination');

As you've probably worked out by now, the number one tells PHP to send the error to an e-mail address and the number three tells PHP to write the error to a file. So now, you have alternatives to how you can handle form errors.

Once the form has been submitted, we need to start with the validation process. All information is required except for the image and color scheme information. However, we still have to validate them as well, just in case. Because the information is required, we need to check if the values are empty or not. We've implemented browser level checking using JavaScript but it is not secure enough, so we are double checking on the server side as well. After checking that the form values are not empty, we then type check them, to make sure that there are integers were there should be and string types where there should be string types. We also validate the e-mail address to make sure that it is valid, this is very important because it will be used to send e-mail messages to the user:

We require the user to confirm a password. We need to make sure that it is done correctly, so we check the two passwords and set an error message if they don't match:

Now if the data verification process went without a hitch we continue with registering the user. The second step is to insert the user information into the database. Before we do this, we need to make sure that the email address that is supplied by the user is unique. You can imagine the confusion it will cause if there are two users with the same email address! We run a query to check if any other email addresses exist with the same name:

/* SECTION 2: Data verification and insertion*/ if(empty($msg)){ //all data test have passed //now we check to see if the email address entered by the user is unique $email=mysql_real_escape_string($_POST['email']);

We build an SQL statement to do the matching and run the query:

$sql = "SELECT email FROM users WHERE email = '".$email."'"; $res = mysql_query($sql);

If no rows/records are returned, we know that the email address is not in the database so we continue to insert the user's details:

if(mysql_num_rows($res) < 1){ // email address is not in database

We then need to generate an activation code and clean the variables before inserting them in the database. We use the mysql_real_escape_string() function to ready the variables for use in with MYSQL:

Here we determine if the user uploaded an image, this is not required, but it has to be checked since there is a field in the database for it. Whenever you upload a file in PHP, its details are put in a FILES array. This array includes everything about the uploaded file including its name, size, location, etc.

[next]