/
register.php
125 lines (100 loc) · 4.59 KB
/
register.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
<?php
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
require 'generalFunctions.php';
$usernameErr = $emailErr = $totalFailure = "";
$username = $email = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$username = clean_input($_POST["username"]);
$email = clean_input($_POST["email"]);
$fail = false;
if (inputted_properly($username) and inputted_properly($email)) {
// Check if username is taken in the DB
// In the future, we should do this differently, since our current setup can be broken
// due to race conditions of 2 users trying to create the same name at the same time.
try {
$db = new PDO("sqlite:database/noiseFactionDatabase.db");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use prepared statements rather than $db->query()
// It makes the PDO automatically protect against SQL injection
$statement = $db->prepare("select * from Account where username = ?");
$result = $statement->execute(array($username));
if (!$result) {
// If result is false, something bad's happened.
throw new pdoDbException("Something's gone wrong with the prepared statement");
} else if ($statement->fetch() !== false) {
$usernameErr = "Sorry, that username is already taken.";
$fail = true;
}
$db = null;
} catch(PDOException $e) {
// For now, print out errors so we catch them early. In professional deployment,
// this should NEVER be done, since it can leak vital DB information.
// In the future, we'll need to read the exception and give the user an appropriate message.
echo 'Exception: '.$e->getMessage();
}
// Make sure the username only contains standard characters
if (!preg_match('/^[a-zA-Z0-9_]{1,60}$/', $username)) {
$usernameErr = "Sorry, your username can only contain letters, numbers, and underscores!";
$fail = true;
}
if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$emailErr = "Sorry, but this is an invalid email!";
$fail = true;
}
// If everything worked, then let's create an account!
if (!$fail) {
// When we use header, php turns the request into a GET and removes the POST variables
$_SESSION["register/username"] = $username;
$_SESSION["register/email"] = $email;
$_SESSION["register/password"] = $_POST["password1"];
header("Location: createAccount.php");
exit();
}
}else {
// Something must be empty
if (!inputted_properly($username)) {
$usernameErr = "Sorry, your username can't be empty!";
}
if (!inputted_properly($email)) {
$emailErr = "Sorry, your email can't be empty!";
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<?php include("head.html"); ?>
<script src="/js/registerPasswordsMatch.js"></script>
</head>
<body>
<?php include("header.php"); ?>
<?php include("noscript.html"); ?>
<div class="content-center">
<h3>Create a new account:</h3>
<form method="post" action="register.php">
What username do you want people to call you by?
<br>
Username: <input type="text" name="username" value="<?php echo $username?>">
<span class="error"><?php echo $usernameErr; ?></span>
<br><br>
Don't worry, we promise not to send you an email unless we absolutely have to!
<br>
Email: <input type="text" name="email" value="<?php echo $email ?>">
<span class="error"><?php echo $emailErr; ?></span>
<br><br>
The strongest passwords are long, memorable, and hard to guess!
<br>
Password: <input id="passwordEntry1" type="password" name="password1" onkeyup="passwordsMatch()">
<br>
Verify password: <input id="passwordEntry2" type="password" name="password2" onkeyup="passwordsMatch()">
<br>
<span id="passwordStatus"></span>
<br><br>
<input type="submit" id="submitButton" disabled = "true" name="submit" value="Create Account">
</form>
</div>
</body>
</html>