<?php
// Users page: lists existing accounts and offers an "Add User" form.
//
// session_start() runs before the includes so the session cookie can still be
// sent even if header.inc.php / menu.inc.php emit output.
// NOTE(review): nothing on this page sets session cookie flags
// (httponly/secure) or regenerates the session id; that is assumed to live in
// config.inc.php / login.php — confirm.
session_start();
require_once 'config.inc.php';

$yaptc_pagename = 'Users';

require_once $yaptc_inc . 'header.inc.php';
require_once $yaptc_inc . 'menu.inc.php';
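// Is user logged in? If not, they shouldn't be here - kill all variables and redirect to login...
//
// The session is bound to the browser via md5(user_id . User-Agent). That only
// hinders the crudest cookie replay: the User-Agent is attacker-controlled and
// md5 is not a MAC, so it is no substitute for session_regenerate_id() at login.
// NOTE(review): this guard only proves that *some* account is logged in; it
// never checks usertype, so every authenticated user reaches the add-user form
// further down. Restrict this page to the administrative usertype once that id
// is known.
if (empty($_SESSION['loggedIn'])
    || !isset($_SESSION['user_id'], $_SESSION['signature'])
    // Strict comparison on purpose: with != two hex digests that both start
    // with "0e" followed by digits are treated as numeric and compare equal.
    || $_SESSION['signature'] !== md5($_SESSION['user_id'] . (isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '')))
{
    // The session was already started at the top of this file; the second
    // session_start() that used to sit here only produced a
    // "session already started" notice.
    session_unset();
    // session_destroy() does not remove the cookie, so expire it explicitly
    // and the stale id is not sent again on the next request.
    if (ini_get('session.use_cookies')) {
        $yaptc_cookie = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $yaptc_cookie['path'], $yaptc_cookie['domain'],
            $yaptc_cookie['secure'], $yaptc_cookie['httponly']);
    }
    session_destroy();
    // NOTE(review): header()/setcookie() only take effect if the includes
    // above have not already sent output; otherwise the redirect is lost and
    // only the notice below is shown. Confirm header.inc.php buffers output.
    header("Refresh:3; url=login.php", true, 303);
    echo "<h2 class=\"content-subhead\">You are not logged in!!!</h2>";
}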
else
{
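//********** BEGIN CONTENT **********//
//
// Listing of all users joined with their usertype name.
// Every cell comes from the database and is rendered into HTML, so each value
// is passed through htmlspecialchars(): firstname/lastname are free text, and
// the username filter used by the add-user form did not reliably exclude
// '<' and '>' (stored XSS otherwise).
// Note: the add-user handler runs after this listing, so an account created by
// the current request only shows up on the next page load.
echo "<h2 class=\"content-subhead\">System Users</h2>";
echo "<p>Editing to be added, for now, it doesn't exist</p>";

$result = $sql->prepare("SELECT users.id as userid, users.username as username, users.email as email, users.created as created, users.firstname as firstname, users.lastname as lastname, users.usertype as usertypeid, usertypes.typename as usertype
FROM yaptc.users
INNER JOIN usertypes ON users.usertype = usertypes.id
ORDER BY users.lastname ASC;");
// execute() returns false on failure when PDO is not in exception mode; say so
// instead of silently rendering an empty table.
if (!$result->execute()) {
    echo '<p class="error">Could not load the user list.</p>';
}

$yaptc_columns = array(
    'First Name' => 'firstname',
    'Last Name'  => 'lastname',
    'Username'   => 'username',
    'Email'      => 'email',
    'Created'    => 'created',
    'User Type'  => 'usertype',
);

echo '<table class="pure-table">';
echo '<thead><tr>';
foreach (array_keys($yaptc_columns) as $yaptc_heading) {
    echo '<th>' . $yaptc_heading . '</th>';
}
echo '</tr></thead>';
echo '<tbody>';
while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
    echo '<tr>';
    foreach ($yaptc_columns as $yaptc_col) {
        // (string) cast: a NULL column becomes '' exactly as string
        // concatenation did before, and keeps htmlspecialchars() happy.
        echo '<td>' . htmlspecialchars((string) $row[$yaptc_col], ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo '</tr>';
}
echo '</tbody>';
echo '</table>';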
// "Add User" section heading and instructions (the rules quoted here are the
// ones the handler below enforces).
echo "<h2 class=\"content-subhead\">Add User</h2>";
echo "<p>Use the following form to add users to the system. Passwords must be 8+ characters. Email must be filled out, and username must be unique.</p>";

// PasswordHash (phpass 0.3) does the password hashing for new accounts.
require_once $yaptc_lib . 'phpass-0.3/PasswordHash.php';
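/*
 * Add-user handler and form.
 *
 * Validation collects problems in $errors, keyed by field name; the form
 * below prints $errors['username'], ['email'], ['password'],
 * ['password_confirm'] and ['registration'], and the account is created only
 * when $errors is empty. The previous version only echoed its messages and
 * never populated $errors, so `empty($errors)` was always true and the INSERT
 * ran even when every check had failed.
 *
 * NOTE(review): the login guard at the top of this file checks that a user is
 * logged in, not which usertype they have, so any authenticated user can
 * create accounts here.
 */
$errors   = array();
$message  = null;
$username = '';
$email    = '';

// Per-session anti-CSRF token. The form sends it back in a hidden field and a
// POST is rejected unless it matches; a fresh token is issued after a
// successful insert. random_bytes() is PHP 7+, openssl is the fallback.
$yaptc_new_csrf_token = function () {
    $bytes = function_exists('random_bytes')
        ? random_bytes(32)
        : openssl_random_pseudo_bytes(32);
    return bin2hex($bytes);
};
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = $yaptc_new_csrf_token();
}

// Only accept scalar strings from the request: an array (name[]=...) would
// otherwise reach preg_match()/strlen() and the prepared statements, and a
// missing key would raise an undefined-index notice.
$yaptc_post_string = function ($key) {
    return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
};

if (!empty($_POST))
{
    $username        = $yaptc_post_string('username');
    $password        = $yaptc_post_string('password');
    $passwordConfirm = $yaptc_post_string('password_confirm');
    $rawEmail        = $yaptc_post_string('email');
    $csrfToken       = $yaptc_post_string('csrf_token');

    // hash_equals() (PHP >= 5.6) compares in constant time.
    if ($csrfToken === '' || !hash_equals($_SESSION['csrf_token'], $csrfToken)) {
        $errors['registration'] = "The form token is missing or invalid. Please reload the page and try again.";
    }

    if ($username === '') {
        $errors['username'] = "Username cannot be empty.";
    } elseif (preg_match('/[^a-zA-Z0-9 ._-]/', $username)) {
        // '-' is last so it is literal. The old class "[^a-zA-Z0-9 .-_]" read
        // ".-_" as the byte range 0x2E-0x5F, which admitted "/", ":", "<",
        // ">", "@" and the upper-case letters between them, so "<script>"
        // was a legal username.
        $errors['username'] = "Username contains illegal characters.";
    }

    if ($password === '') {
        $errors['password'] = "Password cannot be empty.";
    } elseif (strlen($password) < 8) {
        // strlen() counts bytes, so a short multibyte password can pass this
        // check; switch to mb_strlen() if the policy is meant per character.
        $errors['password'] = "Password must be at least 8 characters.";
    }

    // OPTIONAL
    // Force passwords to contain at least one number and one special character.
    /*
    if (!preg_match('/[0-9]/', $password)) {
        $errors['password'] = "Password must contain at least one number.";
    }
    if (!preg_match('/[\W]/', $password)) {
        $errors['password'] = "Password must contain at least one special character.";
    }
    */

    if ($passwordConfirm === '') {
        $errors['password_confirm'] = "Please confirm password.";
    } elseif ($password !== $passwordConfirm) {
        $errors['password_confirm'] = "Passwords do not match.";
    }

    $email = filter_var($rawEmail, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $email = '';
        $errors['email'] = "Not a valid email address.";
    }

    /**
     * Check that the username and email aren't already in our database.
     * Prepared statement, and only the two columns we compare.
     *
     * Skipped when the input is already known to be bad. This is a
     * check-then-insert: a concurrent request can still get between the
     * SELECT and the INSERT, so the users table needs UNIQUE constraints on
     * username and email as well.
     */
    if (empty($errors)) {
        $stmt = $sql->prepare("SELECT username, email
            FROM users
            WHERE username = :username OR email = :email");
        $queried = $stmt->execute(array(
            ':username' => $username,
            ':email'    => $email,
        ));
        if (!$queried) {
            // A failed lookup must not be mistaken for "no conflict".
            $errors['registration'] = "Account could not be created. Please try again later.";
        } else {
            // There may well be more than one point of failure, but all we
            // really need is the first one.
            $existing = $stmt->fetchObject();
            if ($existing) {
                if ($existing->username === $username) {
                    $errors['username'] = "That username is already in use.";
                } elseif ($existing->email === $email) {
                    $errors['email'] = "That email address is already in use.";
                } else {
                    // Matched under the database's collation (e.g. case-
                    // insensitively) without being byte-identical: still a
                    // conflict, and previously fell through unreported.
                    $errors['registration'] = "That username or email address is already in use.";
                }
            }
        }
    }
}

/**
 * If the form has been submitted and no errors were detected, we can proceed
 * to account creation.
 */
if (!empty($_POST) && empty($errors))
{
    // phpass with portable hashes off, cost 2^8. Note that bcrypt uses only
    // the first 72 bytes of the password.
    $hasher = new PasswordHash(8, false);
    $hash   = $hasher->HashPassword($password);

    // phpass returns a short "*"-style string when it cannot hash (no usable
    // CRYPT_BLOWFISH); that must never be stored as a password.
    if (strlen($hash) < 20) {
        $errors['registration'] = "Account could not be created. Please try again later.";
    } else {
        // The usertype is decided on the server. The old code took it from a
        // hidden <input name="usertype">, which any logged-in user could
        // rewrite to give the new account an arbitrary type. This is the one
        // value that hidden field ever carried.
        // TODO(review): let an administrator choose from usertypes once this
        // page is restricted to administrators.
        $usertype = '00000000001';

        $stmt = $sql->prepare("INSERT INTO users (username, password, email, created, usertype)
            VALUES (:username, :password, :email, NOW(), :usertype)");
        $success = $stmt->execute(array(
            ':username' => $username,
            ':password' => $hash,
            ':email'    => $email,      // the validated value, not the raw POST field
            ':usertype' => $usertype,
        ));
        if ($success) {
            $message = "Account created.";
            // Rotate the token so the same POST cannot simply be replayed,
            // and clear the sticky form values.
            $_SESSION['csrf_token'] = $yaptc_new_csrf_token();
            $username = '';
            $email    = '';
        } else {
            $errors['registration'] = "Account could not be created. Please try again later.";
        }
    }
}

// Everything rendered below is escaped for the HTML/attribute context.
// PHP_SELF is attacker-influenced (/users.php/"><script>...) and used to be
// echoed raw into the form action.
$yaptc_h = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
};
$yaptc_err = function ($key) use ($errors, $yaptc_h) {
    return isset($errors[$key]) ? $yaptc_h($errors[$key]) : '';
};
?>
<!-- This page has already emitted body content (the headings above), so the
     copy-pasted <!DOCTYPE>/<html>/<head>/<body> wrapper that used to sit here
     nested a second document inside the first and has been dropped. -->
<?php if (isset($message)) : ?>
<p class="success"><?php echo $yaptc_h($message); ?></p>
<?php endif; ?>
<?php if (isset($errors['registration'])) : ?>
<p class="error"><?php echo $yaptc_h($errors['registration']); ?></p>
<?php endif; ?>
<form action="<?php echo $yaptc_h($_SERVER['PHP_SELF']); ?>" method="post">
    <fieldset id="registration">
        <input type="hidden" name="csrf_token" value="<?php echo $yaptc_h($_SESSION['csrf_token']); ?>" />
        <label for="username">Username</label>
        <input type="text" id="username" name="username" value="<?php echo $yaptc_h($username); ?>" />
        <span class="error"><?php echo $yaptc_err('username'); ?></span><br />
        <label for="email">Email Address</label>
        <input type="text" id="email" name="email" value="<?php echo $yaptc_h($email); ?>" />
        <span class="error"><?php echo $yaptc_err('email'); ?></span><br />
        <label for="password">Password</label>
        <input type="password" id="password" name="password" autocomplete="new-password" />
        <span class="error"><?php echo $yaptc_err('password'); ?></span><br />
        <label for="password_confirm">Confirm Password</label>
        <input type="password" id="password_confirm" name="password_confirm" autocomplete="new-password" />
        <span class="error"><?php echo $yaptc_err('password_confirm'); ?></span><br />
        <!-- No usertype field: the type is assigned server-side, never taken from the client. -->
        <input type="submit" value="Submit" />
    </fieldset>
</form>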
<?php
} // end of the logged-in branch
//********** END CONTENT **********//

// The footer is included for both branches: the logged-in content above and
// the not-logged-in notice.
require_once $yaptc_inc . 'footer.inc.php';