Add User"; echo "
Use the following form to add users to the system. Passwords must be 8+ characters. Email must be filled out, and username must be unique.
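";
require_once($yaptc_lib . "phpass-0.3/PasswordHash.php");

/**
 * Form handler for the "Add User" page.
 *
 * Validates the submitted fields into $errors (field name => first message),
 * checks username/email uniqueness against the users table, and, when the
 * submission is clean, stores the account with a hashed password.
 * On success $message is set for the template; on a failed INSERT a notice
 * is echoed directly, as before.
 *
 * NOTE(review): no CSRF token is checked in this handler — confirm the
 * surrounding application does it, since this form creates accounts.
 */
$errors = [];

if (!empty($_POST)) {
    // Read each field once with a default so a missing key raises no notice.
    $username        = $_POST['username'] ?? '';
    $plainPassword   = $_POST['password'] ?? '';
    $passwordConfirm = $_POST['password_confirm'] ?? '';

    // elseif chains: report the first problem per field instead of letting a
    // later check overwrite an earlier, more specific message.
    if ($username === '') {
        $errors['username'] = "Username cannot be empty.";
    } elseif (preg_match('/[^a-zA-Z0-9 ._-]/', $username)) {
        // The hyphen must be last in the class: written as ".-_" it forms a
        // range from '.' to '_' that silently admits '/', ':', '<', '@', '\'
        // and other characters the message claims are illegal.
        $errors['username'] = "Username contains illegal characters.";
    }

    // strlen() is a byte count; a multibyte password can pass with fewer
    // than 8 characters. Kept to avoid requiring ext/mbstring.
    if ($plainPassword === '') {
        $errors['password'] = "Password cannot be empty.";
    } elseif (strlen($plainPassword) < 8) {
        $errors['password'] = "Password must be at least 8 characters.";
    }

    // OPTIONAL
    // Force passwords to contain at least one number and one special character.
    /*
    if (!preg_match('/[0-9]/', $plainPassword)) {
        $errors['password'] = "Password must contain at least one number.";
    }
    if (!preg_match('/[\W]/', $plainPassword)) {
        $errors['password'] = "Password must contain at least one special character.";
    }
    */

    if ($passwordConfirm === '') {
        $errors['password_confirm'] = "Please confirm password.";
    } elseif ($plainPassword !== $passwordConfirm) {
        // Strict comparison: "!=" treats numeric-looking strings loosely.
        $errors['password_confirm'] = "Passwords do not match.";
    }

    // filter_var() returns the (unmodified) address or false.
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = "Not a valid email address.";
    }

    /**
     * Check that the username and email aren't already in our database.
     * Bound parameters on a prepared statement — no manual escaping needed.
     * If you ever build the query string by hand instead, escape every
     * value before it reaches the query.
     *
     * Note also the absence of SELECT * — grab the columns you need,
     * nothing more.
     */
    $query = "SELECT username, email FROM users WHERE username = :username OR email = :email";
    $stmt = $sql->prepare($query);
    $stmt->execute([
        ':username' => $username,
        ':email'    => $email,
    ]);

    /**
     * There may well be more than one point of failure, but all we really
     * need is the first one: one conflicting row is enough to stop the insert.
     */
    $existing = $stmt->fetchObject();
    if ($existing) {
        if ($existing->username === $username) {
            $errors['username'] = "That username is already in use.";
        }
        if ($existing->email === $email) {
            $errors['email'] = "That email address is already in use.";
        }
        // The database matched the row (possibly under a case-insensitive
        // collation) but neither exact comparison above did; still block the
        // insert rather than let it fail on a unique-key violation.
        if (!isset($errors['username']) && !isset($errors['email'])) {
            $errors['username'] = "That username or email address is already in use.";
        }
    }
}

/**
 * If the form has been submitted and no errors were detected, we can proceed
 * to account creation.
 */
if (!empty($_POST) && empty($errors)) {
    /**
     * Hash password before storing in database.
     * phpass is kept because the project's login path (not visible here)
     * presumably verifies with the same library; password_hash() /
     * password_verify() are the native replacement if that path is updated.
     * $password holds the hash (same variable name as before for any
     * template that reads it).
     */
    $hasher = new PasswordHash(8, false);
    $password = $hasher->HashPassword($plainPassword);

    /**
     * I'm going to mention it again because it's important; if you aren't
     * using prepared statements, be sure to escape your data before passing
     * it to your query.
     *
     * NOTE(review): usertype is taken from the form as-is. This assumes the
     * page is reachable only by administrators — confirm, otherwise any
     * submitter can choose their own role.
     */
    $query = "INSERT INTO users (firstname, lastname, username, password, email, created, usertype) VALUES (:firstname, :lastname, :username, :password, :email, NOW(), :usertype)";
    $stmt = $sql->prepare($query);
    $success = $stmt->execute([
        ':firstname' => $_POST['firstname'] ?? null,
        ':lastname'  => $_POST['lastname'] ?? null,
        ':username'  => $username,
        ':password'  => $password,
        ':email'     => $email, // the validated value, not the raw field
        ':usertype'  => $_POST['usertype'] ?? null,
    ]);

    if ($success) {
        $message = "Account created.";
    } else {
        echo "Account could not be created. Please try again later.";
    }
}
?>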