If the user is new to the site, and wants to sign up,
you can add a link to a "sign up" page. Open up
your signup.php page, and you'll see some code
already there. We'll now walk you through what it
all does.
When you open up the code for the signup.php
page, you'll see quite a lot of it is code that you've
already met. It starts with the function that checks
for dangerous SQL characters. Then we check that
the form has been POSTED. The next lines are
these:
$uname = $_POST['username'];
$pword = $_POST['password'];
$uname = htmlspecialchars($uname);
$pword = htmlspecialchars($pword);
We're just getting the username and password
from the form, like we did before, and then
running them through htmlspecialchars() so that
any tags are converted to harmless HTML entities.
The next thing you need to do, though, is test that
the username and password are of the correct
length. You don't want a malicious user trying to
inject megabytes of text!
// Start with a blank message so that errors can be added to it
$errorMessage = "";
$uLength = strlen($uname);
$pLength = strlen($pword);
if ($uLength >= 10 && $uLength <= 20) {
// Username length is ok: leave $errorMessage alone
}
else {
$errorMessage = $errorMessage . "Username must be between 10 and 20 characters" . "<BR>";
}
if ($pLength >= 8 && $pLength <= 16) {
// Password length is ok: leave $errorMessage alone,
// so a username error set above is not wiped out
}
else {
$errorMessage = $errorMessage . "Password must be between 8 and 16 characters" . "<BR>";
}
What we're doing here is using the inbuilt function
strlen() to get the length of each string. We then
use if ... else statements to check that the
username and password are between certain
values. The variable called $errorMessage starts
out blank. If a value is ok, $errorMessage is left
as it is. If it is not ok, we add some text for the
error message.
Before checking the username and password
against the database, we can check to see if the
error message is blank:
if ($errorMessage == "") {
}
If it's blank, then everything is ok. In which case
the rest of the code is executed. If it's not OK, then
the user will see the text of the error message
displayed.
Inside of the if statement for the error message
check, we just set up the database code like we did
before:
$user_name = "root";
$pass_word = "";
$database = "login";
$server = "127.0.0.1";
$db_handle = mysql_connect($server, $user_name, $pass_word);
$db_found = mysql_select_db($database, $db_handle);
if ($db_found) {
}
We're just checking that the database can be
found. If it is, then we need to check if the
username has already been taken:
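// Escape the username and wrap it in quotes so it is treated as a value
$SQL = "SELECT * FROM login WHERE L1 = '" . mysql_real_escape_string($uname, $db_handle) . "'";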
$result = mysql_query($SQL);
$num_rows = mysql_num_rows($result);
if ($num_rows > 0) {
$errorMessage = "Username already taken";
}
else {
}
The code attempts to select all the records from
the table where a match with the username is
found. (L1 is the name of the username field in the
table.) If any records are returned, then the
variable called $num_rows will be greater than
zero. We check the value of $num_rows in an if ...
else statement.
If the username has already been taken, then we
can add something to the error message variable.
(But there are security considerations to bear in
mind here. Do you really want to tell a malicious
user that a username has already been taken? If
it's for a forum, then it's ok: the malicious user
can simply read usernames from forum posts. But
in that case, perhaps we shouldn't be using a
username to log people in?)
If the value in the variable $num_rows is still zero,
then we can go ahead and add the user to the
database:
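// Escape both values and wrap them in quotes before building the query
$SQL = "INSERT INTO login (L1, L2) VALUES ('" . mysql_real_escape_string($uname, $db_handle) . "', '" . mysql_real_escape_string($pword, $db_handle) . "')";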
$result = mysql_query($SQL);
mysql_close($db_handle);
Here, we use the SQL command INSERT INTO to
add a new record to the database.
After the user has been added to the database, we
can then set the session variable:
session_start();
$_SESSION['login'] = "1";
The session variable called login will be set to 1.
This means that the user can then start using the
site straight away. In fact, we redirect them to a
different page on the site:
header ("Location: page1.php");
Our new user is now a member!
Note: that's not a complete signup script.
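A hardened version of the signup steps walked through above, as an added example that is not part of the original tutorial: it keeps the same length rules and the login table with its L1 and L2 fields, but uses PDO prepared statements and password_hash(), so the username never becomes part of the SQL text and the password is not stored in the clear. The function name signup_user() and the in-memory SQLite database standing in for the MySQL login database are assumptions made so the example runs on its own.

```php
<?php
// Added example, not the tutorial's code. Assumptions: the PDO SQLite driver
// is installed, and an in-memory database stands in for the MySQL "login"
// database. signup_user() is a hypothetical helper name.

function signup_user(PDO $db, string $uname, string $pword): array
{
    $errors = [];   // collect every problem instead of overwriting earlier ones
    $uLength = strlen($uname);
    $pLength = strlen($pword);
    if ($uLength < 10 || $uLength > 20) {
        $errors[] = "Username must be between 10 and 20 characters";
    }
    if ($pLength < 8 || $pLength > 16) {
        $errors[] = "Password must be between 8 and 16 characters";
    }
    if ($errors) {
        return $errors;   // do not touch the database with invalid input
    }

    // Placeholders send the username separately from the SQL text.
    $check = $db->prepare("SELECT COUNT(*) FROM login WHERE L1 = ?");
    $check->execute([$uname]);
    if ((int) $check->fetchColumn() > 0) {
        return ["Username already taken"];
    }

    // Store a salted hash, never the password itself. In MySQL the L2
    // column must be wide enough for the hash, e.g. VARCHAR(255).
    $insert = $db->prepare("INSERT INTO login (L1, L2) VALUES (?, ?)");
    $insert->execute([$uname, password_hash($pword, PASSWORD_DEFAULT)]);
    return [];
}

// Constructed sample data, run against a throwaway database.
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE login (L1 TEXT UNIQUE, L2 TEXT)");

var_dump(signup_user($db, "bob", "pw"));                      // too-short username and password
var_dump(signup_user($db, "alice_smith", "correct-horse"));   // valid new user
var_dump(signup_user($db, "alice_smith", "another-pass"));    // same username again
var_dump(signup_user($db, "o'brien_family", "correct-horse")); // apostrophe is bound as data
```

At login time, a stored hash is checked with password_verify() rather than by comparing strings in the SQL query.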