
My question isn't related to a problem (per se). I wrote what I believe to be a solid beginning for a register.php. Everything works as I expect, but I wanted opinions on what I should/could do better on the PHP end of things. The HTML is all representational.

 

bin/templates/signup.html

<html>
<head>
		<title>sign-up form</title>
</head>
<body>
<form action="register.php" method="post">
	username:     <input class="r" type="text"     name="user"    value=""><br>
	email:        <input class="r" type="text"     name="email"   value=""><br>
	password:     <input class="r" type="password" name="pass"    value=""><br>
	confirm:      <input class="r" type="password" name="vpass"   value=""><br>
	My favorite?: <input class="r" type="text"     name="squest"  value=""><br>
	<input type="Submit">
</form>
<p></p>
</body>
</html>

 

bin/templates/success.html

<html>
<head>
		<title>success</title>
</head>
<body>
<p></p>
</body>
</html>

 

bin/dom.php

<?php
include('simple_html_dom.php');

//find form fields based on a common class and build a blank array position for each one
function find_form_fields($status, $form)
{
	//object oriented simple dom
	$html = new simple_html_dom();
	$html->load_file($form);

	//start from an empty array so a template with no matching inputs still returns an array (the original left $arr undefined in that case)
	$arr = array();

	//build blank array positions
	foreach ($html->find('input') as $element)
	{
		if ($element->class == $status)
		{
			$arr[$element->name] = null;
		}
	}
	return $arr;
}

//get a template .html and customize it to display the proper data
function get_template($temp, $tag, $msg, $data)
{
	//object oriented simple dom
	$html = new simple_html_dom();
	$html->load_file($temp);

	//find template tag and set the message
	//$msg is script-generated markup (it carries <br> tags) and must never be raw user input
	$e = $html->find($tag, 0);
	$e->innertext = $msg;

	//place user input back into fields if this was an error
	//each value is user-supplied and is being written into an HTML attribute, so it is escaped here;
	//simple_html_dom does not escape attribute values itself, and without this a submitted value
	//containing a quote would break out of the value="" attribute (reflected XSS)
	if (!empty($data))
	{
		foreach ($html->find('input') as $element)
		{
			if (isset($data[$element->name]))
			{
				$element->value = htmlspecialchars($data[$element->name], ENT_QUOTES, 'UTF-8');
			}
		}
	}

	//save the new html as a string and return it
	return $html->save();
}

 

bin/validation.php

<?php
function validate($data)
{
	//set-up error messages
	$f_set_error = $p_match_error = $e_valid_error = $p_valid_error = $u_valid_error = $s_valid_error = '';

	//validate important fields
	foreach ($data as $key => $value)
	{
		//are there any blank form fields? null means the field was missing from POST, '' means it was left empty
		//(the original tested !isset($key), which can never be true for a foreach key)
		if ($value === null || $value === '')
		{
			$f_set_error = "you need to fill out the entire form <br>";
		}

		//check username for punctuation
		else if ($key == 'user')
		{
			//is username alpha numeric only?
			if (!preg_match('/^[a-zA-Z0-9]+$/', $value))
			{
				$u_valid_error = "your username contains invalid characters, only alpha-numeric characters are allowed <br>";
			}
		}

		//check password for multiple errors
		else if ($key == 'pass')
		{
			//do the password and confirmation password match?
			//the call to isset($data['vpass']) is in the hopes that this can be reused for any form, i.e. ones that don't require password confirmation.
			if (isset($data['vpass']) && $value !== $data['vpass'])
			{
				$p_match_error = "your passwords do not match <br>";
			}

			//is pass less than 8 characters or non alpha numeric?
			if (strlen($value) < 8 || !preg_match('/^[a-zA-Z0-9]+$/', $value))
			{
				$p_valid_error = "your password must be no less than 8 alpha-numeric characters <br>";
			}
		}

		//is the email valid?
		//filter_var is anchored to the whole string; the original regex was unanchored, so an address
		//followed by arbitrary trailing characters still passed
		else if ($key == 'email')
		{
			if (filter_var($value, FILTER_VALIDATE_EMAIL) === false)
			{
				$e_valid_error = "your email has invalid syntax <br>";
			}
		}

		//is the security question valid?
		else if ($key == 'squest')
		{
			if (!preg_match('/^[a-zA-Z0-9]+$/', $value))
			{
				$s_valid_error = "only alpha-numeric characters are allowed within your security answer <br>";
			}
		}
	}
	$result = $f_set_error . $p_match_error . $u_valid_error . $p_valid_error . $e_valid_error . $s_valid_error;
	return $result;
}

 

register.php

<?php
require_once('bin/config.php');
require_once('bin/dom.php');

//capture the time and ip address
include('bin/time_n_ip.php');

//start off ready to go and change it if we encounter errors
$go = true;

//set-up error messages
$errors = $exists_error = '';

//set-up template files. these are html templates of the actual pages that are further manipulated with dom.php. dom.php is an 'extension' of simple_html_dom.php
$temp = 'bin/templates/signup.html';
$succ = 'bin/templates/success.html';

//create an array with a position for each of our required fields
$data = find_form_fields('r', $temp);

//assign each required field its relative POST value. $count is used later in the script to determine if this is a "new" visit or an error
//the values are kept raw: they reach the database only through bound parameters below and reach the page only
//through htmlspecialchars() in get_template(). the original escaped them with mysql_real_escape_string() before
//any connection existed, which fails (returns false) and, even when it works, is the wrong layer for escaping.
$count = 0;
foreach ($data as $key => $value)
{
	if (isset($_POST[$key]))
	{
		$data[$key] = $_POST[$key];
		$count++;
	}

	//if there is nothing to assign make this array index null so error checking can catch it
	else
	{
		$data[$key] = null;
	}
}

include_once('bin/validation.php');

//validate all required fields for improper characters and/or missing data
$validate = validate($data);

//if this string has a length then there are error messages, which means there are errors.
if (strlen($validate) > 0)
{
	$go = false;
}

if ($go)
{
	extract($data); //convert $data to individual vars - this just makes it much easier/cleaner to manipulate the values.

	//make a connection (config.php is assumed to provide $host, $username, $password and $database)
	$db = new PDO("mysql:host=$host;dbname=$database;charset=utf8", $username, $password);
	$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

	//search the database for an identical existing username or email
	//bound parameters keep the user input out of the SQL text, so no string escaping is needed
	$stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE user = ? OR email = ?");
	$stmt->execute(array($user, $email));
	$rows = (int) $stmt->fetchColumn();

	//if there is no identical existing name or email create this account
	if ($rows == 0)
	{
		//hash sensitive data. these are one-way hashes, not encryption: the originals are never recoverable, only comparable
		$pass   = password_hash($pass, PASSWORD_DEFAULT);   //salted, slow hash; checked later with password_verify()   !ATTN: password recovery will be based on a change system
		$ip     = md5($ip);                                 //unsalted md5 of a tiny value space: comparable, but trivially brute-forced, so it hides nothing   !ATTN: resolving an ip will be done with a comparison system
		$squest = password_hash($squest, PASSWORD_DEFAULT); //the security answer is a second password, so it gets the same treatment   !ATTN: resolving security question will be done with a comparison system

		//create the account (column order is whatever the users table defines, as in the original positional INSERT)
		$stmt = $db->prepare("INSERT INTO users VALUES ('', ?, ?, ?, ?, ?, ?)");
		$stmt->execute(array($user, $pass, $squest, $email, $ip, $time));

		//send the user to the success page
		print get_template($succ, "p", 'you have signed up successfully', null);
	}

	//if there is an identical account, log the error.
	else
	{
		$go = false;
		$exists_error = "that name and/or email has already been taken <br>";
	}

	//end the transmission
	$db = null;
}

//if there was an error in the form or if this is a first visit (count=0) display the form and any errors (if applicable).
if (!$go)
{
	if ($count > 0)
	{
		//create a string that describes all the errors
		$errors = $exists_error . $validate;
	}

	//send the user to a fresh register page or a register page with logged errors (depending on count).
	print get_template($temp, "p", $errors, $data);
}
?>

 

I didn't post the simple_html_dom.php class for obvious reasons. I also didn't post the config or time_n_ip.php because they do what they say they do. The above is the meat and potatoes. Am I on the right track? I really don't know what I'm doing; I primarily program in AS3.

 

Michael

https://forums.phpfreaks.com/topic/243086-am-i-doing-this-right/
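The ATTN comments in register.php plan to resolve the password and the security answer "with a comparison system". As an added example (not the poster's code), this is what that comparison looks like against password_hash() values: it assumes the users table has columns named user, pass and squest (the INSERT is positional, so the names are an assumption) and a PDO handle $db built as in register.php.

```php
<?php
//fetch the stored hashes for one username; returns null when the user does not exist
function fetch_credentials(PDO $db, $user)
{
	//assumed column names: user, pass, squest
	$stmt = $db->prepare("SELECT pass, squest FROM users WHERE user = ? LIMIT 1");
	$stmt->execute(array($user));
	$row = $stmt->fetch(PDO::FETCH_ASSOC);
	return $row === false ? null : $row;
}

//check a login attempt. a hash verification runs even for an unknown user, so the
//response time does not reveal whether the username exists
function check_login(PDO $db, $user, $pass)
{
	$row = fetch_credentials($db, $user);
	//constructed dummy hash that keeps the cost the same when the user is unknown
	$hash = $row !== null ? $row['pass'] : password_hash('dummy-placeholder', PASSWORD_DEFAULT);
	$ok = password_verify($pass, $hash); //constant-time compare against the stored salted hash
	return $row !== null && $ok;
}

//check the security answer the same way. a match only lets the caller proceed to the
//password change flow the ATTN comment describes; the stored password is never recovered
function check_security_answer(PDO $db, $user, $answer)
{
	$row = fetch_credentials($db, $user);
	if ($row === null)
	{
		return false;
	}
	return password_verify($answer, $row['squest']);
}
```

Both functions return a plain true/false, so the calling page can show one generic "invalid login" message rather than saying which of the username, password or answer was wrong.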
