This selection of PHP files will allow you to implement a "member's only" area in your web site, complete with recognizing re-entering members and new member form. Uses MySQL back-end.

By : woodys

Instructions:

- copy the following source code into their respective files (i.e. File #1 into my_const.h, etc.)

- run the queries thru MySQL to create the back-end database structure

- Drop the correct values into my_const.h

- Make sure that you have the following files/pages in your site:

"header.txt" and "footer.txt" - take a customized HTML template and cut it in half with the top half in header.txt and the bottom half in footer.txt.
"visitorarea.html" - this is where non-members are vectored.
"memberarea.html" - this is where the authenticated members are vectored.

- offer the following links in your site:

<a href=authenticate.php3>Click here to enter the members only area</a>
<a href=newmember.php3>Click here to enter a membership application</a>

- drop the following line into any member-area page (near the top of the file) that you want fully secure:

<? include("auth.h"); ?>

- if you have any questions regarding implementation or bug reports, email me at woodystanford@yahoo.com



****** CREATION QUERIES:

create database databasename;
create table users (userid int auto_increment primary key, username char(25) not null, password char(255) not null, companyname char(255) not null, contactname char(255) not null, email char(255) not null, baddress1 char(255) not null, baddress2 char(255) not null, bcity char(255) not null, bstate char(50) not null, bzip char(50) not null, saddress1 char(255) not null, saddress2 char(255) not null, scity char(255) not null, sstate char(25) not null, szip char(50) not null, tel char(255) not null, fax char(255) not null, active tinyint, ccname char(255) not null, cctype tinyint not null, ccnum char(255) not null, expdate char(255) not null, scountry char(255) not null, bcountry char(255) not null, discount decimal(5,4), needsvalidation tinyint not null, taxexempt tinyint not null, terms int not null);
create table sessions (sessionid int auto_increment primary key, userid int, ipaddress char(255) not null, created timestamp, returnpage char(255) not null);


SOURCE CODE:

***** File #1: my_const.h

<?

if ($g_databasename=="")
{

// ********** ENTER CONSTANTS HERE! **************

$g_databasename="databasename";
$g_dbuid="mysqlusername";
$g_dbpwd="mysqlpassword";

$g_uservalidator_email="youremail@address.com";

// ************************************************


//Helper functions
function mysql_escape_string($s)
{
$sl=strlen($s);

for ($a=0;$a<$sl;$a++)
{
$c=substr($s,$a,1);

switch(ord($c))
{
case 0:
$c = "\\0";
break;
case 10:
$c = "\\n";
break;
case 9:
$c = "\\t";
break;
case 13:
$c = "\\r";
break;
case 8:
$c = "\\b";
break;
case 39:
$c = "\\'";
break;
case 34:
$c = "\\\"";
break;
case 92:
$c = "\\\\";
break;
case 37:
$c = "\\%";
break;
case 95:
$c = "\\_";
break;
}

$s2.=$c;
}

return $s2;
}

}

?>


**** File #2: "newmember.php3"


<? include("header.txt"); ?>

<font face=arial>
<font size=5><b>New Member Profile</font></b><br>

To use this site to the fullest, you must enter in some basic information to establish your identity when you visit. Required fields are indicated with a <font color=red>*</font>. A username and password will be issued to you via email.<p>

<small>(If you have already received a username and password, and have forgotten it, please do not re-submit your information, but rather contact us at via <a href="mailto:<? echo($g_uservalidator_email); ?>">email</a>.)</small><p>

<form action=submitmember.php3 method=post>

<font color=blue><b>Personal Information</b></font><br>
<hr>
<table>
<tr><td><b>Company Name</td><Td><input type=text name=companyname size=50></td></tr>

<tr><td><b>Your Name (first, last)<font color=red>*</font></td><Td><input type=text name=contactname size=50></td></tr>

<tr><td><b>Email Address<font color=red>*</font></td><Td><input type=text name=email size=50></td></tr>

<tr><td valign=top><b>Billing Address<font color=red>*</font></td><Td><input type=text name=baddress1 size=50><br><input type=text name=baddress2 size=50><br><input type=text name=bcity size=25>, <input type=text name=bstate size=2> <input type=text name=bzip size=10><br><input type=text name=bcountry size=10 value="USA"></td></tr>

<tr><td valign=top><b>Shipping Address<font color=red>*</font></td><Td><input type=text name=saddress1 size=50><br><input type=text name=saddress2 size=50><br><input type=text name=scity size=25>, <input type=text name=sstate size=2> <input type=text name=szip size=10><br><input type=text name=scountry size=10 value="USA"></td></tr>

<tr><td><b>Contact Telephone</font></td><Td><input type=text name=tel size=30></td></tr>

<tr><td><b>FAX Telephone</font></td><Td><input type=text name=fax size=30></td></tr>

</table><hr><p>


I certify that the above information is correct. Please process this information an email me my username and password as soon as possible.<p>

<input type=submit value="Process Request">

</form>

<? include("footer.txt"); ?>



**** File #3: "submitmember.php3"


<?
include("header.txt");

include("my_const.h");

//connect to database
$con = mysql_connect(localhost,$g_dbuid,$g_dbpwd);

if ($con==NULL)
{
echo("301 Couldn't connect to MySQL\n\n");
exit(-1);
}

$db = mysql_select_db($g_databasename,$con);

$t="insert into users (companyname, contactname, email, baddress1, baddress2, bcity, bstate, bzip, saddress1, saddress2, scity, sstate, szip, tel, fax, active, bcountry, scountry, needsvalidation) values (\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",0,\"%s\",\"%s\",1)";
$sql=sprintf($t, mysql_escape_string($companyname), mysql_escape_string($contactname), mysql_escape_string($email), mysql_escape_string($baddress1), mysql_escape_string($baddress2), mysql_escape_string($bcity), mysql_escape_string($bstate), mysql_escape_string($bzip), mysql_escape_string($saddress1), mysql_escape_string($saddress2), mysql_escape_string($scity), mysql_escape_string($sstate), mysql_escape_string($szip), mysql_escape_string($tel), mysql_escape_string($fax), mysql_escape_string($bcountry), mysql_escape_string($scountry));

//insert user record into database (active OFF)

//debug
//echo($sql);
mysql_query($sql,$con);

//send email to user_validator to get them to validate new user.
$msg = sprintf("A new customer has submitted their information. Log into back-end database and authorize userid ".strval(mysql_insert_id($con)).". \n\nThis can be accomplished by setting the \"active\" field (in the table \"users\") to 1. \n\n IMPORTANT: You must also set their username and password and send it to their email address. The username must be unique, and both the username and password should be less than 15 alphanumeric characters. Their entered email address is ".$email."\n");
mail($g_uservalidator_email,"New Customer Submission - Validate",$msg);

//autoresponder to visitor
//******PHP4 ERROR: mail will crash the process HARD if the email address is bogus. Filter it! ******
mail($email,"Welcome to our Member Area!","Thank You for submiting your information. We'll be emailing you your username and password to enter the customer area of our site by the next business day.");
?>

<font face=arial>

<font color=blue>
<h1>Request Entered!</h1>
</font>

A representative should contact you shortly via email to give you your username and password.<p>

Thank you for your interest!<p>

<a href=visitorarea.html>Click here to return to the visitor area.</a>

<?

include("footer.txt");

?>


***** File # 4: "authenticate.php3"


<?

include("my_const.h");

//allow reentry without re-authentication

$con = mysql_connect(localhost,$g_dbuid,$g_dbpwd);

if ($con==NULL)
{
echo("301 Couldn't connect to MySQL\n\n");
exit(-1);
}

$db = mysql_select_db($g_databasename,$con);

$sql=sprintf("select userid from sessions where ipaddress=\"$REMOTE_ADDR\"",$con);
$res=mysql_query($sql,$con);

if (mysql_num_rows($res)!=0)
{
echo("<html><head><META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=memberarea.php3\"></head></html>");
}
else
{

include("header.txt");

?>

<font face=arial>
<font size=5><b>Are you an Existing Member?</b></font><br>

If you already have an account, please enter your username and password:<p>

<center>

<form action=authenticate2.php3 method=post>
<table border=1 cellpadding=3>
<tr><Td><b>UserName</b><td><input type=text name=uid size=15></td></tr>
<tr><Td><b>Password</b><td><input type=password name=pwd size=15></td></tr>
</table>
<br>
<input type=submit value="Enter Customer Area">

</center><p>

If you are not already a member, please fill out our <a href=newmember.php3>account request form</a>
. Click here to link to our <a href="visitorarea.html"> Visitor's area</a>...<p>

<?

include("footer.txt");

}

?>


FILE #5: "authenticate2.php3"

<html>

<?
include("my_const.h");

//authenticate vistor

$con = mysql_connect(localhost,$g_dbuid,$g_dbpwd);

if ($con==NULL)
{
echo("301 Couldn't connect to MySQL\n\n");
exit(-1);
}

$db = mysql_select_db($g_databasename,$con);

$sql=sprintf("select userid from users where username=\"%s\" and password=\"%s\" and active=1",mysql_escape_string($uid),mysql_escape_string($pwd));
$res=mysql_query($sql,$con);

if ((mysql_num_rows($res)!=0)&&($uid!=""))
{

$row=mysql_fetch_row($res);


//cleanup
$sql=sprintf("delete from sessions where ipaddress=\"%s\"",$REMOTE_ADDR);
mysql_query($sql,$con);

//make a new session
$sql=sprintf("insert into sessions (userid, ipaddress) values (%s,\"%s\")",$row[0],$REMOTE_ADDR);

mysql_query($sql,$con);

?>

<head>
<META HTTP-EQUIV="refresh" CONTENT="2;url=memberarea.php3">
</head>

<?
}
else
{
?>

<font face=arial>
<h1>Access Denied!</h1>
If you have reached this page in error, <a href="javascript:history.go(-1)">click here to try again.</a><br> If you do not have a username and password, <a href="newmember.html">click here to fill out an application.</a>

<?
}
mysql_free_result($res);
?>

</html>


***** FILE #6 : "auth.h"

<?

//authenticate vistor

if ($g_databasename=="")
{
include("my_const.h");
}

$con2 = mysql_connect(localhost,$g_dbuid,$g_dbpwd);

if ($con2==0)
{
echo("303 Problem connecting to MySQL\n");
exit(0);
}

$db2 = mysql_select_db($g_databasename,$con2);

$sql2=sprintf("select userid from sessions where ipaddress=\"%s\"",$REMOTE_ADDR);
$res2=mysql_query($sql2,$con2);

$nr=mysql_num_rows($res2);

mysql_free_result($res2);

if ($nr==0)
{
echo("<font face=arial><h1>Access Denied!</h1>\n");
echo("If you have reached this page in error, <a href=\"javascript:history.go(-1);\">click here to try again.</a><br> If you do not have a username and password, <a href=\"newcustomer.html\">click here to fill out an application.</a>\n");
exit();
}

?>

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

More User Management Code Articles
More By Codewalkers

blog comments powered by Disqus