User Management Code

Implementing a "Members ONLY" area
By: Codewalkers
    2002-01-18

    This selection of PHP files lets you implement a "members only" area in your web site, complete with recognition of returning members and a new-member form. It uses a MySQL back-end.

    By : woodys

    Instructions:

    - copy the following source code into their respective files (i.e. File #1 into my_const.h, etc.)

    - run the queries through MySQL to create the back-end database structure

    - Drop the correct values into my_const.h

    - Make sure that you have the following files/pages in your site:

    "header.txt" and "footer.txt" - take a customized HTML template and cut it in half with the top half in header.txt and the bottom half in footer.txt.
    "visitorarea.html" - this is where non-members are vectored.
    "memberarea.html" - this is where the authenticated members are vectored.

    - offer the following links in your site:

    <a href=authenticate.php3>Click here to enter the members only area</a>
    <a href=newmember.php3>Click here to enter a membership application</a>

    - drop the following line into any member-area page (near the top of the file) that you want fully secure:

    <? include("auth.h"); ?>

    - if you have any questions regarding implementation or bug reports, email me at woodystanford@yahoo.com



    ****** CREATION QUERIES:

    create database databasename;
    create table users (userid int auto_increment primary key, username char(25) not null, password char(255) not null, companyname char(255) not null, contactname char(255) not null, email char(255) not null, baddress1 char(255) not null, baddress2 char(255) not null, bcity char(255) not null, bstate char(50) not null, bzip char(50) not null, saddress1 char(255) not null, saddress2 char(255) not null, scity char(255) not null, sstate char(25) not null, szip char(50) not null, tel char(255) not null, fax char(255) not null, active tinyint, ccname char(255) not null, cctype tinyint not null, ccnum char(255) not null, expdate char(255) not null, scountry char(255) not null, bcountry char(255) not null, discount decimal(5,4), needsvalidation tinyint not null, taxexempt tinyint not null, terms int not null);
    create table sessions (sessionid int auto_increment primary key, userid int, ipaddress char(255) not null, created timestamp, returnpage char(255) not null);


    SOURCE CODE:

    ***** File #1: my_const.h

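    <?

    // NOTE: unless the web server is configured to parse .h files as PHP, a direct
    // request for this file returns its source, database credentials included.
    // Keep it outside the document root or deny access to *.h.

    if ($g_databasename=="")
    {

        // ********** ENTER CONSTANTS HERE! **************

        $g_databasename="databasename";
        $g_dbuid="mysqlusername";
        $g_dbpwd="mysqlpassword";

        $g_uservalidator_email="youremail@address.com";

        // ************************************************


        //Helper functions

        // PHP 4.0.3 and later ship a built-in mysql_escape_string(); declare this
        // fallback only where the built-in is missing, otherwise PHP stops with a
        // "cannot redeclare" error.
        if (!function_exists("mysql_escape_string"))
        {
            function mysql_escape_string($s)
            {
                $s2="";   // result buffer, initialised so an empty input returns ""
                $sl=strlen($s);

                for ($a=0;$a<$sl;$a++)
                {
                    $c=substr($s,$a,1);

                    switch(ord($c))
                    {
                        case 0:
                            $c = "\\0";
                            break;
                        case 10:
                            $c = "\\n";
                            break;
                        case 9:
                            $c = "\\t";
                            break;
                        case 13:
                            $c = "\\r";
                            break;
                        case 8:
                            $c = "\\b";
                            break;
                        case 39:
                            $c = "\\'";
                            break;
                        case 34:
                            $c = "\\\"";
                            break;
                        case 92:
                            $c = "\\\\";
                            break;
                        // % and _ are not escaped: outside a LIKE pattern MySQL keeps
                        // the backslash, so "\_" would be stored and compared literally.
                    }

                    $s2.=$c;
                }

                return $s2;
            }
        }

    }

    ?>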


    **** File #2: "newmember.php3"


    <?
    include("my_const.h");   // defines $g_uservalidator_email used in the mailto: link below
    include("header.txt");
    ?>

    <font face=arial>
    <font size=5><b>New Member Profile</b></font><br>

    To use this site to the fullest, you must enter in some basic information to establish your identity when you visit. Required fields are indicated with a <font color=red>*</font>. A username and password will be issued to you via email.<p>

    <small>(If you have already received a username and password, and have forgotten it, please do not re-submit your information, but rather contact us via <a href="mailto:<? echo($g_uservalidator_email); ?>">email</a>.)</small><p>

    <form action=submitmember.php3 method=post>

    <font color=blue><b>Personal Information</b></font><br>
    <hr>
    <table>
    <tr><td><b>Company Name</b></td><td><input type=text name=companyname size=50></td></tr>

    <tr><td><b>Your Name (first, last)<font color=red>*</font></b></td><td><input type=text name=contactname size=50></td></tr>

    <tr><td><b>Email Address<font color=red>*</font></b></td><td><input type=text name=email size=50></td></tr>

    <tr><td valign=top><b>Billing Address<font color=red>*</font></b></td><td><input type=text name=baddress1 size=50><br><input type=text name=baddress2 size=50><br><input type=text name=bcity size=25>, <input type=text name=bstate size=2> <input type=text name=bzip size=10><br><input type=text name=bcountry size=10 value="USA"></td></tr>

    <tr><td valign=top><b>Shipping Address<font color=red>*</font></b></td><td><input type=text name=saddress1 size=50><br><input type=text name=saddress2 size=50><br><input type=text name=scity size=25>, <input type=text name=sstate size=2> <input type=text name=szip size=10><br><input type=text name=scountry size=10 value="USA"></td></tr>

    <tr><td><b>Contact Telephone</b></td><td><input type=text name=tel size=30></td></tr>

    <tr><td><b>FAX Telephone</b></td><td><input type=text name=fax size=30></td></tr>

    </table><hr><p>


    I certify that the above information is correct. Please process this information and email me my username and password as soon as possible.<p>

    <input type=submit value="Process Request">

    </form>

    <? include("footer.txt"); ?>



    **** File #3: "submitmember.php3"


    <?
    include("header.txt");

    include("my_const.h");

    //connect to database
    $con = mysql_connect("localhost",$g_dbuid,$g_dbpwd);

    if ($con==NULL)
    {
    echo("301 Couldn't connect to MySQL\n\n");
    exit(-1);
    }

    $db = mysql_select_db($g_databasename,$con);

    $t="insert into users (companyname, contactname, email, baddress1, baddress2, bcity, bstate, bzip, saddress1, saddress2, scity, sstate, szip, tel, fax, active, bcountry, scountry, needsvalidation) values (\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",0,\"%s\",\"%s\",1)";
    $sql=sprintf($t, mysql_escape_string($companyname), mysql_escape_string($contactname), mysql_escape_string($email), mysql_escape_string($baddress1), mysql_escape_string($baddress2), mysql_escape_string($bcity), mysql_escape_string($bstate), mysql_escape_string($bzip), mysql_escape_string($saddress1), mysql_escape_string($saddress2), mysql_escape_string($scity), mysql_escape_string($sstate), mysql_escape_string($szip), mysql_escape_string($tel), mysql_escape_string($fax), mysql_escape_string($bcountry), mysql_escape_string($scountry));

    //insert user record into database (active OFF)

    //debug
    //echo($sql);
    mysql_query($sql,$con);

    //send email to user_validator to get them to validate new user.
    //plain concatenation: the visitor-supplied address must not pass through sprintf() as part of the format string
    $msg = "A new customer has submitted their information. Log into back-end database and authorize userid ".strval(mysql_insert_id($con)).". \n\nThis can be accomplished by setting the \"active\" field (in the table \"users\") to 1. \n\n IMPORTANT: You must also set their username and password and send it to their email address. The username must be unique, and both the username and password should be less than 15 alphanumeric characters. Their entered email address is ".$email."\n";
    mail($g_uservalidator_email,"New Customer Submission - Validate",$msg);

    //autoresponder to visitor
    //******PHP4 ERROR: mail will crash the process HARD if the email address is bogus. Filter it! ******
    mail($email,"Welcome to our Member Area!","Thank You for submitting your information. We'll be emailing you your username and password to enter the customer area of our site by the next business day.");
    ?>

    <font face=arial>

    <font color=blue>
    <h1>Request Entered!</h1>
    </font>

    A representative should contact you shortly via email to give you your username and password.<p>

    Thank you for your interest!<p>

    <a href=visitorarea.html>Click here to return to the visitor area.</a>

    <?

    include("footer.txt");

    ?>


    ***** File #4: "authenticate.php3"


    <?

    include("my_const.h");

    //allow reentry without re-authentication

    $con = mysql_connect("localhost",$g_dbuid,$g_dbpwd);

    if ($con==NULL)
    {
    echo("301 Couldn't connect to MySQL\n\n");
    exit(-1);
    }

    $db = mysql_select_db($g_databasename,$con);

    $sql=sprintf("select userid from sessions where ipaddress=\"%s\"",$REMOTE_ADDR);
    $res=mysql_query($sql,$con);

    if (mysql_num_rows($res)!=0)
    {
    echo("<html><head><META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=memberarea.php3\"></head></html>");
    }
    else
    {

    include("header.txt");

    ?>

    <font face=arial>
    <font size=5><b>Are you an Existing Member?</b></font><br>

    If you already have an account, please enter your username and password:<p>

    <center>

    <form action=authenticate2.php3 method=post>
    <table border=1 cellpadding=3>
    <tr><Td><b>UserName</b><td><input type=text name=uid size=15></td></tr>
    <tr><Td><b>Password</b><td><input type=password name=pwd size=15></td></tr>
    </table>
    <br>
    <input type=submit value="Enter Customer Area">
    </form>

    </center><p>

    If you are not already a member, please fill out our <a href=newmember.php3>account request form</a>
    . Click here to link to our <a href="visitorarea.html"> Visitor's area</a>...<p>

    <?

    include("footer.txt");

    }

    ?>


    ***** File #5: "authenticate2.php3"

    <html>

    <?
    include("my_const.h");

    //authenticate visitor

    $con = mysql_connect("localhost",$g_dbuid,$g_dbpwd);

    if ($con==NULL)
    {
    echo("301 Couldn't connect to MySQL\n\n");
    exit(-1);
    }

    $db = mysql_select_db($g_databasename,$con);

    $sql=sprintf("select userid from users where username=\"%s\" and password=\"%s\" and active=1",mysql_escape_string($uid),mysql_escape_string($pwd));
    $res=mysql_query($sql,$con);

    if ((mysql_num_rows($res)!=0)&&($uid!=""))
    {

    $row=mysql_fetch_row($res);


    //cleanup
    $sql=sprintf("delete from sessions where ipaddress=\"%s\"",$REMOTE_ADDR);
    mysql_query($sql,$con);

    //make a new session
    $sql=sprintf("insert into sessions (userid, ipaddress) values (%s,\"%s\")",$row[0],$REMOTE_ADDR);

    mysql_query($sql,$con);

    ?>

    <head>
    <META HTTP-EQUIV="refresh" CONTENT="2;url=memberarea.php3">
    </head>

    <?
    }
    else
    {
    ?>

    <font face=arial>
    <h1>Access Denied!</h1>
    If you have reached this page in error, <a href="javascript:history.go(-1)">click here to try again.</a><br> If you do not have a username and password, <a href="newmember.php3">click here to fill out an application.</a>

    <?
    }
    mysql_free_result($res);
    ?>

    </html>


    ***** File #6: "auth.h"

    <?

    //authenticate visitor

    if ($g_databasename=="")
    {
        include("my_const.h");
    }

    $con2 = mysql_connect("localhost",$g_dbuid,$g_dbpwd);

    if ($con2==0)
    {
    echo("303 Problem connecting to MySQL\n");
    exit(0);
    }

    $db2 = mysql_select_db($g_databasename,$con2);

    $sql2=sprintf("select userid from sessions where ipaddress=\"%s\"",$REMOTE_ADDR);
    $res2=mysql_query($sql2,$con2);

    $nr=mysql_num_rows($res2);

    mysql_free_result($res2);

    if ($nr==0)
    {
    echo("<font face=arial><h1>Access Denied!</h1>\n");
    echo("If you have reached this page in error, <a href=\"javascript:history.go(-1);\">click here to try again.</a><br> If you do not have a username and password, <a href=\"newmember.php3\">click here to fill out an application.</a>\n");
    exit();
    }

    ?>
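
The session check in auth.h keys on the visitor's IP address alone, so every browser behind the same NAT gateway or proxy passes it, session rows are only replaced on the next login from that address, and authenticate2.php3 compares the submitted password with the stored column directly. The following is an added example, not part of the original files, of the same login and session-check flow using a random per-browser token with an expiry, hashed passwords and prepared statements. It assumes PHP 7.3+ with pdo_sqlite (an in-memory SQLite database stands in for MySQL); the function names, the token_hash column and SESSION_TTL are hypothetical.

```php
<?php
// Added example, not part of the original files. Assumes PHP 7.3+ with pdo_sqlite;
// an in-memory SQLite database stands in for the MySQL back-end.
declare(strict_types=1);

const SESSION_TTL = 1800; // hypothetical session lifetime in seconds

function make_schema(PDO $db): void {
    $db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT UNIQUE,
               password TEXT NOT NULL, active INTEGER NOT NULL)');
    // token_hash (hypothetical column) replaces ipaddress as the session key
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY,
               userid INTEGER NOT NULL, created INTEGER NOT NULL)');
}

// Stands in for the username/password SELECT in authenticate2.php3.
function verify_login(PDO $db, string $uid, string $pwd): ?int {
    $st = $db->prepare('SELECT userid, password FROM users WHERE username = ? AND active = 1');
    $st->execute([$uid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // The password column holds a password_hash() value, never the plaintext.
    if ($row === false || !password_verify($pwd, $row['password'])) {
        return null;
    }
    return (int)$row['userid'];
}

// Stands in for "insert into sessions": returns the token to place in a cookie.
function open_session(PDO $db, int $userid, int $now): string {
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is stored, so a leaked table yields no usable cookie.
    $st = $db->prepare('INSERT INTO sessions (token_hash, userid, created) VALUES (?, ?, ?)');
    $st->execute([hash('sha256', $token), $userid, $now]);
    return $token;
}

// Stands in for the ipaddress lookup in auth.h: the userid, or null to deny.
function check_session(PDO $db, string $token, int $now): ?int {
    $db->prepare('DELETE FROM sessions WHERE created < ?')->execute([$now - SESSION_TTL]);
    $st = $db->prepare('SELECT userid FROM sessions WHERE token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $userid = $st->fetchColumn();
    return $userid === false ? null : (int)$userid;
}

// Constructed demo data and calls.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
make_schema($db);
$db->prepare('INSERT INTO users (username, password, active) VALUES (?, ?, 1)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$now = time();
var_dump(verify_login($db, 'alice', 'wrong guess'));            // wrong password
$userid = verify_login($db, 'alice', 'correct horse');          // correct password
$token = open_session($db, $userid, $now);
// In a real response the token goes out as a cookie:
// setcookie('sid', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(check_session($db, $token, $now + 60));                // token presented
var_dump(check_session($db, str_repeat('0', 64), $now + 60));   // no valid token
var_dump(check_session($db, $token, $now + SESSION_TTL + 1));   // token past its lifetime
```
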
    © 2003-2010 by Developer Shed. All rights reserved. DS Cluster 5 Hosted by Hostway