482 Chapter 24 Building User Authentication and Personalization

Figure 24.4 The registration form retrieves the details we need for the database. We get users to type their passwords twice, in case they make a mistake.

Listing 24.6 register_new.php—This Script Validates the New User’s Data and Puts It in the Database

<?php
// include function files for this application
require_once('bookmark_fns.php');

// create short variable names
// ($HTTP_POST_VARS is the old name for $_POST; it was removed in PHP 5.4)
$email = $HTTP_POST_VARS['email'];
$username = $HTTP_POST_VARS['username'];
$passwd = $HTTP_POST_VARS['passwd'];
$passwd2 = $HTTP_POST_VARS['passwd2'];

// start session which may be needed later
// start it now because it must go before headers
session_start();

// check forms filled in
if (!filled_out($HTTP_POST_VARS))
{
  do_html_header('Problem:');
  echo 'You have not filled the form out correctly - please go back'
       .' and try again.';
  do_html_footer();
  exit;
}

// email address not valid
if (!valid_email($email))
{
  do_html_header('Problem:');
  echo 'That is not a valid email address. Please go back '
       .' and try again.';
  do_html_footer();
  exit;
}

// passwords not the same
if ($passwd != $passwd2)
{
  do_html_header('Problem:');
  echo 'The passwords you entered do not match - please go back'
       .' and try again.';
  do_html_footer();
  exit;
}

// check password length is ok
// ok if username truncates, but passwords will get
// munged if they are too long.
if (strlen($passwd) < 6 || strlen($passwd) > 16)
{
  do_html_header('Problem:');
  echo 'Your password must be between 6 and 16 characters. '
       .'Please go back and try again.';
  do_html_footer();
  exit;
}

// attempt to register
$reg_result = register($username, $email, $passwd);
if ($reg_result === true)
{
  // register session variable
  $HTTP_SESSION_VARS['valid_user'] = $username;

  // provide link to members page
  do_html_header('Registration successful');
  echo 'Your registration was successful. Go to the members page '
       .'to start setting up your bookmarks!';
  do_html_url('member.php', 'Go to members page');
}
else
{
  // otherwise provide link back, tell them to try again
  do_html_header('Problem:');
  echo $reg_result;
  do_html_footer();
  exit;
}

// end page
do_html_footer();
?>

This is the first script with any complexity to it that we have looked at in this application. The script begins by including the application’s function files and starting a session. (When the user is registered, we will create his username as a session variable as we did in Chapter 20, “Using Session Control in PHP.”)

Next, we validate the input data from the user. There are a number of conditions we must test for. They are:

• Check that the form is filled out. We test this with a call to the function filled_out() as follows:

  if (!filled_out($HTTP_POST_VARS))

  This function is one we have written ourselves. It is in the function library in the file data_valid_fns.php. We’ll look at this function in a minute.

• Check that the email address supplied is valid. We test this as follows:

  if (!valid_email($email))

  Again, this is a function that we’ve written, which is in the data_valid_fns.php library.

• Check that the two passwords the user has suggested are the same, as follows:

  if ($passwd != $passwd2)

• Check that the password is the appropriate length, as follows:

  if (strlen($passwd) < 6 || strlen($passwd) > 16)

  In our example, the password should be at least 6 characters long to make it harder to guess, and fewer than 16 characters, so it will fit in the database.

The data validation functions we have used here, filled_out() and valid_email(), are shown in Listing 24.7 and Listing 24.8, respectively.
Listing 24.7 filled_out() Function from data_valid_fns.php—This Function Checks That the Form Has Been Filled Out

function filled_out($form_vars)
{
  // test that each variable has a value
  foreach ($form_vars as $key => $value)
  {
    if (!isset($key) || ($value == ''))
      return false;
  }
  return true;
}

Listing 24.8 valid_email() Function from data_valid_fns.php—This Function Checks Whether an Email Address Is Valid

function valid_email($address)
{
  // check an email address is possibly valid
  // (ereg() was removed in PHP 7; preg_match() with the same pattern is the replacement)
  if (ereg('^[a-zA-Z0-9_\.\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$', $address))
    return true;
  else
    return false;
}

The function filled_out() expects to be passed an array of variables—in general, this will be the $HTTP_POST_VARS or $HTTP_GET_VARS arrays. It will check whether they are all filled out, and return true if they are and false if they are not.

The valid_email() function uses the regular expression we developed in Chapter 4, “String Manipulation and Regular Expressions,” for validating email addresses. It returns true if an address appears valid, and false if it does not.

After we’ve validated the input data, we can actually try and register the user. If you look back at Listing 24.6, you’ll see that we do this as follows:

$reg_result = register($username, $email, $passwd);
if ($reg_result === true)
{
  // register session variable
  $HTTP_SESSION_VARS['valid_user'] = $username;

  // provide link to members page
  do_html_header('Registration successful');
  echo 'Your registration was successful. Go to the members page '
       .'to start setting up your bookmarks!';
  do_html_url('member.php', 'Go to members page');
}

As you can see, we are calling the register() function with the username, email address, and password that were entered. If this succeeds, we register the username as a session variable and provide the user with a link to the main members’ page. This is the output shown in Figure 24.5.
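The same four checks from Listings 24.6 to 24.8, as an added example that is not the book's code, written for PHP 7/8 where $HTTP_POST_VARS and ereg() no longer exist. The function and message names are assumptions; filled_out() additionally rejects fields posted as arrays or as whitespace only, and the password comparison is strict.

```php
<?php
// Added example (not the book's code): Listings 24.6 to 24.8 for PHP 7/8,
// where $HTTP_POST_VARS and ereg() no longer exist.
function filled_out(array $form_vars): bool
{
    // Every field must be a non-blank string: is_string() rejects a field
    // posted as an array (email[]=...), trim() rejects whitespace-only values.
    foreach ($form_vars as $value) {
        if (!is_string($value) || trim($value) === '') {
            return false;
        }
    }
    return true;
}

function valid_email(string $address): bool
{
    // Listing 24.8's pattern moved from ereg() to preg_match(), and-ed with
    // PHP's built-in validator, which is the stricter of the two.
    $pattern = '/^[a-zA-Z0-9_.\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-.]+$/';
    return preg_match($pattern, $address) === 1
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

function validate_registration(array $post): array
{
    $fields = [];
    foreach (['email', 'username', 'passwd', 'passwd2'] as $name) {
        $fields[$name] = $post[$name] ?? '';   // a missing key counts as blank
    }
    if (!filled_out($fields)) {
        return ['You have not filled the form out correctly.'];
    }
    $errors = [];
    if (!valid_email($fields['email'])) {
        $errors[] = 'That is not a valid email address.';
    }
    if ($fields['passwd'] !== $fields['passwd2']) {   // strict, unlike the book's !=
        $errors[] = 'The passwords you entered do not match.';
    }
    // Same bounds as the book; the ceiling exists only so the value fits its column.
    $len = strlen($fields['passwd']);
    if ($len < 6 || $len > 16) {
        $errors[] = 'Your password must be between 6 and 16 characters.';
    }
    return $errors;
}

// Constructed sample standing in for $_POST.
print_r(validate_registration(['email' => 'user@example.com', 'username' => 'u1', 'passwd' => 'secret12', 'passwd2' => 'secret12']));
```

An empty array means the submission passed every check; each failure message is collected rather than exiting on the first one. Once passwords are stored as hashes, the 16-character ceiling is no longer needed, because a hash's length does not depend on the input.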
Figure 24.5 Registration was successful—the user can now go to the members page.

The register() function is in the included library called user_auth_fns.php. This function is shown in Listing 24.9.

Listing 24.9 register() Function from user_auth_fns.php—This Function Attempts to Put the New User’s Information in the Database

function register($username, $email, $password)
// register new person with db
// return true or error message
{
  // connect to db
  $conn = db_connect();
  if (!$conn)
    return 'Could not connect to database server - please try later.';