mikebernat.com Web-Development, Design, Usability

This post is outdated and may contain bad-practice techniques.

The most useful and almost necessary feature of any interactive website is a registration form. A way to give users access to features while keeping out the riff-raff. While a registration script can be the perfect time for an amateur to grab the bull by the horns it can also leave lots of pitfalls for a more experienced programmer.

For this example I'll be using PHP 4.3x and MySQL 5.1.2x, as well as PHPMyAdmin 2.8. 

The first thing to do is to set up our database. For this example I'll try to keep the number of fields short.

Five fields should do it.

id - our unique key, should be sent to auto_increment and type int

username - field to store the username, limit to 20 characters

password - field to store the encrypted password, limit to 50 characters

email - field to store the user's email address

date - a field to store the unix timestamp of when the user registers 

Please see my article on Using and Understanding Improper MySQL Field Types for more information on the fieldtypes used here. 

Here is the SQL Query to create the table 

CREATE TABLE `user_list` ( `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY , `username` VARCHAR( 20 ) NOT NULL , `password` VARCHAR( 100 ) NOT NULL , `email` VARCHAR( 100 ) NOT NULL , `date` INT NOT NULL ) ENGINE = MYISAM ;

Now that the database is setup the next step is to create the form:

<!-- Register Page --> <form method="post" action="register2.php"> Username<br/><input type="text" name="username" maxlength="20" /><br/> Password<br/><input type="password" name="password" /><br/> Email<br/><input type="text" name="email" /><br/> < /form>

Very basic html form that will pass the form variables to register2.php. This second page will do some validation and insert the information into the table.

<?PHP // register2.php include("dbconnect.php"); $errors = ""; if (!isset($_POST['username'])) $errors .= "Please provide a username. <br/>"; if (!isset($_POST['password'])) $errors .= "Please provide a password. <br/>"; if (!isset($_POST['email'])) $errors .= "Please provide an email address. <br/>"; if ($errors == "") { mysql_query("INSERT INTO user_list VALUES( '', '".addslashes($_POST['username'])."', '".md5($_POST['password])."', '".addslashes($_POST['email'])."', '".time()."' )") or die(mysql_error()); echo "Registration Successful!"; } else { echo $errors."Please go back and try again."; } ?>

 The first line of register2.php sets up the MySQL connection. The next block of code validates the form to ensure that each form field is filled out and if not adds a string to the variables $errors. If $errors is empty and all is well then we can insert the information into the table. I used PHP's addslashes() function around each value that could be tampered with to prevent injection hacks. 

The md5() function produces a 1-way hash of the users password and stores that into the table. The reason for this is the obvious security risk of storing passwords as plain text in the table. Later on when a user attempts to log in we can compare the md5 of the password in the table with the md5 of the password provided by the user. This is a practice that every programmer should get used to using or any another secure method that does not store passwords in plain text.

Running through the form and submitting it your table should look something like this:

As you can see the password field is a 32 character hexadecimal jumble that looks useless to the naked eye but in fact is to help keep our users secure and less worried about someone stealing their information.

In a later tutorial I will go over how to set up a login script that works with this table schema.  

An interesting and underrate, or underused, function that php makes available is checkdnsrr() which can be used on an email domain to check to see if it is valid. This will involve parsing the email field to get everything after the @ symbol but can be very useful in checking to see if a domain is valid without going as far as sending a confirmation email.

If I get enough of a response from this article I will consider showing how to append this script to work with email confirmation and even lost/forgot passwords.

Extra Reading

Creating a PHP Login Script - Comprehensive and detailed tutorial on how to create a complete login script.

PHP Login Script Tutorial -  Another basic registration/login tutorial. Covers all the basics.