  1. #1
    Join Date
    Mar 2007
    Posts
    49
    Tokens
    50

    User System Tutorial Part One

    Hey Everyone! This is the first part of the user system tutorial. This tutorial will include the following:
    Mysql Tables
    config.php
    functions.php
    register.php
    login.php
    logout.php
    usercp.php
    members.php
    Alright, let's start with making our table so far. Copy and paste this into the SQL query for phpMyAdmin.
    But to learn more, I'd rather you re-write it so you get the hang of it better.
    CREATE TABLE `users` (
    `id` INT( 11 ) NOT NULL AUTO_INCREMENT PRIMARY KEY ,
    `username` TEXT NOT NULL ,
    `password` TEXT NOT NULL ,
    `email` TEXT NOT NULL ,
    `joindate` TEXT NOT NULL ,
    `ip` TEXT NOT NULL ,
    `level` INT( 11 ) NOT NULL DEFAULT '1'
    ) ENGINE = MYISAM ;
    Let's get right to the config file, name this: config.php
    PHP Code:
    <?php
    ob_start();
    //Tells Server we are using cookies
    $dbhost = "localhost";
    $dbname = "db_name";
    $dbuser = "db_username";
    $dbpass = "db_pass";
    $connect = mysql_connect("$dbhost","$dbuser","$dbpass");
    mysql_select_db($dbname) or die (mysql_error());
    //Connect to the database, self explanatory
    $loggedU = mysql_query("SELECT * FROM users WHERE id='$_COOKIE[id]' AND password = '$_COOKIE[pass]'");
    $loggedU = mysql_fetch_array($loggedU);
    //Used for shorter variables.
    $check = mysql_query("SELECT * FROM users WHERE id='$_COOKIE[id]' AND password='$_COOKIE[pass]'");
    //This will check against the user's cookies
    if(!$_COOKIE['id'] || !$_COOKIE['pass']){
        //If the cookies aren't the same
        $loggedIn = 0;
        //Their logged in status is 0
        $Uname = "Guest";
        $Uid = "Guest";
        //So everything is considered a guest
    }else{
        //if it is them
        $loggedIn = 1;
        //set logged in to 1
        $Ulog = mysql_fetch_array($check);
        //fetch the query
        $Uname = $Ulog['username'];
        $Uid = $Ulog['id'];
        //Logged Info - shorter variables to use
    }
    //end else
    //Global Settings
    $date = date("l, F j");
    $time = date("h:i:s A");
    $Uip = getenv('REMOTE_ADDR');
    ?>
    Get it? Good!
    Let's move on to making a functions page, name this: functions.php
    PHP Code:
    <?php
    function safe($string,$no_white = 1){
        //Name the safe function to use in our forms
        $string = htmlspecialchars(stripslashes(addslashes($string)),ENT_QUOTES);
        //Set our string, no html, strip then add slashes,
        if($no_white <= 1){
            //if no white, do nothing
        }else{
            //else, add some
            $string .= " ";
            //The string adds some
        }
        //end else
        return $string;
        //Return the string
    }
    //End function
    //The safe function will turn out like - $variable = safe($_POST['field_name']);
    function getname($userid){
        //name a new function to grab names, because in this system, we won't be calling stuff by names, we will use numbers.
        $getuser = mysql_query("SELECT * FROM users WHERE id='$userid'");
        //get the user from the database
        $check = mysql_num_rows($getuser);
        //Check the rows
        while($r = mysql_fetch_array($getuser)){
            $name = $r['username'];
            $id = $r['id'];
        }
        //Fetches data and that
        if($check == 0){
            $lev = "Guest";
            //If no user, level is guest and that
        }else{
            $lev = "<a href='?user=member&uid=$id'>$name</a>";
            //If not, get the user and link to their profile
        }
        return $lev;
        //Return the Username
    }
    //The getname function will turn out like - $user = getname($uid);
    function switchlevel($Ulevel){
        //name new function switchlevel, this will turn 1 - member or 5 - Administrator
        $level = array(
            "1" => "Member",
            "5" => "Administrator",
        );
        $new_level = str_replace(array_keys($level),array_values($level),$Ulevel);
        return $new_level;
    }
    //End function
    //The switchlevel function will go like $Ulevel = switchlevel($userlevel);
    ?>
    Remember to make that functions page as it is crucial to have, and we will constantly be updating it.
    Next let's make the registration page, name this: register.php
    PHP Code:
    <?php
    ob_start();
    //Start Cookies
    include "config.php";
    //Include our database connection
    include "functions.php";
    //Include our functions
    if (!$_POST['submit']){
        //If the submit isn't pressed
        echo "<form method='POST'>
        Username: <input type='text' name='username'><br>
        Email: <input type='text' name='email'><br>
        Password: <input type='password' name='pass'><br>
        Confirm Password: <input type='password' name='cpass'><br><br>
        <input type='submit' name='submit' value='Process'> <input type='reset' name='reset' value='Clear Data'>
        </form>";
        //That is register form for the user to fill in.
    }else{
        //if the submit button is pressed (Else 1)
        $username = safe($_POST['username']);
        $email = safe($_POST['email']);
        $pass = safe($_POST['pass']);
        $cpass = safe($_POST['cpass']);
        //get the data from our form
        if ($username == NULL || $email == NULL || $pass == NULL || $cpass == NULL){
            //If any fields were left blank
            echo "Sorry, we cannot complete your registration because one or more fields was left blank!";
            //Echo the error
        }else{
            //Else 2
            $getname = mysql_query("SELECT `username` FROM `users` WHERE `username`='$username'") or die(mysql_error());
            $checkname = mysql_num_rows($getname);
            //Check for the user in the db
            $getemail = mysql_query("SELECT `email` FROM `users` WHERE `email`='$email'") or die(mysql_error());
            $checkemail = mysql_num_rows($getemail);
            //Check for the email in the db
            $getip = mysql_query("SELECT `ip` FROM `users` WHERE `ip`='$Uip'") or die(mysql_error());
            $checkip = mysql_num_rows($getip);
            //Check for the ip address in the db
            if ($checkname != 0){
                echo "Sorry, but the name you have chosen is already in use in our database, please go back and choose another!";
                //If their name is taken, echo the error
            }elseif ($pass != $cpass){
                echo "Sorry, but the passwords you have entered do not match! Please go back and re enter them.";
                //If the passwords do not match, echo the error
            }elseif ($checkemail != 0){
                echo "Sorry, but the email you have entered is already in use in our database, please go back and enter a new one!";
                //If the email is taken, echo the error
            }elseif ($checkip != 0){
                echo "Sorry, but this computer has already registered, to keep it fair, one user per computer! 
                If you are sure no one has registered on this computer, please contact Administration.";
                //If their computer is already registered, echo the error
            }else{
                //Else 3, if all else is good, then we submit to database
                $password = md5($pass);
                //md5 the password
                $insert = mysql_query("INSERT INTO `users` (`username`,`password`,`email`,`ip`,`joindate`) 
                VALUES ('$username','$password','$email','$Uip','$date')") or die(mysql_error());
                echo "You have successfully registered, you may now login to use some of our wonderful features.";
                //insert the user into the database, and echo the message!
            }
            //End else 3
        }
        //End Else 2
    }
    //End else 1
    ?>
    Wow, that was a mouthful! XD, Let's continue on to login.php
    PHP Code:
    <?php
    ob_start();
    //Start Cookies
    include "config.php";
    //Include our database connection
    include "functions.php";
    //Include our functions
    if (!$loggedU['username']){
        //If they aren't logged in
        if (!$_POST['submit']){
            //If they haven't submitted the form
            echo "<form method='POST'>
            <b>Username</b>
            <input type='text' name='username'>
            <b>Password</b>
            <input type='password' name='password'>
            <input type='submit' name='submit' value='Login'>
            <input type='reset' name='reset' value='Reset'>
            - <a href='register.php'>Register</a>
            </form>";
            //Echo our login form
        }else{
            //if they hit the submit button
            $username = safe($_POST['username']);
            $password = safe($_POST['password']);
            $password = md5($password);
            $getuser = mysql_query("SELECT * FROM `users` WHERE `username`='$username'") or die(mysql_error());
            $checkuser = mysql_num_rows($getuser);
            $r = mysql_fetch_array($getuser);
            //Get all the data from our form?
            if ($checkuser == 0){
                echo "This username does not exist in our database, please register!";
                //If the user doesn't exist, echo error
            }elseif ($password != $r['password']){
                echo "The password you have entered does not match the password in the database for this user!";
                //If the password from the db doesn't match the submitted password, echo error
            }else{
                setcookie("id", $r['id'], time()+(60*60*24*5), "/", "");
                setcookie("pass", $r['password'], time()+(60*60*24*5), "/", "");
                header ("Location: http://YOURSITE.com");
                //Set cookies and redirect them
            }
        }
    }else{
        //Else 1
        echo "Welcome $Uname, What would you like to do today?<br>
        <a href='usercp.php'>User CP</a><br>
        <a href='members.php'>Members</a><br>
        <a href='logout.php'>Logout</a>";
    }
    //End Else 1
    ?>
    Now that we can log in, let's log out: logout.php
    PHP Code:
    <?php
    ob_start();
    setcookie("id", 2132421, time()+(60*60*24*5), "/", "");
    setcookie("pass", "loggedout", time()+(60*60*24*5), "/", "");
    header ("Location: http://yoursite.com");
    //set new cookies, then redirect the user.
    ?>
    Want to edit your profile? usercp.php
    PHP Code:
    <?php
    ob_start();
    //Start Cookies
    include "config.php";
    //Include our database connection
    include "functions.php";
    //Include our functions
    if ($loggedU['username']){
        //if they are logged in
        switch ($_GET['control']){
            //Makes url usercp.php?control=actionhere
            default:
                //set default page
                echo "<a href='usercp.php?control=edit_profile'>Edit Profile</a>";
                break;
                //end default page
            case "edit_profile":
                //start edit profile page
                if (!$_POST['submit']){
                    //If the submit button hasn't been pressed
                    echo "<form method='POST'>
                    Email: <input type='text' name='email' value='$loggedU[email]'><br>
                    <input type='submit' name='submit' value='Edit'>
                    </form>";
                }else{
                    $email = safe($_POST['email']);
                    //grabs the data with the safe function
                    $update = mysql_query("UPDATE `users` SET `email`='$email' WHERE `id`='$loggedU[id]'");
                    //Update the profile, if adding more fields,
                    //make sure to separate with a comma, `field`='$value', `field2`='$value2'
                    echo "You have updated your profile!";
                    //echo the success
                }
                //end else
                break;
                //end edit profile
        }
        //end switch function
    }else{
        //if they aren't logged in
        echo "Please register or login!";
        //echo error
    }
    //end else
    ?>
    We are almost done with part one of this tutorial! Last page for now, members.php
    PHP Code:
    <?php
    ob_start();
    //Start Cookies
    include "config.php";
    //Include our database connection
    include "functions.php";
    //Include our functions
    switch ($_GET['control']){
        //start switch functions, urls are now, members.php?control=actionhere
        default:
            //set default page
            $getusers = mysql_query("SELECT * FROM `users` ORDER BY username ASC");
            //get the users and order them alphabetically
            while ($x = mysql_fetch_array($getusers)){
                //make a while loop for all users
                echo "<a href='members.php?control=user&uid=$x[id]'>$x[username]</a>";
                //echo an url to view the users profile.
            }
            //end while
            break;
            //end default page
        case "user":
            $uid = safe($_GET['uid']);
            //get the uid from the url
            $x = mysql_fetch_array(mysql_query("SELECT * FROM `users` WHERE `id`='$uid'"));
            //get the user and already fetch the data.
            $level = switchlevel($x['level']);
            //get their level in words with the switchlevel function
            echo "
            <b>Username:</b> $x[username]<br>
            <b>Email:</b> $x[email]<br>
            <b>Level:</b> $level<br>
            <b>Joindate:</b> $x[joindate]<br>";
            //echo the info
            break;
            //end view profile
    }
    //end switch function
    ?>
    Thanks, that is part one of the user system tutorial,
    keep it locked for the next parts which include, users online, message system, admin cp,
    change password, forgot password.
    You can also suggest tuts you want to see for this system!

    Edited by Catzsy (Forum Super Moderator): Thread closed due to bumping.
    Last edited by Catzsy; 11-05-2007 at 04:07 PM.

  2. #2
    Join Date
    Apr 2005
    Posts
    78
    Tokens
    0

    *Cough Edited Version Of Techuts usersystem*

  3. #3
    Join Date
    Mar 2007
    Posts
    49
    Tokens
    50

    *Cough* An actual user system that won't be so easily hacked or SQL injected.

  4. #4
    Join Date
    Aug 2006
    Location
    Manchester, UK
    Posts
    2,016
    Tokens
    141
    Habbo
    florx

    yup there's a nice demo on www.habblio.com with some added stuff i coded e.g. alert, ban, badges. the rest is C&P with tweaks lol

  5. #5
    Join Date
    Apr 2005
    Posts
    78
    Tokens
    0

    LOOL agreed for once eliterate, i might just go along and use that usersystem. techtuts is hopeless ill just edit urs like crazy, i dont like that one account per ip thing. And u need last time they logged in. And and and, sessions. urs u have to login twice

  6. #6
    Join Date
    Jun 2005
    Posts
    4,795
    Tokens
    0

    Warning:

    This system is not secure!

    Your function safe will NOT protect from SQL injections.

    Also cookies are far from secure. I could use malicious scripts to steal user's cookies.

  7. #7
    Join Date
    Mar 2007
    Posts
    49
    Tokens
    50

    others said the same thing about it, they've even tried to get on to my site, but failed...miserably.

  8. #8
    Join Date
    Dec 2006
    Location
    Doncaster, UK
    Posts
    4,244
    Tokens
    0

    This is just Techtuts?

  9. #9
    Join Date
    Aug 2004
    Location
    United Kingdom
    Posts
    5,769
    Tokens
    1,249
    Habbo
    Beneficial

    Correct, Xeoro!
    what is fetch gretchen?

  10. #10
    Join Date
    Aug 2004
    Location
    UK
    Posts
    11,283
    Tokens
    2,031

    Quote Originally Posted by Tomm View Post
    Warning:

    This system is not secure!

    Your function safe will NOT protect from SQL injections.

    Also cookies are far from secure. I could use malicious scripts to steal user's cookies.
    tbh i think the bigger problem with the safe function is that it's not actually used on most of the sql inputs anyway o.0
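
The two problems raised in this thread (cookie values reaching the SQL text, and a cookie that carries the stored password hash) handled in one sketch. This is an added example, not the tutorial author's or any poster's code; the `session_token` column, the function names and the in-memory SQLite database are assumptions, and it assumes PHP 7.3+ with the pdo_sqlite extension.

```php
<?php
// Added example, not the tutorial's code; session_token and all function names are assumptions.
function open_db(): PDO {
    // In-memory SQLite keeps the sketch self-contained; use a MySQL DSN on a real site.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               password TEXT NOT NULL, session_token TEXT)');
    return $db;
}

function register_user(PDO $db, string $username, string $pass): void {
    // password_hash() salts and stretches the password; a bare md5() does neither.
    $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
       ->execute([$username, password_hash($pass, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $pass): ?string {
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null; // one answer for "no such user" and "wrong password"
    }
    // The cookie gets a random token; only its SHA-256 is stored server-side.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET session_token = ? WHERE id = ?')
       ->execute([hash('sha256', $token), $row['id']]);
    return $token;
}

function user_from_cookie(PDO $db, string $cookieToken): ?array {
    // Bound parameter: whatever the cookie contains is compared as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE session_token = ?');
    $stmt->execute([hash('sha256', $cookieToken)]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function send_session_cookie(string $token): void {
    // HttpOnly keeps page scripts from reading the cookie; Secure limits it to HTTPS.
    setcookie('session', $token, ['expires' => time() + 60 * 60 * 24 * 5, 'path' => '/',
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}

// Constructed sample data, run from the command line (send_session_cookie() is for web requests).
$db = open_db();
register_user($db, 'alice', 'correct horse battery');
$token = login($db, 'alice', 'correct horse battery');
var_dump(login($db, 'alice', 'wrong guess'), user_from_cookie($db, $token));
var_dump(user_from_cookie($db, "it's not a token"));
```

Logging out in this design means setting `session_token` to NULL for the user, so a copied cookie stops working on the server side as well.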
