<?php
include "config.php";
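// Account verification / registration handler.
// Relies on config.php for: $conn (PDO), $email_activation (bool), and the strings
// $host, $self and $sitename used to build the activation link and mail body.
if (isset($_GET['verify'])) { // Account verification process
    // Default the parameter so a missing ?code= does not raise a notice. The value is
    // never interpolated into SQL; it is bound as a parameter below, which is the
    // actual protection (PDO does not "sanitize" input on its own).
    $code = (string) ($_GET['code'] ?? '');
    $userdata = false;
    if ($code !== '') {
        $getcode = $conn->prepare("SELECT * FROM `verification` WHERE `code` = :code");
        $getcode->execute([':code' => $code]);
        // fetch() instead of rowCount(): rowCount() is not guaranteed to report
        // SELECT results on every PDO driver.
        $userdata = $getcode->fetch(PDO::FETCH_ASSOC);
    }
    if ($userdata === false) {
        // Doesn't match any codes in the database (or no code was supplied)
        echo "Invalid verification code!";
    } else {
        // userlevel of 2 indicates account has now been email activated
        $update = $conn->prepare("UPDATE `members` SET `userlevel` = '2' WHERE `username` = :username");
        $update->execute([':username' => $userdata['username']]);
        // Remove the verification code so it cannot be replayed
        $delete = $conn->prepare("DELETE FROM `verification` WHERE `code` = :code");
        $delete->execute([':code' => $code]);
        echo "Thank you, Your account has been verified.";
    }
} elseif (isset($_GET['register'])) { // User registration
    // Read every field once with a default so absent keys do not raise notices.
    $username = (string) ($_POST['username'] ?? '');
    $plain_password = (string) ($_POST['password'] ?? '');
    $confirm_password = (string) ($_POST['cpassword'] ?? '');
    $email = (string) ($_POST['email'] ?? '');

    // Compare against '' rather than empty(): empty() also rejects the string "0",
    // which is a legitimate (if poor) password or username.
    if ($username === '' || $plain_password === '' || $confirm_password === '' || $email === '') {
        // If any fields are left blank
        echo "A field was left blank, please go back and try again.";
    } elseif ($plain_password !== $confirm_password) {
        // If passwords do not match (strict comparison; no type juggling)
        echo "Your password and confirmation password do not match!";
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // mail() builds its recipient header from this value; only accept a single
        // well-formed address (this also rejects embedded line breaks).
        echo "The email address is not valid, please go back and try again.";
    } else {
        // Hash (not encrypt) the password with the current recommended algorithm
        $password = password_hash($plain_password, PASSWORD_DEFAULT);
        $cname = $conn->prepare("SELECT `username` FROM `members` WHERE `username` = :username");
        $cname->execute([':username' => $username]);
        if ($cname->fetch(PDO::FETCH_ASSOC) !== false) {
            // Account already exists with this username
            echo "The username is already in use";
        } else {
            // NOTE: this check-then-insert is not atomic; a UNIQUE index on
            // members.username is what actually prevents duplicate accounts.
            if ($email_activation) { // Email activation is enabled
                // 16 hex characters from a CSPRNG. str_shuffle() is seeded from a
                // predictable generator and must not be used for tokens.
                $code = bin2hex(random_bytes(8));
                $insert = $conn->prepare("INSERT INTO `members` (`username`, `password`, `email`) VALUES (:username, :password, :email)");
                $insert_verification = $conn->prepare("INSERT INTO `verification` (`username`, `code`) VALUES (:username, :code)");

                // Write the member row and its verification row together so a failure
                // cannot leave an account that can never be activated.
                $stored = false;
                $conn->beginTransaction();
                try {
                    $stored = $insert->execute([':username' => $username, ':password' => $password, ':email' => $email])
                        && $insert_verification->execute([':username' => $username, ':code' => $code]);
                    if ($stored) {
                        $conn->commit();
                    } else {
                        $conn->rollBack();
                    }
                } catch (\Throwable $e) {
                    $conn->rollBack();
                    throw $e; // nothing partial was written; let the caller's error handling see it
                }

                if ($stored) {
                    $link = "https://$host$self?verify&code=" . rawurlencode($code);
                    // Send activation link to the user
                    mail("$email", "Member-Ship Validation", "Thank you for registering on $sitename. Please copy the below link into your address bar: $link", "From: Site Verification");
                    echo "You are now registered, please check your email to activate your account.";
                } else {
                    echo "Registration could not be completed, please try again later.";
                }
            } else { // No email activation: account is active (userlevel 2) immediately
                $insert = $conn->prepare("INSERT INTO `members` (`username`, `password`, `email`, `userlevel`) VALUES (:username, :password, :email, '2')");
                $insert->execute([':username' => $username, ':password' => $password, ':email' => $email]);
                echo "You are now registered, you can now login to your account.";
            }
        }
    }
} else { // Show the registration form
    echo "<form action='register.php?register' method='post'>
<table>
<tr><td>Username:</td><td><input type='text' name='username' size='30'></td></tr>
<tr><td>Password:</td><td><input type='password' name='password' size='30'></td></tr>
<tr><td>Confirm Password:</td><td><input type='password' name='cpassword' size='30'></td></tr>
<tr><td>Email:</td><td><input type='text' name='email' size='30'></td></tr>
<tr><td colspan='2'><input type='submit' value='Register'></td></tr>
</table>
</form>";
}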
?>