Login to MC Search and Match Profile and Account Management
This script is called login-to-mc.php
The first section is at the start of the script. First, we start a session and put the session id into the session variable sessionid. Then we define a named constant '_NODIRECTACCESS'. We include the config.php file (in the includes folder), which uses the PHP defined() function to check for this constant. If it is not set, we are thrown out of the config.php file like yesterday's trash.
Next we get to the JavaScript section. We use both JavaScript and PHP validation to filter input from the user since the cardinal rule for user input is: NEVER TRUST IT. If you want to trust it, simply ensure that it will be safe for putting into your MySQL tables as well as displaying on your web pages. By far the best method here is to use the JavaScript for the users' benefit and the PHP for security. If JavaScript is turned off (in which case our scripts won't even work), the PHP validation scripts are your last line of defense to keep things safe. On the other hand, the JavaScript allows the user to get a user-friendly response to unacceptable or wrong input in fields. Rather than making the user restart the form when he goofs, good JavaScript validation scripts use the focus() method to put the cursor back on the field where the goof occurred as well as alerting the user to his error. PHP-only validation forces form restart, which is maddening to users.
We use /^[A-Za-z0-9!@#$%^&*()_]{6,20}$/ for the password regular expression filter to force the data to conform to the needs of the acceptable data for a password, with the first part showing the acceptable characters and the second part forcing the length—in this case—to be 6 to 20 characters. The user name validator uses /^[A-Za-z0-9_]{6,20}$/ for its regular expression pattern. In both cases, if the data input does not meet the standards of our filters, the JavaScript focus() method sends the focus (the cursor) back to the text input box where the unacceptable data was input.
We now turn to the PHP section. First we grab all POSTed data that gets sent to the page after the submit button is clicked. The username is put into a session variable. There is a captcha in the form and the user must give the correct answer to get the edits to work. The correct answer will be figured in a different PHP script (more on that later) and stuck into the a__________a session variable. When the form is submitted, we check the answer the user gives against this a__________a variable and if it is incorrect, the user sees "Wrong captcha answer. Please try again." and is made to restart the login process. The captchas are all simple: adding or subtracting a 1-digit number to/from a 2-digit number.
If the user gets the captcha right, the username and password they entered are, after input filtering, checked for in the db table. If such a username does not exist, the user sees "This User Name does not exist. Please try again." and is made to restart the login process. If the password hash found in the MySQL db does not match the password hash created once the user enters the password in logging in, he sees "Sorry, username/password combination is wrong." and is made to restart the login process. The hashing and salting scripts are in the config.php file (see Configure File for Database Connection). The salt script is run only during registration—the salt created then is put in the user's record. In logging in, the salt is gotten from the db then sent to the hash routine in config.php which uses the salt in hash creation.
The other filtration scripts use preg_replace and dump unacceptable characters, using our strict standards, and the substr() function to make sure that data is not too long by trimming off any excess. The regular expression pattern for the password is /[^A-Za-z0-9\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\_]/ and for the user name is /[^a-zA-Z0-9\\_]/.
We also filtered out tags someone may try to sneak in by use of the strip_tags function. And we use the strlen() function to see if the length is too short, in which case they have to try to login again.
Both salt and hash go into the db. The password does not, so if anyone asks for theirs like in Forgot Password, we simply create a random string and email it to them and say "here's your new password." Few companies allow storing of passwords—it's dumb. We store their session variables for groupname and userid.
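The credential check described above, reworked as an added example (not code from the original page): it rejects input that fails the page's two patterns instead of rewriting it, looks the user up with a bound parameter, and writes identity data to the session only after the hash matches. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL mc_members table, PHP's built-in password_hash()/password_verify() replace the salt and hash routines in config.php, and try_login(), DUMMY_HASH and the sample account are hypothetical names and constructed data.

```php
<?php
// Added example. Constructed in-memory table standing in for the page's mc_members.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mc_members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, groupname TEXT)');
// password_hash() creates and embeds a per-user salt, so no salt column is needed here.
$db->prepare('INSERT INTO mc_members (username, password, groupname) VALUES (?, ?, ?)')
   ->execute(['group_one', password_hash('S3cret_pass!', PASSWORD_DEFAULT), 'Group One']);
// Hash checked when the user name is unknown, so both failure paths do the same work.
define('DUMMY_HASH', password_hash('no-such-user', PASSWORD_DEFAULT));

// try_login() is a hypothetical helper; $session is passed in so this also runs from the CLI.
function try_login(PDO $db, array $post, array &$session): bool
{
    $u = is_string($post['username'] ?? null) ? $post['username'] : '';
    $p = is_string($post['password'] ?? null) ? $post['password'] : '';
    // Same patterns as the JavaScript validator; bad input is rejected, never rewritten.
    $ok = preg_match('/^[A-Za-z0-9_]{6,20}$/D', $u) === 1
       && preg_match('/^[A-Za-z0-9!@#$%^&*()_]{6,20}$/D', $p) === 1;
    $row = false;
    if ($ok) {
        // Bound parameter: the user name never becomes part of the SQL text.
        $stmt = $db->prepare('SELECT id, password, groupname FROM mc_members WHERE username = ?');
        $stmt->execute([$u]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    }
    $match = password_verify($p, $row ? $row['password'] : DUMMY_HASH);
    if (!$ok || !$row || !$match) {
        unset($session['username'], $session['groupname'], $session['userid']);
        return false;   // caller shows one generic message for every failure
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
    }
    $session['username']  = $u;
    $session['groupname'] = $row['groupname'];
    $session['userid']    = (int) $row['id'];
    return true;
}

$session = [];   // stands in for $_SESSION
// Constructed inputs: wrong password, a name strip_tags() would rewrite to group_one, then a valid login.
var_dump(try_login($db, ['username' => 'group_one', 'password' => 'Wrong_pass1'], $session));
var_dump(try_login($db, ['username' => 'group_one<b>', 'password' => 'S3cret_pass!'], $session));
var_dump(try_login($db, ['username' => 'group_one', 'password' => 'S3cret_pass!'], $session));
var_dump($session);
```

In a web request, pass $_SESSION as the third argument after session_start(), and show the same message whichever check failed.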
The }}}}} is because of all the }else{ conditionals used earlier in the script. If the $Entry variable is not 1 but still 0, they haven't submitted the form yet, so we show them the login form. On the other hand, if they have submitted it, we send them off to MC Search and Match Profile and Account Management, which you will find at the end of the script after the final else conditional. We even send their username in a form, but we needn't have bothered since usernames are grabbed from session variables, not POSTs or GETs. Admittedly, there's a tad bit of overkill here and there in our scripts—just trying to cover all the bases.
The form itself is pretty standard stuff. It has maxlength attributes to keep password and user name lengths limited to 20 characters and it uses an onsubmit event to run the JavaScript validator. But the form also uses a captcha. We used the official captcha method in our Personal Status Board (PSB™) scripts, but designed a less cumbersome method for our MC editing scripts.
Take a gander at the captcha code: <IMG SRC="captcha-with-sessions.php" alt='captcha'>. A pretty strange type of image, to be sure! Browsers do NOT mind PHP scripts sitting in for PNG, BMP, GIF, or JPG images, believe it or not. Ad blockers with strong settings may knock the captcha out of the form. But Pop-up Blockers do not molest our captcha since it is NOT a pop-up. So your users were informed about the ad blocker nastiness when they registered—we doubt they will forget. The captcha is a random PNG image created using functions from the GD library, which is in all recent PHP versions. (To use the recommended bundled version of the GD library, which was first bundled in PHP 4.3.0, get your server hosts to use the configure option "--with-gd". Most already do this.)
The captcha image uses the font Holisb__.ttf, which is the Holiday Springs BTN True Type Font (get at MyFonts.com), but you may use other types if you wish. If you find arial.ttf in your C:\WINDOWS\Fonts\ directory on your computer, make sure it is in your folder with your PHP scripts on your server. Holisb__.ttf does a much cooler job, and will be harder for any automatic spambot script to read (and get the right answer for the arithmetic problem). For the captcha script, go to: Captcha Script for Registration and Login.
The script below is called: login-to-mc.php
<?php
session_start();
$_SESSION['sessionid'] = session_id();
define('_NODIRECTACCESS', TRUE);
include_once"includes/config.php";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>Login to MC Search and Match</TITLE>
<meta name="description" content="Login to MC Search and Match">
<meta name="keywords" content="Login to MC Search and Match,match,search,login Script,login,php,javascript, dhtml, DHTML">
<style type="text/css">
BODY {margin-left:0; margin-right:0; margin-top:0;text-align:left}
p, li {font:13px Verdana; color:black;text-align:left}
h1 {font:bold 28px Verdana; color:black;text-align:center}
h2 {font:bold 24px Verdana;text-align:center}
h3 {font:bold 15px Verdana;}
.k {text-align:right}
.j {position:absolute;top:50px;left:50%;margin-left:-300px;width:600px}
#myform {position:absolute;top:145px;left:50%;margin-left:-225px;width:450px;border:2px solid black;background-color:#8aa;}
#links {position:absolute;top:210px;left:82%;width:160px}
#t {width:410px;padding:9px;margin-top:-25px}
</style>
<script language="javascript">
function validatepassword(){
var ck_password = /^[A-Za-z0-9!@#$%^&*()_]{6,20}$/;
if (document.formpw.password.value.search(ck_password)==-1)
{alert("Please enter 6 to 20 letters, numbers and these for password: !@#$%^&*()_");document.formpw.password.focus();return false;}
var ck_username = /^[A-Za-z0-9_]{6,20}$/;
if (document.formpw.username.value.search(ck_username)==-1)
{alert("Please only enter 6 to 20 letters, numbers and underline for user name.");document.formpw.username.focus();return false}
return true;}
</script>
</head>
<body>
<?php
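// Default each field so a plain GET of the page raises no undefined-index notices.
$Entry=isset($_POST['entry'])?$_POST['entry']:0;
$U=isset($_POST['username'])?$_POST['username']:'';
$P=isset($_POST['password'])?$_POST['password']:'';
$A=isset($_POST['answer'])?$_POST['answer']:'';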
$N=0;
$_SESSION['username'] = $U;
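// A missing captcha answer in the session counts as a wrong answer.
if($Entry==1 && (!isset($_SESSION['a__________a']) || $A<>$_SESSION['a__________a'])){$N=1;unset($U);echo '<script language="javascript">alert("Wrong captcha answer. Please try again.");window.location="login-to-mc.php";</script>';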
}else{
if($Entry==1){
$U=substr($U,0,20);
$P=substr($P,0,20);
if (strlen($U)<6) {$N=1;unset($U);echo '<script language="javascript">alert("Please enter 6 to 20 characters for user name."); window.location = "login-to-mc.php"; </script>';
}else{
if (strlen($P)<6) {$N=1;unset($U);echo '<script language="javascript">alert("Please enter 6 to 20 characters for password."); window.location = "login-to-mc.php"; </script>';
}else{
$pattern3 = '/[^a-zA-Z0-9\\_]/i';
$pattern4 = '/[^A-Za-z0-9\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\_]/i';
$replacement = '';
$U=strip_tags($U);
$P=strip_tags($P);
$U=preg_replace($pattern3, $replacement, $U);
$P=preg_replace($pattern4, $replacement, $P);
if($A==$_SESSION['a__________a']){
$check_user_data = mysql_query("SELECT * FROM mc_members WHERE username = '$U' LIMIT 1") or die(mysql_error());
if(mysql_num_rows($check_user_data) == 0)
{$N=1;unset($U);echo '<script language="javascript">alert("This user name does not exist. Please try again.");window.location="login-to-mc.php";</script>';
}else{
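$get_user_data = mysql_fetch_array($check_user_data);
$pw=$get_user_data['password'];
$G=$get_user_data['groupname'];
$id=$get_user_data['id'];
$o=$get_user_data['salt'];$h=z_____z();
// Strict comparison: loose <> treats two numeric-looking hash strings as equal numbers.
if($pw!==$h){
$N=1;unset($U);
// Failed login: leave no identity data behind in the session.
unset($_SESSION['username'],$_SESSION['groupname'],$_SESSION['userid']);
echo '<script language="javascript">alert("Sorry, username/password combination is wrong."); window.location="login-to-mc.php";</script>';
}else{
// Store groupname and userid in the session only after the password hash matches.
$_SESSION['groupname'] = $G;
$_SESSION['userid'] = $id;
}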
}}}}}
if($N==1||$Entry==0){ ?>
<center><h1>Login to MC Search and Match</h1><div id='t'><b>Before you search with MC Search and Match, please meet with all your group members and agree on all the answers to the questions in the <a HREF="questionnaire.html">Questionnaire</a> and then fill it in <a HREF="questionnaire-login.php">here</a> if you haven't yet.</b></div></center>
<div id='myform'><BR><center><h3>Login</h3></center><table id='t' border='0' cellspacing=0 cellpadding=2>
<form id='formpw' name="formpw" method="post" action="login-to-mc.php" onsubmit="return validatepassword()">
<tr><td class='k'><label for="User Name"><b>User Name: </b></td><td><input type="text" name="username" size="20" maxlength="20" value=""></label></td></tr>
<tr><td class='k'><label for="Password"><b>Password: </b></td><td><input type="password" name="password" size="20" maxlength="20" value=""></label></td></tr>
<br><br>
<tr><td class='k'><input type="hidden" name="entry" value="1">
</td><td><IMG SRC="captcha-with-sessions.php" alt='captcha'>
</td></tr>
<tr><td class='k'><label for="Captcha answer"><b>Captcha answer: </b></td><td><input type="text" name="answer" size="20" maxlength="20" value=""></label></td></tr>
<tr><td align=left colspan=2>
If you see no Captcha, disable your ad blocker.</td></tr>
<tr><td class='k'> </td><td><BR><input type="submit" value="Submit">
<input type="reset" value="Reset"></td></tr></form></table><BR>
</div>
<div id='links'><BR>
<a HREF="register-with-captcha.php">Register</a><BR>
<a HREF="http://www.thebiganswer.info/">Home</a><BR>
<a href="http://www.css-resources.com/contact.html">Contact us</a><BR>
<a href='forgot-password.php'>I forgot my password</a><BR>
<a HREF='forgot-user-name.php'>I forgot my user name</a><BR>
<a HREF="http://www.thebiganswer.info/">The Big Answer</a>
</div>
<?php
mysql_close();
}else{
?>
<form name="MyForm" method="POST" action="register-for-mc.php">
<input type="hidden" name="username" value=" ">
</form>
<script language="javascript">
var u = <?php echo json_encode($U); ?>;
document.MyForm.username.value=u;
document.MyForm.submit();
</script>
<?php
}}
?>