The scripts in the two link groups below are Customer Apps for Dealing with Product Keys and Email Addresses, and Administrator Apps for Dealing with Customer Records.
In our ecommerce world, products are sold by many different methods. Amongst these are getting out demos in various ways and when people try them, some of them are very pleased and they buy what's called a key. This unlocks the full feature set of the product when they enter it. There is a need to give the product users limited access to perform a few functions such as changing their emails, retrieving their keys from our database when they misplace them, etc. There is also a need for administrative functions to manage customer records. One needs to sort them, edit them, delete them, add them, view them, search them, register to be an administrator, login as administrator, etc.
If an ecommerce company does not have any of the applications below, it is forced to perform them the 20th century ways—by hand. This means paying for people to answer phones, write emails, keep paper files of customers, etc. The 21st century way is to let software perform these tasks, let websites and videos explain the product features, and let ecommerce close the sale and send the product.
Feel free to use these free Customer Records Management scripts in your business. Note: we know they work well for us (they are well tested), but we assume no liability for how they work in your situation. Similarly, we added lots of security measures such as extensive input filtering, but we make no claims and assume no liability for how securely they work in your situation.
The best security measure to take when using the administrative part of a system like this (meaning the Administrator Apps for Dealing with Customer Records in which category the script below resides, not the Customer Apps for Dealing with Product Keys and Email Addresses) is do not have any links ANYWHERE that link to the URLs of any of the admin files on the server, so neither hackers nor Google finds them. Then use the admin CMS yourself but do not even let your momma use it. Don't even save the link to the admin login as a Favorite, just to be secure. Just stick the login username and password in Roboform and make them impossible to guess. Then use Roboform to logon. The Customer Apps are included online and linked to as part of the product web pages that make life easier for everyone. Their security is mainly handled via extreme input filtering. The Admin Apps like the one below are hidden, unlinked to, and well protected with security measures, password hashes and salts, etc.
The script register-with-captcha-for-customer-records-management.php processes both registration input data from the administrator, and also session data, which it creates when it puts the session_id() into the proper session variable ($_SESSION['sessionid']) for safekeeping. (Of course, it has to start a session first with session_start().)
The PHP script below gives the administrator a chance to register as an administrator. Then, after registration and login, he will be sent to Customer Records Management.
The script begins with starting a session, then using the session id to create the session variable $_SESSION['sessionid']. The config.php file is included after the defined constant _NODIRECTACCESS gets defined. This gets checked on in the configuration file, and if it is not defined in that file, access to the file is denied. The config.php file uses the defined() function to check whether a given named constant exists. The various scripts that use config.php all use the define() function to define a named constant
named '_NODIRECTACCESS' just prior to including config.php. This protects against anyone using the config.php file without first naming that constant with the define() function—a wise security precaution.
Next we have the creation of the admin_members MySQL table—if it does not already exist.
Now comes the JavaScript function validatepassword(), which is run from the formpw onsubmit event, and validates the registration data, even though the script will do PHP validation as well. Why both? For user convenience! Bad data gets a message and sending the cursor to the input box where the goof is, to await your fix. If all validating was PHP only, you'd have to restart the form if there were any goofs, which would elicit crocodile tears from your users—in this case, the administrators.
Then the JavaScript search() method is used in a couple of input validation functions which use regular expression searches that limit both the size of the input string and the characters it contains. Note that if input is bad, after the alert message to warn the user, the focus() method is used before the return false so the cursor goes to the element with the goof. Returning false halts the submitting.
We use both JavaScript and PHP validation to filter input from the user (in this case, the administrator) since the cardinal rule for user input is: NEVER TRUST IT. If you want to trust it, simply ensure that it will be safe for putting into your MySQL tables as well as displaying on your web pages. By far the best method here is to use the JavaScript for the users' (the administrator) benefit and the PHP for security. If JavaScript is turned off (in which case our scripts won't even work), the PHP validation scripts are your last line of defense to keep things safe. On the other hand, the JavaScript allows the user to get a user-friendly response to unacceptable or wrong input in fields. Rather than making the user restart the form when he goofs, good JavaScript validation scripts use the focus() method to put the cursor back on the field where the goof occured as well as alerting the user to his error. PHP-only validation forces form restart, which is maddening to users.
We use /^[A-Za-z0-9!@#$%^&*()_]{12,20}$/ types of regular expressions to force the data to conform to the needs of the data fields, with the first part showing the acceptable characters and the second part forcing the length—in this case—to be 12 to 20 characters.
Now for the PHP. The entry, password, username, and answer inputs are POSTed to the script. The $Entry variable holds the entry flag which shows if the form was submitted. The $A variable holds the captcha answer which it gets from the captcha script at Register with Captcha to Administer Customer Records PHP Captcha Script via a session variable. $N is 1 if the registering messes up and 0 if it doesn't.
The administrator's inputted username gets stuck into a session variable $_SESSION['username'], which will mean something if and when the registering is successful and the administrator is sent to the administrator navigation script.
There is a captcha in the form and the user must give the correct answer to register. The correct answer will be figured in a different PHP script and stuck into the a__________a session variable. When the form is submitted, we check the answer the user gives against this a__________a variable and if it is incorrect, the user sees "Wrong captcha answer. Please try again." and is made to restart the registering process. The captchas are all simple: adding or substracting a 1-digit number to/from a 2-digit number.
Next, if the captcha answer $A equals the captcha script's captcha answer ($_SESSION['a__________a']), then we access the MySQL record for the entered username $U using the MySQL SELECT statement. If such a username already exists in the database table, the administrator sees "This User Name already exists. Please try again."
Now we do input filtering on the password and username, using the substr() function to keep the data under its character limit, and the strlen() function to make sure it's not too short. We dump any errant tags with the PHP strip_tags() function. Then we use the preg_replace() function and two regular expression patterns to dump inappropriate characters from the inputted password and username. Now we use the mysql_real_escape_string() function to escape iffy characters in the username input.
Next we create the random-alphanumeric-character-laden salt. Then we use the salt and the entered password to create the hash. Both salt and hash go into the db. The password does not, so if anyone asks for theirs like in HTML Form Creator—Forgot Password, we simply create a random string and email it to them and say "here's your new password." Few companies allow storing of passwords—it's dumb.
function make_salt(){
$aZ09 = array_merge(range('A', 'Z'), range('a', 'z'),range(0, 9));
return $o;}
function z_____z(){
global $P;global $o;$s=$o;$p=$P;
$h = hash('sha512',$p.$s);
for ($i=0;$i<6979;$i++){$h=hash('sha512',$h.$p.$s);}
$h = substr($h,0,65);return $h;}
To explain, it is dumb because it's a security risk and it's trivial to do the extra step of salts and hashes. We have the make_salt() function (which is run from other scripts that include config.php) that makes a salt to use with passwords and hashes for better security. In config.php we use the PHP function array_merge() to merge 3 arrays, which we build using the range() function, which creates an array with a specified range of elements. In this case, we want A to Z, a to z, and 0 to 9. Then we use the mt_rand() function and the count() function to loop through 19 iterations, getting random characters from the array, concatenating them together into a new salt 19 characters long.
Next we have the hashing function z_____z() (which is run from other scripts that include config.php). It expects a salt in the $o variable and an entered password in the $P variable. We start by creating a hash() of the concatenation of the password and salt, using the sha512 hashing algorithm. Next we loop through 6979 iterations of hashing a concatenation of the just made hash and the password and the salt, so that we are getting hashes of hashes of hashes . . . etc. Then we use the substr() function to get the first 65 characters of the hashed hash. This is the value we return from the function.
The reason we do not combine the hash and salt functions into one function is simple. We use $o=$get_user_data['salt'];$h=z_____z(); in the login script, but $o=make_salt();$h=z_____z(); in the registration script. We need a new salt to register, but need to grab the old salt from the database to login.
To reitterate: the salt to be put in the administrator's record goes into $o, after our function make_salt(), stored in the included config.php file, creates it. The administrator's inputted password is turned into a hash. The $h=z_____z() code is the password hashing routine stored in the included config.php file. It is a function being run using the entered password and stored salt, and the resulting hash is put into $h.
We use INSERT INTO to add this member to admin_members by insert all his data: id, username, password, ip, signup date, and salt. Now we use SELECT to get this new record's id number and stick it in the session variable $_SESSION['userid'], then we tell the administrator the "Entries were made successfully." Then we send the administrator to the administrator login script. Even though we POST the username to that script, we instead use the session variable $_SESSION['username'] to keep track of this variable, not POSTing the username.
Take a gander at the captcha code: <IMG SRC="captcha-with-sessions.php" alt='captcha'>. A pretty strange type of image, to be sure! Browsers do NOT mind PHP scripts sitting in for PNG, BMP, GIF, or JPG images, believe it or not. The message "If you see no Captcha, disable your ad blocker" is displayed near the captcha because ad blockers with strong settings may knock the captcha out of the form. But Pop-up Blockers do not molest our captcha since it is NOT a pop-up. It's a random PNG image created using functions from the GD library, which is in all recent PHP versions. (To use the recommended bundled version of the GD library, which was first bundled in PHP 4.3.0, get your server hosts to use the configure option "--with-gd". Most already do this.)
The captcha image uses the font Holisb__.ttf, which is the Holiday Springs BTN True Type Font (get at, but you may use other types if you wish. If you find arial.ttf in your C:\WINDOWS\Fonts\ directory on your computer, make sure it is in your folder with your PHP scripts on your server. Holisb__.ttf does a much cooler job, and will be harder for any automatic spambot script to read (and get the right answer for the arithmetic problem). For the captcha script, go to: Register with Captcha to Administer Customer Records PHP Captcha Script.
Finally, there's the registration form where password and username and captcha answer are entered by the administrator. Then he submits the form and the validatepassword() script is the onsubmit event. If it passes this JavaScript validation, it is sent to the PHP script already discussed.
$_SESSION['sessionid'] = session_id();
$sql = "CREATE TABLE IF NOT EXISTS admin_members (
id int(4) NOT NULL auto_increment,
username varchar(20) NOT NULL,
password varchar(65) NOT NULL,
ip varchar(65) NOT NULL,
signup_date varchar(10) NOT NULL,
salt varchar(19) NOT NULL,
// Execute query
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>Registration Script with Captcha for Customer Record Administration</TITLE>
<meta name="description" content="Registration Script with Captcha for Customer Record Administration">
<meta name="keywords" content="Registration Script with Captcha for Customer Record Administration,Register Script,registration,captcha,php,javascript, dhtml, DHTML">
<style type="text/css">
BODY {margin-left:0; margin-right:0; margin-top:0;text-align:left}
p, li {font:13px Verdana; color:black;text-align:left}
h1 {font:bold 28px Verdana; color:black;text-align:center}
h2 {font:bold 24px Verdana;text-align:center}
h3 {font:bold 15px Verdana;}
.k {text-align:right}
.j {position:absolute;top:50px;left:50%;margin-left:-300px;width:600px}
#myform {position:absolute;top:100px;left:50%;margin-left:-225px;width:450px;border:2px solid black;background-color:#8aa;}
#links {position:absolute;top:210px;left:82%;width:222px}
#t {width:410px;padding:9px;margin-top:-25px}
#undisplayed {position:absolute;top:210px;left:5%;width:170px}
<script language="javascript">
function validatepassword(){
var ck_password = /^[A-Za-z0-9!@#$%^&*()_]{12,20}$/;
if (
{alert("Please enter 12 to 20 letters, numbers and these for password: !@#$%^&*()_");document.formpw.password.focus();return false;}
var ck_username = /^[A-Za-z0-9_]{12,20}$/;
if (
{alert("Please only enter 12 to 20 letters, numbers and underline for user name.");document.formpw.username.focus();return false}
return true;}
$_SESSION['username'] = $U;
if($Entry==1 && $A<>$_SESSION['a__________a']){$N=1;unset($U);echo '<script language="javascript">alert("Wrong captcha answer. Please try again.");window.location="register-with-captcha-for-customer-records-management.php";</script>;';
if($Entry==1 && $A==$_SESSION['a__________a']){
$check_user_data = mysql_query("SELECT * FROM admin_members WHERE username = '$U' LIMIT 1") or die(mysql_error());
if(mysql_num_rows($check_user_data) > 0)
{$N=1;unset($U);echo '<script language="javascript">alert("This User Name already exists. Please try again.");window.location="register-with-captcha-for-customer-records-management.php";</script>;';
if (strlen($U)<12) {echo '<script language="javascript">alert("Please enter 12 to 20 characters for user name."); window.location = "register-with-captcha-for-customer-records-management.php"; </script>';
if (strlen($P)<12) {echo '<script language="javascript">alert("Please enter 12 to 20 characters for password."); window.location = "register-with-captcha-for-customer-records-management.php"; </script>';
$pattern3 = '/[^a-zA-Z0-9\\_]/i';
$pattern4 = '/[^A-Za-z0-9\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\_]/i';
$replacement = '';
$U=preg_replace($pattern3, $replacement, $U);
$P=preg_replace($pattern4, $replacement, $P);
$D = date("d-m-Y");
$sql="INSERT INTO admin_members(id,username,password,ip,signup_date,salt)
VALUES(NULL, '$U', '$h', '$I', '$D', '$o')";
$sql = "SELECT id FROM admin_members WHERE username = '$U'";
$_SESSION['userid'] = $id;
echo '<script language="javascript">alert("Entries were made successfully.");</script>';
echo '<script language="javascript">alert("Entries were NOT made—something went wrong."); window.location="register-with-captcha-for-customer-records-management.php";</script>';}
if($N==1||$Entry==0){ ?>
<center><h1>Registration Script with Captcha for Customer Record Administration</h1></center>
<div id='myform'><BR><table id='t' border='0' cellspacing=0 cellpadding=2>
<form id='formpw' name="formpw" method="post" action="register-with-captcha-for-customer-records-management.php" onsubmit="return validatepassword()">
<tr><td class='k'><label for="User Name"><b>User Name: </b></td><td><input type="text" name="username" size="20" maxlength="20" value=""></label></td></tr>
<tr><td class='k'><label for="Password"><b>Password: </b></td><td><input type="password" name="password" size="20" maxlength="20" value=""></label></td></tr>
<tr><td class='k'><input type="hidden" name="entry" value="1">
</td><td><IMG SRC="captcha-with-sessions-customer-for-records-management.php" alt='captcha'>
<tr><td class='k'><label for="Captcha answer"><b>Captcha answer: </b></td><td><input type="text" name="answer" size="20" maxlength="20" value=""></label></td></tr>
<tr><td align=left colspan=2>
If you see no Captcha, disable your ad blocker.</td></tr>
<tr><td class='k'> </td><td><BR><input type="submit" value="Submit">
<input type="reset" value="Reset"></td></tr></form></table><BR>
<div id='links'><BR>
<a HREF="login-to-customer-records-management.php">Login (I've registered)</a><BR>
<div id='undisplayed'><BR>
The User Name and Password data in your profile will never be displayed in searches, nor revealed to third parties without your express permission.
<form name="MyForm" method="POST" action="login-to-customer-records-management.php">
<input type="hidden" name="username" value=" ">
<script language="javascript">
var u = <?php echo json_encode($U); ?>;