Registration

<?php
/*
 * This is a PHP Secure login system.
 *
 */
//require user configuration and database connection parameters
require('config.php');

//pre-define validation parameters

$usernamenotempty=TRUE;
$usernamevalidate=TRUE;
$usernamenotduplicate=TRUE;
$passwordnotempty=TRUE;
$passwordmatch=TRUE;
$passwordvalidate=TRUE;

//Check if user submitted the desired password and username
if ((isset($_POST["desired_password"])) && (isset($_POST["desired_username"])) && (isset($_POST["desired_password1"])))  {

//Username and Password has been submitted by the user
//Receive and validate the submitted information
//sanitize user inputs

function sanitize($data){
$data=trim($data);
$data=htmlspecialchars($data);
$data=mysql_real_escape_string($data);
return $data;
}

$desired_username=sanitize($_POST["desired_username"]);
$desired_password=sanitize($_POST["desired_password"]);
$desired_password1=sanitize($_POST["desired_password1"]);

//validate username

if (empty($desired_username)) {
$usernamenotempty=FALSE;
} else {
$usernamenotempty=TRUE;
}

if ((!(ctype_alnum($desired_username))) || ((strlen($desired_username)) >11)) {
$usernamevalidate=FALSE;
} else {
$usernamevalidate=TRUE;
}

if (!($fetch = mysql_fetch_array( mysql_query("SELECT `username` FROM `authentication` WHERE `username`='$desired_username'")))) {
//no records for this user in the MySQL database
$usernamenotduplicate=TRUE;
}
else {
$usernamenotduplicate=FALSE;
}

//validate password

if (empty($desired_password)) {
$passwordnotempty=FALSE;
} else {
$passwordnotempty=TRUE;
}

if ((!(ctype_alnum($desired_password))) || ((strlen($desired_password)) < 8)) {
$passwordvalidate=FALSE;
} else {
$passwordvalidate=TRUE;
}

if ($desired_password==$desired_password1) {
$passwordmatch=TRUE;
} else {
$passwordmatch=FALSE;
}

if (($usernamenotempty==TRUE)
&& ($usernamevalidate==TRUE)
&& ($usernamenotduplicate==TRUE)
&& ($passwordnotempty==TRUE)
&& ($passwordmatch==TRUE)
&& ($passwordvalidate==TRUE)) {
//The username and password validation succeeds.

//Hash the password
//This is very important for security reasons because once the password has been compromised,
//The attacker cannot still get the plain text password equivalent without brute force.

function HashPassword($input)
{
//Credits: http://crackstation.net/hashing-security.html
//This is secure hashing the consist of strong hash algorithm sha 256 and using highly random salt
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
$hash = hash("sha256", $salt . $input);
$final = $salt . $hash;
return $final;
}

$hashedpassword= HashPassword($desired_password);

//Insert username and the hashed password to MySQL database

mysql_query("INSERT INTO `authentication` (`username`, `password`) VALUES ('$desired_username', '$hashedpassword')") or die(mysql_error());
//Send notification to webmaster
$message = "New member has just registered: $desired_username";
mail($email, $subject, $message, $from);
//redirect to login page
header(sprintf("Location: %s", $loginpage_url));
exit;
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Leads Dashboard</title>
<link href="css/style.css" rel="stylesheet" type="text/css" />
</head>

<body>
<div id="head-container">
  <div id="header">
    <h1><img src="Images/cl_header.png" width="1280" height="150" /></h1>
  </div>
</div>
<div id="content-container">
  <div id="content-container2">
    <div id="content-container3">
      <div id="content">
        <h1>Reports Dashboard</h1>
<!-- Start of registration form -->
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="POST">
Username: (<i>alphanumeric less than 12 characters</i>) <input type="text" class="<?php if (($usernamenotempty==FALSE) || ($usernamevalidate==FALSE) || ($usernamenotduplicate==FALSE))  echo "invalid"; ?>" id="desired_username" name="desired_username"><br /><br />
Password: (<i>alphanumeric greater than 8 characters</i>) <input name="desired_password" type="password" class="<?php if (($passwordnotempty==FALSE) || ($passwordmatch==FALSE) || ($passwordvalidate==FALSE)) echo "invalid"; ?>" id="desired_password" ><br /><br />
Type the password again: <input name="desired_password1" type="password" class="<?php if (($passwordnotempty==FALSE) || ($passwordmatch==FALSE) || ($passwordvalidate==FALSE)) echo "invalid"; ?>" id="desired_password1" ><br />
<br /><br />
<input type="submit" value="Register">
<br /><br />
<a href="index.php">Back to Homepage</a><br />
<!-- Display validation errors -->
<?php if ($usernamenotempty==FALSE) echo '<font color="red">You have entered an empty username.</font>'; ?><br />
<?php if ($usernamevalidate==FALSE) echo '<font color="red">Your username should be alphanumeric and less than 12 characters.</font>'; ?><br />
<?php if ($usernamenotduplicate==FALSE) echo '<font color="red">Please choose another username, your username is already used.</font>'; ?><br />
<?php if ($passwordnotempty==FALSE) echo '<font color="red">Your password is empty.</font>'; ?><br />
<?php if ($passwordmatch==FALSE) echo '<font color="red">Your password does not match.</font>'; ?><br />
<?php if ($passwordvalidate==FALSE) echo '<font color="red">Your password should be alphanumeric and greater 8 characters.</font>'; ?><br />
<br />
</form>
<!-- End of registration form -->
<p>&nbsp;</p>
      </div>
    </div>
  </div>
</div>
<div id="footer-container">
  <div id="footer">
    <div align="center">Mortgage Master Inc.
      409 Canal Street, Plantsville, CT 06479 • 860-716-1091 • CLang@mortgagemasterinc.com <br/>
      website powered by<br/>
      <a href="bkup/www.mbcinteractive.com">MBC Interactive</a></div>
  </div>
  </div>
</body>
</html>