// Copyright: Matthias Steffens and the file's // original author(s). // // This code is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY. Please see the GNU General Public // License for more details. // // File: ./user_validation.php // Repository: $HeadURL: file:///svn/p/refbase/code/branches/bleeding-edge/user_validation.php $ // Author(s): Matthias Steffens // // Created: 16-Apr-02, 10:54 // Modified: $Date: 2017-04-13 02:00:18 +0000 (Thu, 13 Apr 2017) $ // $Author: karnesky $ // $Revision: 1416 $ // This script validates user data entered into the form that is provided by 'user_details.php'. // If validation succeeds, it INSERTs or UPDATEs a user and redirects to a receipt page; // if it fails, it creates error messages and these are later displayed by 'user_details.php'. // TODO: I18n // Incorporate some include files: include 'initialize/db.inc.php'; // 'db.inc.php' is included to hide username and password include 'includes/include.inc.php'; // include common functions include 'initialize/ini.inc.php'; // include common variables // -------------------------------------------------------------------- // START A SESSION: // call the 'start_session()' function (from 'include.inc.php') which will also read out available session variables: start_session(true); // -------------------------------------------------------------------- // Initialize preferred display language: // (note that 'locales.inc.php' has to be included *after* the call to the 'start_session()' function) include 'includes/locales.inc.php'; // include the locales // -------------------------------------------------------------------- // Clear any errors that might have been found previously: $errors = array(); // Write the (POST) form variables into an array: foreach($_POST as $varname => $value) $formVars[$varname] = $value; // $formVars[$varname] = trim(clean($value, 50)); // the use of the clean function would be more secure! // -------------------------------------------------------------------- // First of all, check if this script was called by something else than 'user_details.php': if (!preg_match("#/user_details\.php#i", $referer)) // variable '$referer' is globally defined in function 'start_session()' in 'include.inc.php' { // return an appropriate error message: $HeaderString = returnMsg($loc["Warning_InvalidCallToScript"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString"); // functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php' header("Location: " . $referer); // redirect to calling page exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } // -------------------------------------------------------------------- // (1) OPEN CONNECTION, (2) SELECT DATABASE connectToMySQLDatabase(); // function 'connectToMySQLDatabase()' is defined in 'include.inc.php' // -------------------------------------------------------------------- // Validate the First Name if (empty($formVars["firstName"])) // First name cannot be a null string $errors["firstName"] = "The first name field cannot be blank:"; // elseif (preg_match("/\(" . $adminLoginEmail . "\)$/", empty($formVars["firstName"])) // elseif (!preg_match("/^[a-z'-]*$/i", $formVars["firstName"])) // // First name cannot contain white space // $errors["firstName"] = "The first name can only contain alphabetic characters or \"-\" or \"'\":"; elseif (strlen($formVars["firstName"]) > 50) $errors["firstName"] = "The first name can be no longer than 50 characters:"; // Validate the Last Name if (empty($formVars["lastName"])) // the user's last name cannot be a null string $errors["lastName"] = "The last name field cannot be blank:"; elseif (strlen($formVars["lastName"]) > 50) $errors["lastName"] = "The last name can be no longer than 50 characters:"; // Validate the Institution if (strlen($formVars["institution"]) > 255) $errors["institution"] = "The institution name can be no longer than 255 characters:"; // Validate the Institutional Abbreviation if (empty($formVars["abbrevInstitution"])) // the institutional abbreviation cannot be a null string $errors["abbrevInstitution"] = "The institutional abbreviation field cannot be blank:"; elseif (strlen($formVars["abbrevInstitution"]) > 25) $errors["abbrevInstitution"] = "The institutional abbreviation can be no longer than 25 characters:"; // Validate the Corporate Institution if (strlen($formVars["corporateInstitution"]) > 255) $errors["corporateInstitution"] = "The corporate institution name can be no longer than 255 characters:"; // Validate the Address // if (empty($formVars["address1"]) && empty($formVars["address2"]) && empty($formVars["address3"])) // // all the fields of the address cannot be null // $errors["address"] = "You must supply at least one address line:"; // else // { if (strlen($formVars["address1"]) > 50) $errors["address1"] = "The address line 1 can be no longer than 50 characters:"; if (strlen($formVars["address2"]) > 50) $errors["address2"] = "The address line 2 can be no longer than 50 characters:"; if (strlen($formVars["address3"]) > 50) $errors["address3"] = "The address line 3 can be no longer than 50 characters:"; // } // Validate the City // if (empty($formVars["city"])) // // the user's city cannot be a null string // $errors["city"] = "You must supply a city:"; if (strlen($formVars["city"]) > 40) $errors["city"] = "The city can be no longer than 40 characters:"; // Validate State - any string less than 51 characters if (strlen($formVars["state"]) > 50) $errors["state"] = "The state can be no longer than 50 characters:"; // Validate Zip code // if (!preg_match("/^([0-9]{4,5})$/", $formVars["zipCode"])) // $errors["zipCode"] = "The zip code must be 4 or 5 digits in length:"; if (strlen($formVars["zipCode"]) > 25) $errors["zipCode"] = "The zip code can be no longer than 25 characters:"; // Validate Country if (strlen($formVars["country"]) > 40) $errors["country"] = "The country can be no longer than 40 characters:"; // Validate Phone if (strlen($formVars["phone"]) > 50) $errors["phone"] = "The phone number can be no longer than 50 characters:"; elseif (!empty($formVars["phone"]) && !preg_match("#^[0-9 /+-]+$#i", $formVars["phone"])) // '+49 431/600-1233' would be a valid format // The phone must match the above regular expression (i.e., it should only consist out of digits, the characters '/+-' and a space) $errors["phone"] = "The phone number must consist out of digits plus the optional characters '+/- ',\n\t\t
\n\t\te.g., '+49 431/600-1233' would be a valid format:"; // // Phone is optional, but if it is entered it must have correct format // $validPhoneExpr = "^([0-9]{2,3}[ ]?)?[0-9]{4}[ ]?[0-9]{4}$"; // if (!empty($formVars["phone"]) && !preg_match("/" . $validPhoneExpr . "/", $formVars["phone"])) // $errors["phone"] = "The phone number must be 8 digits in length, with an optional 2 or 3 digit area code:"; // Validate URL if (strlen($formVars["url"]) > 255) $errors["url"] = "The URL can be no longer than 255 characters:"; // Only validate email if this is an INSERT: // Validation is triggered for NEW USERS (visitors who aren't logged in) as well as the ADMIN // (the email field isn't shown to logged in non-admin-users anyhow) if (!isset($_SESSION['loginEmail']) | (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail) && ($_REQUEST['userID'] == ""))) { // Check syntax $validEmailExpr = "^[0-9a-z~!#$%&_-]([.]?[0-9a-z~!#$%&_-])*@[0-9a-z~!#$%&_-]([.]?[0-9a-z~!#$%&_-])*$"; if (empty($formVars["email"])) // the user's email cannot be a null string $errors["email"] = "You must supply an email address:"; elseif (!preg_match("/" . $validEmailExpr . "/i", $formVars["email"])) // The email must match the above regular expression $errors["email"] = "The email address must be in the name@domain format:"; elseif (strlen($formVars["email"]) > 50) // The length cannot exceed 50 characters $errors["email"] = "The email address can be no longer than 50 characters:"; // elseif (!(getmxrr(substr(strstr($formVars["email"], '@'), 1), $temp)) || checkdnsrr(gethostbyname(substr(strstr($formVars["email"], '@'), 1)), "ANY")) // // There must be a Domain Name Server (DNS) record for the domain name // $errors["email"] = "The domain does not exist:"; else // Check if the email address is already in use in the database: { $query = "SELECT * FROM $tableAuth WHERE email = " . quote_smart($formVars["email"]); // CONSTRUCT SQL QUERY // (3) RUN the query on the database through the connection: $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' if (mysqli_num_rows($result) == 1) // (4) Interpret query result: Is it taken? $errors["email"] = "A user already exists with this email address as login name.\n\t\t
\n\t\tPlease enter a different one:"; } } // If this was an INSERT, we do not allow the password field to be blank: // Validation is triggered for NEW USERS (visitors who aren't logged in) as well as the ADMIN if (!isset($_SESSION['loginEmail']) | (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail) && ($_REQUEST['userID'] == ""))) if (empty($formVars["loginPassword"])) // Password cannot be a null string $errors["loginPassword"] = "The password field cannot be blank:"; if ($formVars["loginPassword"] != $formVars["loginPasswordRetyped"]) $errors["loginPassword"] = "You typed two different passwords! Please make sure\n\t\t
\n\t\tthat you type your password correctly:"; elseif (strlen($formVars["loginPassword"]) > 15) $errors["loginPassword"] = "The password can be no longer than 15 characters:"; // alternatively, only validate password if it's length is between 6 and 8 characters // elseif (!isset($_SESSION['loginEmail']) && (strlen($formVars["loginPassword"]) < 6 || strlen($formVars["loginPassword"] > 8))) // $errors["loginPassword"] = "The password must be between 6 and 8 characters in length:"; // -------------------------------------------------------------------- // Now the script has finished the validation, check if there were any errors: if (count($errors) > 0) { // Write back session variables: saveSessionVariable("errors", $errors); // function 'saveSessionVariable()' is defined in 'include.inc.php' saveSessionVariable("formVars", $formVars); // There are errors. Relocate back to the client form: header("Location: user_details.php?userID=" . $_REQUEST['userID']); // 'userID' got included as hidden form tag by 'user_details.php' (for new users 'userID' will be empty but will get ignored by 'INSERT...' anyhow) exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } // -------------------------------------------------------------------- // If we made it here, then the data is valid! // CONSTRUCT SQL QUERY: // First, setup some required variables: // Get the current date (e.g. '2003-12-31'), time (e.g. '23:59:49') and user name & email address (e.g. 'Matthias Steffens (refbase@extracts.de)'): list ($currentDate, $currentTime, $currentUser) = getCurrentDateTimeUser(); // function 'getCurrentDateTimeUser()' is defined in 'include.inc.php' // If a user is logged in and has submitted 'user_details.php' with a 'userID' parameter: // (while the admin has no restrictions, a normal user can only submit 'user_details.php' with his own 'userID' as parameter!) if (isset($_SESSION['loginEmail']) && ($_REQUEST['userID'] != "")) // -> perform an update: { if ($loginEmail != $adminLoginEmail) // if not admin logged in $userID = getUserID($loginEmail); // Get the 'user_id' using 'loginEmail' (function 'getUserID()' is defined in 'include.inc.php') else // if the admin is logged in he should be able to make any changes to account data of _other_ users... $userID = $_REQUEST['userID']; // ...in this case we accept 'userID' from the GET/POST request (it got included as hidden form tag by 'user_details.php') // UPDATE - construct a query to update the relevant record $query = "UPDATE $tableUsers SET " . "first_name = " . quote_smart($formVars["firstName"]) . ", last_name = " . quote_smart($formVars["lastName"]) . ", title = " . quote_smart($formVars["title"]) . ", institution = " . quote_smart($formVars["institution"]) . ", abbrev_institution = " . quote_smart($formVars["abbrevInstitution"]) . ", corporate_institution = " . quote_smart($formVars["corporateInstitution"]) . ", address_line_1 = " . quote_smart($formVars["address1"]) . ", address_line_2 = " . quote_smart($formVars["address2"]) . ", address_line_3 = " . quote_smart($formVars["address3"]) . ", zip_code = " . quote_smart($formVars["zipCode"]) . ", city = " . quote_smart($formVars["city"]) . ", state = " . quote_smart($formVars["state"]) . ", country = " . quote_smart($formVars["country"]) . ", phone = " . quote_smart($formVars["phone"]) . ", url = " . quote_smart($formVars["url"]); if (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail)) { $query .= ", keywords = " . quote_smart($formVars["keywords"]) . ", notes = " . quote_smart($formVars["notes"]) . ", marked = " . quote_smart($formVars["marked"]); } if (isset($_SESSION['loginEmail'])) $query .= ", modified_by = " . quote_smart($currentUser); $query .= ", modified_date = " . quote_smart($currentDate) . ", modified_time = " . quote_smart($currentTime); $query .= " WHERE user_id = " . quote_smart($userID); } // If an authorized user uses 'user_details.php' to add a new user (-> 'userID' is empty!): // INSERTs are allowed to: // 1. EVERYONE who's not logged in (but ONLY if variable '$addNewUsers' in 'ini.inc.php' is set to "everyone"!) // (Note that this feature is actually only meant to add the very first user to the users table. // After you've done so, it is highly recommended to change the value of '$addNewUsers' to 'admin'!) // -or- 2. the ADMIN only (if variable '$addNewUsers' in 'ini.inc.php' is set to "admin") elseif ((!isset($_SESSION['loginEmail']) && ($addNewUsers == "everyone") && ($_REQUEST['userID'] == "")) | (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail) && ($_REQUEST['userID'] == ""))) // -> perform an insert: { // INSERT - construct a query to add data as new record $query = "INSERT INTO $tableUsers SET " . "first_name = " . quote_smart($formVars["firstName"]) . ", last_name = " . quote_smart($formVars["lastName"]) . ", title = " . quote_smart($formVars["title"]) . ", institution = " . quote_smart($formVars["institution"]) . ", abbrev_institution = " . quote_smart($formVars["abbrevInstitution"]) . ", corporate_institution = " . quote_smart($formVars["corporateInstitution"]) . ", address_line_1 = " . quote_smart($formVars["address1"]) . ", address_line_2 = " . quote_smart($formVars["address2"]) . ", address_line_3 = " . quote_smart($formVars["address3"]) . ", zip_code = " . quote_smart($formVars["zipCode"]) . ", city = " . quote_smart($formVars["city"]) . ", state = " . quote_smart($formVars["state"]) . ", country = " . quote_smart($formVars["country"]) . ", phone = " . quote_smart($formVars["phone"]) . ", url = " . quote_smart($formVars["url"]); if (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail)) { $query .= ", keywords = " . quote_smart($formVars["keywords"]) . ", notes = " . quote_smart($formVars["notes"]) . ", marked = " . quote_smart($formVars["marked"]); } $query .= ", email = " . quote_smart($formVars["email"]); if (isset($_SESSION['loginEmail'])) $query .= ", created_by = " . quote_smart($currentUser); $query .= ", created_date = " . quote_smart($currentDate) . ", created_time = " . quote_smart($currentTime); if (isset($_SESSION['loginEmail'])) $query .= ", modified_by = " . quote_smart($currentUser); $query .= ", modified_date = " . quote_smart($currentDate) . ", modified_time = " . quote_smart($currentTime); $query .= ", language = \"" . $defaultLanguage . "\"" // '$defaultLanguage' is defined in 'ini.inc.php' (the language setting can be changed by the user in 'user_options.php') . ", last_login = NOW()" // set 'last_login' field to the current date & time in 'DATETIME' format (which is 'YYYY-MM-DD HH:MM:SS', e.g.: '2003-12-31 23:45:59') . ", logins = 1 "; // set the number of logins to 1 (so that any subsequent login attempt can be counted correctly) } // if '$addNewUsers' is set to 'admin': MAIL feedback to new user & send data to admin for approval: // no user is logged in (since 'user_details.php' cannot be called w/o a 'userID' by a logged in user, // 'user_details.php' must have been submitted by a NEW user!) elseif ($addNewUsers == "admin" && ($_REQUEST['userID'] == "")) { // First, we have to query for the proper admin name, so that we can include this name within the emails: $query = "SELECT first_name, last_name FROM $tableUsers WHERE email = " . quote_smart($adminLoginEmail); // CONSTRUCT SQL QUERY ('$adminLoginEmail' is specified in 'ini.inc.php') // (3a) RUN the query on the database through the connection: $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' $row = mysqli_fetch_array($result); // (3b) EXTRACT results: fetch the current row into the array $row // 1) Mail feedback to user, i.e., send the person who wants to be added as new user a notification email: $emailRecipient = $formVars["firstName"] . " " . $formVars["lastName"] . " <" . $formVars["email"] . ">"; $emailSubject = "Your request to participate at the " . $officialDatabaseName; // ('$officialDatabaseName' is specified in 'ini.inc.php') $emailBody = "Dear " . $formVars["firstName"] . " " . $formVars["lastName"] . "," . "\n\nthanks for your interest in the " . $officialDatabaseName . "!" . "\nThe data you provided have been sent to our database admin." . "\nWe'll process your request and mail back to you as soon as we can." . "\n\n--" . "\n" . $databaseBaseURL . "index.php"; // ('$databaseBaseURL' is specified in 'ini.inc.php') sendEmail($emailRecipient, $emailSubject, $emailBody); // 2) Send user data to admin for approval: $emailRecipient = $row["first_name"] . " " . $row["last_name"] . " <" . $adminLoginEmail . ">"; // ('$adminLoginEmail' is specified in 'ini.inc.php') $emailSubject = "User request to participate at the " . $officialDatabaseName; // ('$officialDatabaseName' is specified in 'ini.inc.php') $emailBody = "Dear " . $row["first_name"] . " " . $row["last_name"] . "," . "\n\nsomebody wants to join the " . $officialDatabaseName . ":" . "\n\n" . $formVars["firstName"] . " " . $formVars["lastName"] . " (" . $formVars["abbrevInstitution"] . ") submitted the form at" . "\n\n <" . $databaseBaseURL . "user_details.php>" . "\n\nwith the data below:" . "\n\n first name: " . $formVars["firstName"] . "\n last name: " . $formVars["lastName"] . "\n institution: " . $formVars["institution"] . "\n institutional abbreviation: " . $formVars["abbrevInstitution"] . "\n corporate institution: " . $formVars["corporateInstitution"] . "\n address line 1: " . $formVars["address1"] . "\n address line 2: " . $formVars["address2"] . "\n address line 3: " . $formVars["address3"] . "\n zip code: " . $formVars["zipCode"] . "\n city: " . $formVars["city"] . "\n state: " . $formVars["state"] . "\n country: " . $formVars["country"] . "\n phone: " . $formVars["phone"] . "\n url: " . $formVars["url"] . "\n email: " . $formVars["email"] . "\n password: " . $formVars["loginPassword"] . "\n\nPlease contact " . $formVars["firstName"] . " " . $formVars["lastName"] . " to approve the request." . "\n\n--" . "\n" . $databaseBaseURL . "index.php"; // ('$databaseBaseURL' is specified in 'ini.inc.php') sendEmail($emailRecipient, $emailSubject, $emailBody); header("Location: user_receipt.php?userID=-1"); // Note: we use the non-existing user ID '-1' as trigger to show the email notification receipt page (instead of the standard receipt page) exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } // -------------------------------------------------------------------- // (3) RUN the query on the database through the connection: $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' // ---------------------------------------------- // If this was an UPDATE - we save possible name changes to the session file (so that this new user name can be displayed by the 'showLogin()' function): if (isset($_SESSION['loginEmail']) && ($_REQUEST['userID'] != "")) { // We only save name changes if a normal user is logged in -OR- the admin is logged in AND the updated user data are his own! // (We have to account for that the admin is allowed to view and edit account data from other users) if (($loginEmail != $adminLoginEmail) | (($loginEmail == $adminLoginEmail) && ($userID == getUserID($loginEmail)))) { $loginFirstName = $formVars["firstName"]; $loginLastName = $formVars["lastName"]; } // If the user provided a new password, we need to UPDATE also the 'auth' table (which contains the login credentials for each user): if ($formVars["loginPassword"] != "") // a new password was provided by the user... { // Use the first two characters of the email as a salt for the password // Note: The user's email is NOT included as a regular form field for UPDATEs. To make it available as 'salt' // the user's email gets included as a hidden form tag by 'user_details.php'! $salt = substr($formVars["email"], 0, 2); // Create the encrypted password $stored_password = crypt($formVars["loginPassword"], $salt); // Update the user's password within the auth table $query = "UPDATE $tableAuth SET " . "password = " . quote_smart($stored_password) . " WHERE user_id = " . quote_smart($userID); $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' } } // If this was an INSERT, we'll also need to INSERT into the 'auth' table (which contains the login credentials for each user) as well as into some 'user_*' tables: // INSERTs are allowed to: // 1. EVERYONE who's not logged in (but ONLY if variable '$addNewUsers' in 'ini.inc.php' is set to "everyone"!) // (Note that this feature is actually only meant to add the very first user to the users table. // After you've done so, it is highly recommended to change the value of '$addNewUsers' to 'admin'!) // -or- 2. the ADMIN only (if variable '$addNewUsers' in 'ini.inc.php' is set to "admin") elseif ((!isset($_SESSION['loginEmail']) && ($addNewUsers == "everyone") && ($_REQUEST['userID'] == "")) | (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail) && ($_REQUEST['userID'] == ""))) // -> perform an insert: { // Get the user id that was created $userID = @ mysqli_insert_id($connection); // Use the first two characters of the email as a salt for the password $salt = substr($formVars["email"], 0, 2); // Create the encrypted password $stored_password = crypt($formVars["loginPassword"], $salt); // Insert a new user into the auth table $queryArray[] = "INSERT INTO $tableAuth SET " . "user_id = " . quote_smart($userID) . ", " . "email = " . quote_smart($formVars["email"]) . ", " . "password = " . quote_smart($stored_password); // Insert a row for this new user into the 'user_permissions' table: $defaultUserPermissionsString = implode("\", \"", $defaultUserPermissions); // '$defaultUserPermissions' is defined in 'ini.inc.php' // TODO: quote_smart() $queryArray[] = "INSERT INTO $tableUserPermissions VALUES (NULL, " . $userID . ", \"" . $defaultUserPermissionsString . "\")"; // Note: Refbase lets you define default formats/styles/types in 'ini.inc.php' by their name (and not by ID numbers) which means that // the format/style/type names within the 'formats/styles/types' table must be unique! foreach($defaultUserExportFormats as $defaultUserExportFormat) { // get the 'format_id' for the record entry in table 'formats' whose 'format_name' matches that in '$defaultUserExportFormats' (defined in 'ini.inc.php'): $query = "SELECT format_id FROM $tableFormats WHERE format_name = " . quote_smart($defaultUserExportFormat) . " AND format_type = 'export'"; $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' $row = mysqli_fetch_array($result); // Insert a row with the found format ID for this new user into the 'user_formats' table: $queryArray[] = "INSERT INTO $tableUserFormats VALUES (NULL, " . quote_smart($row["format_id"]) . ", " . quote_smart($userID) . ", \"true\")"; } foreach($defaultUserCiteFormats as $defaultUserCiteFormat) { // get the 'format_id' for the record entry in table 'formats' whose 'format_name' matches that in '$defaultUserCiteFormats' (defined in 'ini.inc.php'): $query = "SELECT format_id FROM $tableFormats WHERE format_name = " . quote_smart($defaultUserCiteFormat) . " AND format_type = 'cite'"; $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' $row = mysqli_fetch_array($result); // Insert a row with the found format ID for this new user into the 'user_formats' table: $queryArray[] = "INSERT INTO $tableUserFormats VALUES (NULL, " . quote_smart($row["format_id"]) . ", " . quote_smart($userID) . ", \"true\")"; } foreach($defaultUserStyles as $defaultUserStyle) { // get the 'style_id' for the record entry in table 'styles' whose 'style_name' matches that in '$defaultUserStyles' (defined in 'ini.inc.php'): $query = "SELECT style_id FROM $tableStyles WHERE style_name = " . quote_smart($defaultUserStyle); $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' $row = mysqli_fetch_array($result); // Insert a row with the found style ID for this new user into the 'user_styles' table: $queryArray[] = "INSERT INTO $tableUserStyles VALUES (NULL, " . quote_smart($row["style_id"]) . ", " . quote_smart($userID) . ", \"true\")"; } foreach($defaultUserTypes as $defaultUserType) { // get the 'type_id' for the record entry in table 'types' whose 'type_name' matches that in '$defaultUserTypes' (defined in 'ini.inc.php'): $query = "SELECT type_id FROM $tableTypes WHERE type_name = " . quote_smart($defaultUserType); $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' $row = mysqli_fetch_array($result); // Insert a row with the found type ID for this new user into the 'user_types' table: $queryArray[] = "INSERT INTO $tableUserTypes VALUES (NULL, " . quote_smart($row["type_id"]) . ", " . quote_smart($userID) . ", \"true\")"; } // Insert a row for this new user into the 'user_options' table: $defaultUserOptionsString = implode("\", \"", $defaultUserOptions); // '$defaultUserOptions' is defined in 'ini.inc.php' $defaultUserOptionsString = preg_replace('/""/', "NULL", $defaultUserOptionsString); // replace empty string with NULL // TODO: quote_smart() $queryArray[] = "INSERT INTO $tableUserOptions VALUES (NULL, " . $userID . ", \"" . $defaultUserOptionsString . "\")"; // RUN the queries on the database through the connection: foreach($queryArray as $query) $result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php' // if EVERYONE who's not logged in is able to add a new user (which is the case if the variable '$addNewUsers' in 'ini.inc.php' // is set to "everyone", see note above!), then we have to make sure that this visitor gets logged into his new // account - otherwise the following receipt page ('users_receipt.php') will generate an error: if (!isset($_SESSION['loginEmail']) && ($addNewUsers == "everyone") && ($_REQUEST['userID'] == "")) { // Log the user into his new account by assigning his information to // those variables that will be written to the '$_SESSION' variable below: $loginEmail = $formVars["email"]; $loginUserID = $userID; $loginFirstName = $formVars["firstName"]; $loginLastName = $formVars["lastName"]; $abbrevInstitution = $formVars["abbrevInstitution"]; $lastLogin = date('Y-m-d H:i:s'); // use the current date & time // Get the user permissions for the newly created user // and save all allowed user actions as semicolon-delimited string to the session variable 'user_permissions': getPermissions($userID, "user", true); // function 'getPermissions()' is defined in 'include.inc.php' } } // Write back session variables: saveSessionVariable("loginEmail", $loginEmail); // function 'saveSessionVariable()' is defined in 'include.inc.php' saveSessionVariable("loginUserID", $loginUserID); saveSessionVariable("loginFirstName", $loginFirstName); saveSessionVariable("loginLastName", $loginLastName); saveSessionVariable("abbrevInstitution", $abbrevInstitution); saveSessionVariable("lastLogin", $lastLogin); // If an authorized user uses 'user_details.php' to add a new user (-> 'userID' is empty!): if ((!isset($_SESSION['loginEmail']) && ($addNewUsers == "everyone") && ($_REQUEST['userID'] == "")) | (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail) && ($_REQUEST['userID'] == ""))) { saveSessionVariable("userLanguage", $defaultLanguage); // '$defaultLanguage' is defined in 'ini.inc.php' saveSessionVariable("userRecordsPerPage", $defaultUserOptions['records_per_page']); // '$defaultUserOptions' is defined in 'ini.inc.php' saveSessionVariable("userAutoCompletions", $defaultUserOptions['show_auto_completions']); saveSessionVariable("userMainFields", $defaultUserOptions['main_fields']); } // Get all user groups specified by the current user // and (if some groups were found) save them as semicolon-delimited string to the session variable 'userGroups': getUserGroups($tableUserData, $loginUserID); // function 'getUserGroups()' is defined in 'include.inc.php' if ($loginEmail == $adminLoginEmail) // ('$adminLoginEmail' is specified in 'ini.inc.php') // Get all user groups specified by the admin // and (if some groups were found) save them as semicolon-delimited string to the session variable 'adminUserGroups': getUserGroups($tableUsers, $loginUserID); // function 'getUserGroups()' is defined in 'include.inc.php' // Similarly, get all queries that were saved previously by the current user // and (if some queries were found) save them as semicolon-delimited string to the session variable 'userQueries': getUserQueries($loginUserID); // function 'getUserQueries()' is defined in 'include.inc.php' // Clear the 'errors' and 'formVars' session variables so a future

is blank: deleteSessionVariable("errors"); // function 'deleteSessionVariable()' is defined in 'include.inc.php' deleteSessionVariable("formVars"); // ---------------------------------------------- // (4) Now show the user RECEIPT: header("Location: user_receipt.php?userID=$userID"); // (5) CLOSE the database connection: disconnectFromMySQLDatabase(); // function 'disconnectFromMySQLDatabase()' is defined in 'include.inc.php' // -------------------------------------------------------------------- ?>