
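<?php
// signup_action_smarty.php
//
// Handles the signup form submission: validates the posted fields, checks
// whether the user id is already taken, registers the new user and redirects
// to the matching Smarty page. Every path ends in an HTTP redirect, so this
// script never renders output itself.
include_once 'db.php';
include_once 'model.php';

/**
 * Returns a submitted POST field as a string, or '' when it is absent.
 *
 * Reading a missing key from $_POST directly raises an "Undefined index"
 * notice, and a field submitted as an array (e.g. newid[]=1) would be handed
 * to preg_match() as a non-string. Both cases are treated as "nothing
 * submitted" so they fail validation instead of producing notices/errors.
 *
 * @param string $name  POST field name
 * @return string
 */
function signup_post_field($name)
{
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        return $_POST[$name];
    }
    return '';
}

// Connect to database ($hostname, $db_name, $db_user, $db_passwd are
// presumably defined by db.php - not visible from this file)
$db = dbconnect($hostname, $db_name, $db_user, $db_passwd);

session_start();

// CSRF safeguard, expected origin URL: $_SERVER['HTTP_REFERER'] = 'http://intranet.deei.fct.ualg.pt/DAW/auth-db-sessions/signup_smarty.php'
//
// NOTE(review): a Referer check is only a weak CSRF mitigation: browsers,
// proxies and privacy settings may strip the header (so legitimate users get
// bounced) and it is not a secret. The usual defence is a per-session random
// token embedded in the form and compared here with hash_equals(); that needs
// a matching change in signup_smarty.php, so it is not introduced in this file.
/*
$match=preg_match("/\/DAW\/auth-db-sessions\/signup_smarty.php$/", $_SERVER['HTTP_REFERER']);
if(!$match) {
   header("Location: index_smarty.php");
       exit;
}
*/

// Read all form fields once, defaulting to '' (see signup_post_field()).
$newid    = signup_post_field('newid');
$newname  = signup_post_field('newname');
$newemail = signup_post_field('newemail');
$newnotes = signup_post_field('newnotes');

if (isset($_POST['reset'])) {
    // Discard the values remembered from a failed attempt and show a blank form.
    // newid is cleared too: previously it survived a reset and was re-displayed.
    unset($_SESSION['newid']);
    unset($_SESSION['newname']);
    unset($_SESSION['newemail']);
    unset($_SESSION['newnotes']);

    header("Location: signup_smarty.php");
    exit;
}

// Only handle real form submissions. This is NOT a CSRF safeguard: a form on
// another site can post 'submitok' just as easily (see the Referer note above).
if (!isset($_POST['submitok'])) {
    header("Location: index_smarty.php");
    exit;
}

// Process signup submission - simple input validation.
// newid: digits only; newname: ASCII letters and whitespace; newemail: the
// simplified address pattern below. On failure the typed values are kept in
// the session so signup_smarty.php can re-display them, and m=1 selects the
// "invalid input" message there.
if ($newid === '' || !preg_match("/^[0-9]+$/", $newid)
    || $newname === '' || !preg_match("/^[a-zA-Z\s]*$/", $newname)
    || $newemail === '' || !preg_match("/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/", $newemail)
) {
    $_SESSION['newid']    = $newid;
    $_SESSION['newname']  = $newname;
    $_SESSION['newemail'] = $newemail;
    $_SESSION['newnotes'] = $newnotes;

    header("Location: signup_smarty.php?m=1");
    exit;
}

// Check for existing user. The lookup lives in model.php; whether it uses a
// prepared statement cannot be seen from here - newid has only been checked
// against /^[0-9]+$/, newnotes has not been validated at all, so verify that
// model.php parameterises its queries before trusting these values.
$user_exists = check_if_user_exists($db, $newid);

if ($user_exists) {
    // fail: user already exists in database. The id is deliberately not kept,
    // so the form comes back with an empty id field; m=2 selects that message.
    $_SESSION['newemail'] = $newemail;
    $_SESSION['newname']  = $newname;
    $_SESSION['newnotes'] = $newnotes;

    header("Location: signup_smarty.php?m=2");
    exit;
}

// success: register new user. newnotes is free text; escaping for HTML must
// happen where it is rendered (the Smarty templates), not here.
register_user($db, $newid, $newname, $newemail, $newnotes);

/* email deactivated to avoid fake emails
  // Email the new password to the person.
  $message = "Hello

Your personal account for the Project Web Site
has been created!

Your personal login ID and password are as
follows:

   userid: $_POST['newid']
   password: $password

- Figo
";

mail($_POST['newemail'],"Your Password for the Website",
       $message, "From:Figo <figo@deei.fct.ualg.pt>");
*/

$_SESSION['message_type'] = 1;

header("Location: message_smarty.php");
// Stop here like every other redirect above; nothing must run after a
// Location header. The closing ?> is intentionally omitted so trailing
// whitespace can never be sent before the headers.
exit;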