Objective: Use PHP, MySQL and HTML skills to create a working bulletin board. It registers users, then registered users can post messages to other users and can read messages posted by other users.

Put files in public_html/bb folder on weblab.

Don't forget real_escape_string(), htmlspecialchars(), etc. wherever they are needed.

Database tables - write a create.mysql to create your database tables. You probably should put DROP TABLES IF EXISTS commands at the top as most likely it won't work first time. Or you can use http://weblab.salemstate.edu/phpmyadmin (use your mysql username and password to log in).

Users - one record per user registered in system

    CREATE TABLE Users (
        u_userid    INTEGER UNSIGNED PRIMARY KEY AUTO_INCREMENT,
        u_username  VARCHAR(60),
        u_passhash  VARCHAR(60),       /*bcrypt hash from crypt() is 60 characters*/
        u_emailaddr VARCHAR(255),
        u_created   INTEGER UNSIGNED,  /*containing integer from time()*/
        u_lastlogin INTEGER UNSIGNED,  /*containing integer from time()*/
        u_validate  VARCHAR(20),
        UNIQUE KEY (u_username),
        UNIQUE KEY (u_emailaddr)
    );

Messages - one record per message sent

    CREATE TABLE Messages (
        m_msgid   INTEGER UNSIGNED PRIMARY KEY AUTO_INCREMENT,
        m_fromid  INTEGER UNSIGNED,  /*references u_userid*/
        m_sent    INTEGER UNSIGNED,  /*containing integer from time()*/
        m_subject VARCHAR(80),
        m_text    TEXT
    );

SendTos - one record per message sent per user sent to (many-to-many)

    CREATE TABLE SendTos (
        s_sendid INTEGER UNSIGNED PRIMARY KEY AUTO_INCREMENT,
        s_msgid  INTEGER UNSIGNED,  /*references m_msgid*/
        s_toid   INTEGER UNSIGNED,  /*references u_userid*/
        s_readit INTEGER UNSIGNED,  /*containing integer from time()*/
        KEY (s_msgid),
        KEY (s_toid)
    );

Web pages - here are the web page files you should create. Note that it is up to you to decide what url variables are needed for the .php scripts and whether to use GET or POST method.

 - makes sure the message was sent to the user who is logged in to prevent spying on someone else's messages
 - displays a single message
   says who from, when they sent it, subject, message

index.html

 - has links to login and register pages
   login.html
   register.html

register.html

 - display form with boxes for username, password, email address
 - also has a register button that links to register.php

register.php

 - gets values from the register.html form, username, password and email address
 - validates that username has only valid characters
   just allow letters and numbers
 - validates that username is not already registered
 - writes entry to database Users table:

     u_userid     gets filled in automatically by database
     u_username   what they entered on form
     u_passhash   see below
     u_emailaddr  what they entered on form
     u_created    current time from time() function
     u_lastlogin  0
     u_validate   see below

   u_passhash must be a password hash created with something like:

     // create password hash
     //  input:
     //   password = password string entered by user
     //  output:
     //   returns password hash string to write to database
     function passhash ($password)
     {
         // 17 random bytes, base64 encoded, trimmed to the 22-character bcrypt salt
         $salt = base64_encode (openssl_random_pseudo_bytes (17));
         $salt = '$2y$07$' . str_replace ('+', '.', substr ($salt, 0, 22));
         $hash = crypt ($password, $salt);
         return $hash;
     }

   it is safe to assume $hash does not have to be real_escape_string()d before writing to database as we create it with crypt() so it will not have any sql injection.

   u_validate contains random string for validation, you can use base64_encode() and openssl_random_pseudo_bytes() to generate this string just like the $salt string created in the passhash() function above. but do not use the same string, create a separate one for best security.

 - sends verification email with link to verification.php that looks something like:

     http://weblab.salemstate.edu/~S1234567/bb/verification.php
         ?userid=$userid&validate=$validate

   ...where $userid is the u_userid field from the user record just written and $validate is the random string just written to the u_validate field. you will have to pass $validate through the php urlencode() function before putting it in the email message so it gets the proper escapes or it might not work.

verification.php

 - get the userid and validate strings from the URL using $_GET
 - checks the userid and validation code in database
   if u_validate doesn't match, don't accept the verification
 - unlocks logins if correct by clearing the u_validate field
   just do a MySQL UPDATE command to set u_validate='' for that one user
 - displays a link to the login.html page

login.html

 - display form with username and password boxes
 - the form should have a 'Log In' button that links to login.php

login.php

 - get the username and password entered on the login.php form
 - checks username and password. if username not found or password doesn't match, die with an error message. it must also test that u_validate is blank meaning they have validated their email.

   You can put this function at the bottom of your database.php file to check password hash:

     // test the supplied password against database password
     //  input:
     //   password = password entered on form
     //   passhash = hash string from database
     //  output:
     //   returns TRUE iff password matches passhash
     function passtest ($password, $passhash)
     {
         // only accept hashes in the format passhash() creates
         if (strpos ($passhash, '$2y$07$') !== 0) return FALSE;
         // first 29 characters are the '$2y$07$' prefix plus the 22-character salt
         $salt = substr ($passhash, 0, 29);
         $hash = crypt ($password, $salt);
         // constant-time string comparison
         return hash_equals ($passhash, $hash);
     }

   If the username is found and the password is good and the u_validate column is blank, create a session using the session_start() function and the $_SESSION[] array.

   Note: The session_start() call must be made before any html code or anything is echoed by the php script. So it is best to put it at the very top of the .php file like this without any blank lines or spaces before it: ...otherwise it will not be able to set up the PHPSESSID cookie.

 - next, display list of incoming messages
   show From username, Sent date/time, Subject
   each message subject should be an html link to display the message, ie, link to display.php
   ...you will need to decide what to put on the link to get the selected message to display. if you don't know, just leave them off for now and then when you do the display.php form, figure out what you need to know in order to make display.php work.
 - also displays a link to send new message (links to newmessage.php)

newmessage.php

 - verify that someone is logged in by checking that $_SESSION['userid'] is a non-zero integer.
   don't forget to put session_start() at the very top of the script.
 - displays form asking:
    - who to send to (list of checkboxes)
    - subject
    - message (textarea)
    - button that says 'Send' that links to send.php

send.php

 - verify who is logged in as the sender
 - write message to database (Messages table) and who all it is being sent to (one record in SendTos for each checkbox checked)
 - display success message eg, "message successfully sent"

display.php

other php require files as desired (such as database.php)
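
The recipient check that the display.php requirement describes ("makes sure the message was sent to the user who is logged in"), as an added example that is not part of the original assignment. It assumes PDO with an in-memory SQLite copy of the three tables and constructed rows so it runs without the course server; fetch_message_for() and render_message() are hypothetical names, and the same SELECT works on MySQL.

```php
<?php
// Added example: display.php's recipient check, run against an in-memory
// SQLite stand-in for the page's tables (assumption, so it works offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (u_userid INTEGER PRIMARY KEY, u_username TEXT)');
$db->exec('CREATE TABLE Messages (m_msgid INTEGER PRIMARY KEY, m_fromid INTEGER,
           m_sent INTEGER, m_subject TEXT, m_text TEXT)');
$db->exec('CREATE TABLE SendTos (s_sendid INTEGER PRIMARY KEY, s_msgid INTEGER,
           s_toid INTEGER, s_readit INTEGER)');
// Constructed sample data: alice (1) sends message 10 to bob (2) only.
$db->exec("INSERT INTO Users VALUES (1,'alice'),(2,'bob'),(3,'carol')");
$db->exec("INSERT INTO Messages VALUES (10, 1, 1700000000, 'Hi <b>Bob</b>', 'Lunch?')");
$db->exec('INSERT INTO SendTos VALUES (100, 10, 2, 0)');

// Returns the message row only if $msgid was sent to $userid, else null.
// A missing message and someone else's message give the same result, so the
// caller cannot tell which message ids exist.
function fetch_message_for(PDO $db, int $userid, int $msgid): ?array
{
    $sql = 'SELECT u.u_username, m.m_sent, m.m_subject, m.m_text
              FROM Messages m
              JOIN SendTos s ON s.s_msgid  = m.m_msgid
              JOIN Users   u ON u.u_userid = m.m_fromid
             WHERE m.m_msgid = ? AND s.s_toid = ?';
    $stmt = $db->prepare($sql);          // placeholders: no string escaping needed
    $stmt->execute([$msgid, $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Every value that came from the database is escaped on output.
function render_message(array $row): string
{
    $e = fn($v) => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8');
    return '<p>From: ' . $e($row['u_username']) . '<br>Sent: '
         . $e(date('Y-m-d H:i', (int)$row['m_sent'])) . '<br>Subject: '
         . $e($row['m_subject']) . '</p><pre>' . $e($row['m_text']) . '</pre>';
}

// In display.php the user id comes from $_SESSION['userid'], never from the URL.
foreach ([2 => 'bob', 3 => 'carol'] as $userid => $name) {
    $row = fetch_message_for($db, $userid, 10);
    echo $name, ': ', $row ? render_message($row) : 'No such message.', "\n";
}
```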
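
The verification-link handling from register.php and verification.php, as an added example that is not part of the original assignment: it shows why the urlencode() step matters for a base64 validation string and how to reject an empty code. The function names, the sample token and the example.test host are assumptions made for illustration.

```php
<?php
// Added example: verification-link helpers (hypothetical names).

// Random validation string built the same way the page builds its salt.
// 15 random bytes encode to exactly 20 base64 characters with no '=' padding,
// which is the width of the u_validate column.
function new_validate_token(): string
{
    return base64_encode(openssl_random_pseudo_bytes(15));
}

// Builds the link for the email; urlencode() protects '+' and '/' in the token.
function verification_link(string $base, int $userid, string $validate): string
{
    return $base . '?userid=' . $userid . '&validate=' . urlencode($validate);
}

// TRUE only for a non-empty stored code that equals the submitted one.
// An empty u_validate means the account is already verified, so an empty
// submitted value must never count as a match.
function validate_matches(string $stored, string $submitted): bool
{
    return $stored !== '' && hash_equals($stored, $submitted);
}

// Constructed token containing '+' and '/', the base64 characters URLs mangle.
$token = 'ab+cd/ef+gh/ij+kl/mn';
$base  = 'http://example.test/bb/verification.php';   // placeholder host

// PHP url-decodes the query string when it fills $_GET; parse_str() does the same.
parse_str(parse_url(verification_link($base, 7, $token), PHP_URL_QUERY), $encoded);
parse_str("userid=7&validate=$token", $raw);   // link built without urlencode()

var_dump(strlen(new_validate_token()));                     // fits VARCHAR(20)
var_dump(validate_matches($token, $encoded['validate']));   // encoded link round-trips
var_dump(validate_matches($token, $raw['validate']));       // '+' arrived as a space
var_dump(validate_matches('', ''));                         // cleared code, empty input
```

In verification.php the same rule can be pushed into the UPDATE itself by matching on both u_userid and a non-empty u_validate, then checking that exactly one row changed.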
