This application features: Login, Registration, Password Reset, Lost User Name, Lost Activation, Role-based Page Security, User Profiles, a complete User Account/Credentials Management back-end, plus bonus add-ons (File Explorer, Data-Driven Menu System). It can be used as a PHP/MySQL website starter kit or integrated into your already existing site, with all the page security and user management features already built in.
It is a feature-rich user management application that is easy to implement and takes care of all the basics, saving you time so you can focus on what's important. Use it as a template to start your next project, or add it to your existing site to provide out-of-the-box security, user management features and so much more…
This application requires PHP 5.2.x or above on Linux and 5.3.x or above on Windows Server. PHP 5.2 will suffice on Windows but some functionality will not be available.
The file download is a ZIP file. So, unpack the file to your desktop. You will get a single folder called "psum", inside which you will find the application files. The file structure inside the unpacked folder should look something like the following image.
First things first... If you haven't created a MySQL database before, you can follow the instructions below. Create a new empty database in your hosting control panel and run the provided dbpsum.sql script on it to create all the database tables provided with this application.
This file stores some global settings that are used throughout the application. Everything here is simple, self-explanatory and straightforward. The settings exist to make programming easier, to avoid redundancy and to let you turn features ON/OFF conveniently: if a value needs changing or a feature needs switching, it is done in one place rather than in a bunch of files. THE ONLY THING YOU HAVE TO CHANGE HERE IS YOUR EMAIL ADDRESS SO THE APPLICATION KNOWS WHERE TO SEND THE EMAILS WHEN REQUIRED.
At the time of this writing, there are 24 plus groups of settings that can be edited. The following sections below highlight a few important ones.
Securing the pages you will create is very simple. You simply insert a PHP snippet at the top of each of your PHP pages that you wish to protect. Once the snippet is in place, you can define the role or roles that are allowed to access the page. User Roles can be created in the admin panel. Let's take a look at how the snippet works:
<?php
//------------------------------------------------------------
// RESTRICT ACCESS TO PAGE
//------------------------------------------------------------
require_once('web.config.php');
require_once(ROOT_PATH.'global.php');
$auth_roles = array('owner','superadmin','etc.'); // << add roles here
//$premium_on = 1; $premium_access_levels = array('1','2');// << add premium access levels here
require_once(ROOT_PATH.'modules/authorization/auth.php');
?>
It is highly recommended that you include the owner role in all protected pages, because access is strictly restricted to the roles listed on each protected page; this ensures that the owner of the site has the highest privileges and can access any page. If the naming conventions of the default roles do not suffice, you can create your own roles and hierarchy in the admin panel and use them accordingly in your protected pages. Please note that while the use of the default roles is not mandatory, they are protected by the application and delete requests are simply ignored, just in case you need them later and would regret having deleted them.
There are no limits to the number of roles and no limits on how many roles a user is in. The application logic is very flexible and it is entirely up to you how you use them. The only thing you need to remember is that whatever role(s) is/are present in your code snippet, users in those roles are permitted to view the page. That's it!
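The following is an added illustration of the "any listed role grants access" rule described above; it is not the project's own modules/authorization/auth.php. The session key $_SESSION['roles'], the function names and the 302/403 handling are assumptions, and the code uses PHP 7+ syntax.

```php
<?php
// Added example: how a page's $auth_roles list can be checked against the
// roles stored for the logged-in user. Not the project's auth.php.

/**
 * Return true when at least one of the user's roles appears in the page's
 * $auth_roles list. Comparison is exact and case-sensitive, so role names
 * must be written exactly as they were created in the admin panel.
 */
function user_may_view_page(array $userRoles, array $authRoles): bool
{
    // array_intersect keeps the values of $userRoles that also occur in $authRoles
    return count(array_intersect($userRoles, $authRoles)) > 0;
}

/**
 * Hypothetical guard in the style of the snippet above: stop rendering when
 * no session role matches. A visitor without any session is sent to the login
 * page; a logged-in user with the wrong role gets 403 and no page content.
 */
function restrict_access(array $authRoles, string $loginUrl): void
{
    $userRoles = $_SESSION['roles'] ?? [];   // assumed session layout (constructed)
    if (user_may_view_page($userRoles, $authRoles)) {
        return;                              // authorized: continue rendering the page
    }
    if (empty($userRoles)) {
        header('Location: ' . $loginUrl, true, 302);
    } else {
        header('HTTP/1.1 403 Forbidden');
    }
    exit;                                    // never fall through to the page body
}

// Constructed sample: an "admin" user visiting an owner/superadmin-only page.
$auth_roles = array('owner', 'superadmin');
var_dump(user_may_view_page(['admin'], $auth_roles));
var_dump(user_may_view_page(['admin', 'owner'], $auth_roles));
```

Because the check is a plain set intersection, a user in several roles is admitted as soon as any one of them is listed, which is exactly the behaviour the paragraph above describes; there is no implicit hierarchy, so "owner" has to be spelled out on every page where the owner should get in.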
If you want to take advantage of the recaptcha modules that are built in to the Login, Registration, Password Reset and Lost Activation modules, it is highly recommended that you register an account and create your own public and private keys. You can go here http://www.google.com/recaptcha to do all of that. I have included a generic set of keys so you can test the application without having to mess with it but it is not secure since everyone who downloads the application will have the same pair of keys. So, please make sure you DON'T forget!
Recaptcha adds an extra layer of security to your application and it is highly recommended. However, if you do not wish to use it on your Login and Registration pages, you can turn them off in the web.config.php file. Simply set the value to zero (0). To turn it back on, set the value back to one (1). Here is a visual to help you along:
This app was built with simple event driven programming so the code is easy to understand and edit even if you are a beginning / junior PHP developer.
There are lots of files, only because I tried to break out and isolate every distinct piece of functionality to make finding and editing code as easy as possible. Once you've become familiar with the basic organization, it will be a breeze to make edits and modifications.
The files that are actually viewed in the browser contain only include statements, to keep things clean and organized. All code files are located in the "modules" folders, one for each major section of the site: there is a "modules" folder in the site root, one in the "admin" section, one in the "user" folder and another one in the "feedback" folder. Each "modules" folder also contains an ".htaccess" file that prevents direct access to these code files; they can only be used as include files within the application. Here is a visual to help you along.
As you can see, the control directories are pretty straightforward and just about explain themselves. Each directory is named after the functionality its files perform. The PHP files inside them are organized in the same easy-to-follow way, based on nothing more than common sense... or so is my hope. This allows you, hopefully, to quickly explore and find the code you're looking for.
The administrator of the site, within the admin panel, can create an unlimited number of subscription categories, each with an unlimited number of subcategories (rates).
This section comprises four main categories:
The PayPal IPN file of this application automates the process of premium subscriptions. It handles all the transactions sent by PayPal, verifies and double-checks all incoming information, and is safe against all fraudulent submissions. Fraudulent submissions as well as failed transactions are recorded in the database, flagged, and an alert e-mail is sent to the site administrator with the transaction details as well as the full raw data stream captured by the IPN.
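As an added example (not the project's IPN file), here are the consistency checks an IPN handler applies to a notification after PayPal has answered VERIFIED to the postback. The postback itself, the database calls and the alert e-mail are left out. The field names are PayPal's standard IPN variables; the function names, the $expected array shape and all sample values are constructed.

```php
<?php
// Added example: post-verification checks on a PayPal IPN message.
// Not the project's own code; PayPal IPN field names, everything else assumed.

/** Whole cents from a decimal string, so "19.99" and "19.990" compare equal. */
function cents(string $amount): int
{
    return (int) round(((float) $amount) * 100);
}

/**
 * Return the reasons to reject this notification; an empty list means the
 * subscription may be activated. $expected holds what the site itself knows:
 * the PayPal account that should receive the money and the selected rate's
 * price and currency. $seenTxnIds are the txn_id values already processed.
 */
function ipn_rejection_reasons(array $ipn, array $expected, array $seenTxnIds): array
{
    $reasons = [];
    // only a completed payment counts; Pending, Reversed or Refunded unlock nothing
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $reasons[] = 'payment_status is not Completed';
    }
    // the money must have gone to this site's account, not to the sender's own
    if (strcasecmp($ipn['receiver_email'] ?? '', $expected['receiver_email']) !== 0) {
        $reasons[] = 'receiver_email does not match';
    }
    // amount and currency must equal the rate the user picked
    if (($ipn['mc_currency'] ?? '') !== $expected['currency']
        || cents($ipn['mc_gross'] ?? '0') !== cents($expected['amount'])) {
        $reasons[] = 'mc_gross/mc_currency do not match the subscription rate';
    }
    // txn_id is unique per payment; seeing it again means a replayed message
    if (in_array($ipn['txn_id'] ?? '', $seenTxnIds, true)) {
        $reasons[] = 'txn_id already processed';
    }
    return $reasons;
}

// Constructed sample data
$expected = ['receiver_email' => 'payments@your-domain-name.com',
             'amount' => '19.99', 'currency' => 'USD'];
$seen = ['TXN-EXAMPLE-0001'];
$good = ['payment_status' => 'Completed', 'receiver_email' => 'payments@your-domain-name.com',
         'mc_gross' => '19.99', 'mc_currency' => 'USD', 'txn_id' => 'TXN-EXAMPLE-0002'];
$bad  = array_merge($good, ['mc_gross' => '0.01', 'txn_id' => 'TXN-EXAMPLE-0001']);

print_r(ipn_rejection_reasons($good, $expected, $seen)); // empty: activate
print_r(ipn_rejection_reasons($bad, $expected, $seen));  // two reasons: record, flag, alert
```

Each non-empty result is what the paragraph above calls a fraudulent or failed transaction: the handler stores the message and its reasons, flags it and mails the administrator instead of touching the subscription.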
//------------------------------------------------------------
// comment out if output_buffering is already ON
//------------------------------------------------------------
ob_start();
If output_buffering is already turned on for your hosting account, you can comment this out. Leaving it ON however will not do anything bad so if you don't want to bother with it you don't have to.
//------------------------------------------------------------
// turn off magic quotes
//------------------------------------------------------------
// NOTE: magic_quotes_gpc is a PHP_INI_PERDIR directive, so ini_set() cannot
// change it at runtime; set it in php.ini or via php_flag in .htaccess instead.
//ini_set('magic_quotes_gpc', 0); // 1=on 0=off
If magic quotes are not already turned off in php.ini, you can uncomment this line and it will turn it off for you. By default, this line is commented out because ordinarily this is not an issue.
//------------------------------------------------------------
// instantiate sessions
//------------------------------------------------------------
if(!isset($_SESSION)){
session_start();
}
This just instantiates the PHP sessions so the application can function properly.
//------------------------------------------------------------
// 0. WARN IF IE IS LESS THAN version 9.0
//------------------------------------------------------------
define('DETECT_IE', 1); // 1=Yes 0=No
This can be turned OFF by setting the value to 0 (zero). The CSS code (styling) of this script uses a lot of CSS3 which is poorly supported by Internet Explorer older than version 9. The above configuration displays a banner on top of the page to inform the user that their browser is out of date.
// ------------------------------------------------------------
// 1. ROOT PATH FOR INCLUDE FILES
// ------------------------------------------------------------
define('ROOT_PATH', $_SERVER['DOCUMENT_ROOT'].'/psum/'); // psum is subdirectory
This code establishes the root path for the site so all files know where they are located and can perform their functions properly. It is used to include code files. The code shown above basically says "I am located at: http://www.your-domain-name.com/psum/". It is looking for the psum folder under the domain it is running under. You can change the name of the psum folder by renaming it and then changing all references to it here in the configuration file. So if you renamed the psum folder to xyz, you would replace all occurrences of psum with xyz.
// ------------------------------------------------------------
// 2. WEBSITE ADDRESS
// ------------------------------------------------------------
function siteURL()
{
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
$domainName = $_SERVER['HTTP_HOST'].'/'.'psum/'; // psum is subdirectory
return $protocol.$domainName;
}
define( 'SITE_URL', siteURL() );
This code establishes the site URL and carries out a similar functionality as described above. It is used mostly when including Jquery or image files.
// ------------------------------------------------------------
// 3. ACCOUNT ACTIVATION URL
// ------------------------------------------------------------
function verificationURL()
{
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
$domainName = $_SERVER['HTTP_HOST'].'/'.'psum/'; // psum is subdirectory
$pageName = 'account-activation.php';
return $protocol.$domainName.$pageName;
}
define( 'ACCOUNT_ACTIVATION_URL', verificationURL() );
The above code establishes the account activation URL / Location. After account registration, the new user is sent an account activation e-mail with confirmation and a link that they have to click to confirm their e-mail address and actually activate their account.
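Both siteURL() and verificationURL() above take the host name from $_SERVER['HTTP_HOST'], which is the Host header sent by the client. For a link that is e-mailed to a new user, a practitioner would rather build the URL from a configured host name. The following is an added example of the same two helpers written that way; it is not the project's web.config.php. SITE_HOST, SITE_SUBDIR, the *_hardened function names and the "token" query parameter are assumptions (the page does not say how the activation link carries its token).

```php
<?php
// Added example: URL helpers that never place the request's Host header into
// generated links. Not the project's code; constant and function names assumed.

define('SITE_HOST', 'www.your-domain-name.com'); // canonical host name (assumed)
define('SITE_SUBDIR', '/psum/');                 // same subdirectory as the page uses

/** Same protocol test as siteURL(), written once and reused. */
function request_is_https(array $server): bool
{
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443);
}

/**
 * Build the site base URL from configuration. The Host header is only
 * inspected to log a mismatch; it is never copied into the result.
 */
function site_url_hardened(array $server): string
{
    $scheme = request_is_https($server) ? 'https://' : 'http://';
    $requested = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    if ($requested !== '' && $requested !== SITE_HOST) {
        error_log("Host header '$requested' does not match SITE_HOST"); // worth alerting on
    }
    return $scheme . SITE_HOST . SITE_SUBDIR;
}

/** Activation link with the token passed as a properly encoded query value. */
function account_activation_url_hardened(array $server, string $token): string
{
    return site_url_hardened($server) . 'account-activation.php?'
        . http_build_query(['token' => $token]);
}

// Constructed request: HTTPS is on but the Host header names some other site.
$sample = ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'HTTP_HOST' => 'other.example'];
echo account_activation_url_hardened($sample, bin2hex(random_bytes(16))), PHP_EOL;
```

The output always starts with https://www.your-domain-name.com/psum/ regardless of what the sample Host header says, and the mismatch is written to the error log where it can be picked up by monitoring.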
// ------------------------------------------------------------
// 4. DEFAULT LOGIN DESTINATION URL
// ------------------------------------------------------------
// if USE_DEFAULT_LOGIN_DESTINATION is set to 1, all users will be
// redirected to DEFAULT_LOGIN_DESTINATION_URL after login, except
// the users whose destination URL has been custom set in admin panel.
define( 'USE_DEFAULT_LOGIN_DESTINATION', 0 ); // 1=On 0=Off
define( 'DEFAULT_LOGIN_DESTINATION_URL', siteURL().'index.php' ); // global login destination
This configuration option allows the administrator to set the default login destination. If it is set to 1, the login destination will be whatever is defined in the second option. In the above code, the destination is set to the index.php file. You can set this to whatever you want as long as the page is located within the site. You can also set the login destination for individual users in the administration panel. This overrides the default destination set here in the configuration file for those users only.
// ------------------------------------------------------------
// 5. DEFAULT THEMES - CSS
// ------------------------------------------------------------
define( 'SITE_STYLE', SITE_URL.'themes/default/default.css' ); // root files non IE
define( 'ADMIN_STYLE', SITE_URL.'admin/themes/default/default.css' ); // admin files
define( 'USER_STYLE', SITE_URL.'user/themes/default/default.css' ); // user area files
define( 'USER_MENU_STYLE', SITE_URL.'user/themes/default/superfish.css' ); // user area files
define( 'ACCORDION_STYLE', SITE_URL.'user/themes/default/accordion.css' ); // user area files
define( 'FEEDBACK_STYLE', SITE_URL.'feedback/themes/default/default.css' ); // feedback form
The default theme locations are set here. If you know CSS, you can create as many designs as you want and modify the above code so it points to your CSS files.
// ------------------------------------------------------------
// 6. EMAIL ADDRESSES
// ------------------------------------------------------------
define( 'NO_REPLY', 'hunzonian@gmail.com' );
define( 'GENERAL_CONTACT', 'hunzonian@gmail.com' );
define( 'BULK_MAIL_TO', 'hunzonian@gmail.com' );
This section is described in the setup above. The application uses lots of e-mail functionality throughout and needs to know who the e-mails are sent from.
// ------------------------------------------------------------
// 7. MINIMUM PASSWORD REQUIREMENTS
// ------------------------------------------------------------
define( 'MIN_PASSWORD_LENGTH', 7 ); // set min length
define( 'REQUIRE_NUMBER', 1 ); // 0=no 1=yes
define( 'REQUIRE_SPECIAL_CHAR', 1 ); // 0=no 1=yes
define( 'ALLOW_USERNAME_IN_PASS', 0 ); // 0=no 1=yes
define( 'ALLOW_PW_STRENGTH_CHECK', 1 ); // 0=no 1=yes
This section allows you to set the password requirements for new account registrations. The options are self explanatory.
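As an added example (not the project's registration module), this is one way the section 7 constants translate into actual checks. The constant values are the page's defaults; the function name, the returned message texts and the definition of "special character" (anything that is not a letter, digit or whitespace) are my assumptions.

```php
<?php
// Added example: enforce the password policy constants from section 7.
// Not the project's code; function name and messages are assumptions.

define('MIN_PASSWORD_LENGTH', 7);
define('REQUIRE_NUMBER', 1);
define('REQUIRE_SPECIAL_CHAR', 1);
define('ALLOW_USERNAME_IN_PASS', 0);

/**
 * Return the list of violated rules; an empty array means the password is
 * acceptable under the configured policy.
 */
function password_policy_violations(string $password, string $username): array
{
    $problems = [];
    // mb_strlen counts characters, not bytes, so multibyte passwords are not penalised
    if (mb_strlen($password) < MIN_PASSWORD_LENGTH) {
        $problems[] = 'must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (REQUIRE_NUMBER && !preg_match('/[0-9]/', $password)) {
        $problems[] = 'must contain a digit';
    }
    // "special" = any character that is not a letter, a digit or whitespace (assumed)
    if (REQUIRE_SPECIAL_CHAR && !preg_match('/[^\p{L}\p{N}\s]/u', $password)) {
        $problems[] = 'must contain a special character';
    }
    // case-insensitive substring test, so "JohnDoe" inside "johndoe99!" is caught
    if (!ALLOW_USERNAME_IN_PASS && $username !== ''
        && stripos($password, $username) !== false) {
        $problems[] = 'must not contain the user name';
    }
    return $problems;
}

// Constructed samples: user name => candidate password
foreach (['JohnDoe' => 'johndoe99!', 'alice' => 'Tr0ub4dor&3', 'bob' => 'short'] as $user => $pw) {
    $violations = password_policy_violations($pw, $user);
    printf("%-12s %s\n", $pw, $violations ? implode('; ', $violations) : 'OK');
}
```

Returning every violated rule at once, rather than stopping at the first, lets the registration form tell the user everything that needs fixing in a single round trip.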
// ------------------------------------------------------------
// 8. APPROVE NEW ACCOUNT ON CREATION
// ------------------------------------------------------------
define('INSTANT_ACCOUNT_APPROVAL', 0); // 0=no 1=yes
define('BY_ADMIN_APPROVAL_ONLY', 0); // 0=no 1=yes
// notify admin on new registration
define('REGISTRATION_NOTIFICATION', 0); // 0=no 1=yes
// notify admin on account activation
define('ACTIVATION_NOTIFICATION', 0); // 0=no 1=yes
The above code provides an option to approve / activate accounts after the user clicks on the account activation link in the e-mail they get after registration or to activate accounts only by admin approval. The default configuration can be seen above. Both values are set to zero (0). This means that accounts are not approved upon creation (because the user has to click on the link sent in the verification e-mail), and admin approval is not required. To approve accounts upon creation without sending a verification e-mail, simply set the first value to 1. To allow the administrator(s) to approve all new accounts, simply set the second value to 1. You can also set the REGISTRATION_NOTIFICATION and ACTIVATION_NOTIFICATION options to send a notification email to the administrator.
// ------------------------------------------------------------
// 9. DEFAULT ROLES IN ORDER OF PRIORITY
// ------------------------------------------------------------
// owner = 1
// superadmin = 2
// admin = 3
// member = 4
// user = 5
define('DEFAULT_ROLE', "user");
define('DEFAULT_ROLE_ID', 5);
This code defines the default role used when a new registration occurs and a new account is created. There is no limit on the number of roles that can be created within the administration panel. The above 5 roles are already defined and are the defaults. Although you don't have to use them in the pages you create, the application won't allow you to delete them.
// ------------------------------------------------------------
// 10. MAX NUMBER OF LOGIN ATTEMPTS BEFORE LOCKOUT
// ------------------------------------------------------------
define('MAX_LOGIN_ATTEMPT', 4);
define('LOCKOUT_DURATION', 5); // minutes
Here you can define the maximum number of login attempts before lockout occurs. If the requested user name actually exists in the database, that account is locked after the maximum number of attempts so no further abuse can occur. If the requested account(s) are random or don't actually exist (the person or bot is just guessing), lockout also occurs, but only by means of a cookie.
// ------------------------------------------------------------
// 11. AUTO LOGIN DURATION - Remember me cookie
// ------------------------------------------------------------
define('AUTO_LOGIN_DURATION', 1728000); // 20 days in seconds
If the user checks the "remember me" checkbox during login, an autologin cookie will be set for the duration specified above. As long as the cookie exists in the user's browser, he / she will be automatically logged in when visiting password restricted pages within the site. If the browser cache is cleared, the user will have to login again. The auto login duration can be set in the above code. 86400 seconds = 1 day. The default above is set for 20 days.
// ------------------------------------------------------------
// 12. GRIDVIEW DEFAULT PAGE SIZE
// ------------------------------------------------------------
define('GV_PAGE_SIZE', 10); // rows
Gridviews are used throughout the application to display data from the database. Each gridview allows record paging and displays a certain number of records each page. The default number per page is set to 10 above. You can change this number as you desire.
// ------------------------------------------------------------
// 13. RECAPTCHA KEYS - GET YOURS @ http://www.google.com/recaptcha
// ------------------------------------------------------------
define( 'RECAPTCHA_PRIVATE_KEY', "xyz" );
define( 'RECAPTCHA_PUBLIC_KEY', "xyz" );
As mentioned above: If you want to take advantage of the recaptcha modules that are built in to the Login, Registration, Password Reset, Lost User Name, Lost Activation modules, it is highly recommended that you register an account and create your own public and private keys. You can go here http://www.google.com/recaptcha to do all of that. I have included a generic set of keys so you can test the application without having to mess with it but it is not secure since everyone who downloads the application will have the same pair of keys. So, please make sure you DON'T forget!
// ------------------------------------------------------------
// 14. ENABLE DISABLE CAPTCHA
// ------------------------------------------------------------
define('LOGIN_CAPTCHA_ON', 0); // 1=on 0=off
define('REGISTER_CAPTCHA_ON', 1); // 1=on 0=off
define('FEEDBACK_CAPTCHA_ON', 1); // 1=on 0=off
define('CAPTCHA_ON_X', 3); // turn captcha ON after x failure
This functionality allows you to disable the captcha control on the Login and Registration forms by default but have it auto activate after the set number of failed attempts. The default above is set to 3 tries. If on the third try the form submission is not successful, the captcha is automatically activated and displayed for successive tries.
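The lockout rule of section 10 and the "captcha after x failures" rule of section 14 both depend on the same count of recent failed logins. The following added example (not the project's login module) combines them in one pure decision function. The constant values are the page's defaults; the function name, the array of failure timestamps and the returned keys are my assumptions. For user names that do not exist, the page keeps this count in a cookie, which only holds against a client that keeps the cookie; the decision logic is the same either way.

```php
<?php
// Added example: decide lockout and captcha state from recent failed logins.
// Not the project's code; function name and data shapes are assumptions.

define('MAX_LOGIN_ATTEMPT', 4);
define('LOCKOUT_DURATION', 5);   // minutes
define('CAPTCHA_ON_X', 3);

/**
 * $failures holds UNIX timestamps of failed logins for this account (or, for
 * unknown user names, for this browser's cookie). Returns
 * ['locked' => bool, 'captcha' => bool, 'retry_after' => seconds].
 */
function login_form_state(array $failures, int $now): array
{
    $window = LOCKOUT_DURATION * 60;
    // only failures inside the lockout window count; older ones have expired
    $recent = array_filter($failures, function (int $t) use ($now, $window): bool {
        return $t > $now - $window;
    });
    $count  = count($recent);
    $locked = $count >= MAX_LOGIN_ATTEMPT;
    // the lock ends when the oldest counted failure leaves the window
    $retryAfter = $locked ? (min($recent) + $window) - $now : 0;
    return [
        'locked'      => $locked,
        'captcha'     => $count >= CAPTCHA_ON_X,   // shown from the 3rd failure onwards
        'retry_after' => max(0, $retryAfter),
    ];
}

// Constructed sample: four failures within the last two minutes
$now = 1700000000;
$failures = [$now - 110, $now - 80, $now - 40, $now - 5];
print_r(login_form_state($failures, $now));        // locked, captcha, retry_after 190
print_r(login_form_state($failures, $now + 300));  // window has passed: all clear
```

A successful login should clear the stored failures; a locked account should also be logged for the administrator, since a burst of failures against one account is worth knowing about even after the lock expires.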
// ------------------------------------------------------------
// 15. USER PROFILES
// ------------------------------------------------------------
define('ENABLE_USER_PROFILES', 1); // 1=yes 0=no
This functionality allows you to disable the user account section where registered users can edit their account information.
// ------------------------------------------------------------
// 16. AVATAR IMAGE FILE
// ------------------------------------------------------------
define('AVATAR_FILE_SIZE', 51200); // 50 Kb max. -> 1 kilobyte = 1024 bytes
define('AVATAR_FILE_DIRECTORY', ROOT_PATH.'user/upload/avatars/'); // upload directory
define('AVATAR_IMAGE_URL', SITE_URL.'user/upload/avatars/'); // default avatar url
define('DEFAULT_AVATAR_IMAGE', 'default-avatar.png'); // default avatar image
The above section defines the maximum file size, the directory where the avatar images are uploaded, the default avatar image and its location.
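Avatar upload is the one place where the application writes user-supplied files to disk, so the size limit above is usually paired with type and name checks. The following is an added example of such a check (not the project's profile module): the function name, the allowed-type list and the random file name scheme are my assumptions; only AVATAR_FILE_SIZE and its default come from the page. The sample input is a constructed 1x1 PNG written to a temporary file.

```php
<?php
// Added example: validate an uploaded avatar before it is moved into
// AVATAR_FILE_DIRECTORY. Not the project's code; names assumed.

define('AVATAR_FILE_SIZE', 51200); // page default: 50 KB

/**
 * Validate one $_FILES entry and return the server-chosen file name to store
 * it under. Throws RuntimeException with the reason when the file is rejected.
 */
function validate_avatar(array $upload, int $maxBytes = AVATAR_FILE_SIZE): string
{
    if (!isset($upload['tmp_name'], $upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or is missing');
    }
    // measure the real size on disk, not the client-supplied $upload['size']
    $size = filesize($upload['tmp_name']);
    if ($size === false || $size > $maxBytes) {
        throw new RuntimeException("file exceeds $maxBytes bytes");
    }
    // decide the type from the file contents, never from the client's name or MIME type
    $info = @getimagesize($upload['tmp_name']);
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not a PNG, JPEG or GIF image');
    }
    // random name with an extension derived from the detected type; the client's
    // original file name never reaches the disk
    return bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
}

// Constructed sample: a 1x1 PNG in a temp file stands in for $_FILES['avatar']
$tmp = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($tmp, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$sample = ['name' => 'anything.txt', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => 0];
echo 'store as: ', validate_avatar($sample), PHP_EOL;
unlink($tmp);
```

The caller then passes the returned name to move_uploaded_file() with AVATAR_FILE_DIRECTORY as the target; since that directory is served from AVATAR_IMAGE_URL, keeping the extension tied to the detected image type is what stops a non-image from being stored under a name the web server would treat differently.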
// ------------------------------------------------------------
// 17. UNIQUE VISITORS ONLINE COUNTER
// ------------------------------------------------------------
define('ENABLE_VISITOR_COUNT', 0); // 1=yes 0=no
define('LAST_X_MINUTES', 15); // counts number of visitors in last x minutes
This functionality allows you to enable / disable the visitors online counter and set the last number of minutes to count the number of current visitors.
// ------------------------------------------------------------
// 18. CONTACT FORM
// ------------------------------------------------------------
// company logo
define('COMPANY_LOGO_SIZE', 51200); // 50 Kb max. -> 1 kilobyte = 1024 bytes
define('COMPANY_LOGO_DIRECTORY', ROOT_PATH.'feedback/upload/'); // upload directory
define('COMPANY_LOGO_URL', SITE_URL.'feedback/upload/'); // default logo url
define('DEFAULT_COMPANY_LOGO', 'company.png'); // default logo image
// contact email form
define('MIN_FEEDBACK_LENGTH', 20); // min. text length
define('MAX_FEEDBACK_LENGTH', 1000); // max text length
define('MIN_FEEDBACK_WORDS', 3); // min number of words
The above settings allow you to configure the modal dialog based Contact / Feedback form included with this application. It can be used as a simple contact form or a sophisticated feedback system. Option categories and subcategories can be created within the admin panel.
// ------------------------------------------------------------
// 19. PREMIUM MEMBERSHIP
// ------------------------------------------------------------
// show/hide from users
define('ENABLE_PREMIUM_MEMBERSHIP', 1); // 1=yes 0=no
// show/hide in admin panel
define('HIDE_PREMIUM_MEMBERSHIP_IN_ADMIN', 0); // 1=yes 0=no
This option allows you to enable / disable the Premium Membership section both in the admin and user panel. Helpful if you don't require this functionality.
// ------------------------------------------------------------
// 20. SCHEDULED MAINTENANCE
// ------------------------------------------------------------
define('SCHEDULED_MAINTENANCE', 0); // 1=show 0=hide
define('UNDER_CONSTRUCTION_PAGE', SITE_URL.'maintenance.html');
If set to 1, all pages with this constant in their header will be redirected to the maintenance.html page. Useful to take the site temporarily offline. You can change the value of this url to point the redirect action to any page.
// ------------------------------------------------------------
// 21. SHOW / HIDE THE FOLLOWING MODULES
// ------------------------------------------------------------
define('SHOW_REGISTRATION', 1); // 1=yes 0=no
define('SHOW_PASSWORD_RESET', 1); // 1=yes 0=no
define('SHOW_LOST_USER_NAME', 1); // 1=yes 0=no
define('SHOW_RESEND_ACTIVATION', 1); // 1=yes 0=no
The code above allows you to enable / disable the registration, password reset, lost user name and resend activation modules.
// ------------------------------------------------------------
// 22. SHOW / HIDE ADMIN STICKY BUTTON BAR
// ------------------------------------------------------------
define('SHOW_STICKY_BAR', 1); // 1=yes 0=no
The sticky bar in the admin panel is an icon based navigation element linking to essential parts of the admin area. The above configuration option allows you to disable the sticky bar if you have no need for it.
// ------------------------------------------------------------
// 23. PROTECTED DOWNLOADS
// ------------------------------------------------------------
define('ENABLE_DOWNLOADS', 1);
define('DOWNLOAD_DIRECTORY', ROOT_PATH.'download/'); // protected download directory
define('MAX_UPLOAD_FILE_SIZE', 20971520); // 20 Mb max. -> 1 megabyte = 1048576 bytes
The above settings allow you to enable / disable the protected downloads section and to configure the download directory location and the maximum upload file size.
// ------------------------------------------------------------
// 24. ACCOUNT SHARING
// ------------------------------------------------------------
define('ACCOUNT_SHARING', 0); // 1=allowed 0=not allowed
If set to zero (0), only the latest login per account is valid and all others will be logged off. If set to 1, each account can be used simultaneously by multiple users using the same credentials. This functionality is especially useful for premium membership to prevent account sharing.
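As an added example (not the project's login code), this is one way the ACCOUNT_SHARING = 0 behaviour can be enforced: every login stores a fresh random token with the account, and a request whose session carries an older token has been superseded and is logged out. An in-memory array stands in for the users table; the function names and the session_token column are my assumptions.

```php
<?php
// Added example: one active login per account when ACCOUNT_SHARING is 0.
// Not the project's code; storage and names are assumptions.

define('ACCOUNT_SHARING', 0); // page default: sharing not allowed

/** Stand-in for "UPDATE users SET session_token = ? WHERE id = ?" (constructed) */
$accounts = ['42' => ['session_token' => null]];

/** Called after the credentials have been verified; returns the token for $_SESSION. */
function on_login(array &$accounts, string $userId): string
{
    $token = bin2hex(random_bytes(32));
    // overwriting the stored token is what invalidates every earlier login
    $accounts[$userId]['session_token'] = $token;
    return $token; // caller stores this in $_SESSION['session_token']
}

/** Called on every protected page: is this session still the newest login? */
function session_still_valid(array $accounts, string $userId, string $sessionToken): bool
{
    if (ACCOUNT_SHARING) {
        return true; // sharing allowed: any authenticated session stays valid
    }
    $current = $accounts[$userId]['session_token'] ?? '';
    // constant-time comparison, so the token cannot be guessed byte by byte
    return $current !== '' && hash_equals($current, $sessionToken);
}

// Constructed scenario: browser A logs in, then browser B logs in with the same credentials.
$tokenA = on_login($accounts, '42');
$tokenB = on_login($accounts, '42');
var_dump(session_still_valid($accounts, '42', $tokenA)); // A has been superseded by B
var_dump(session_still_valid($accounts, '42', $tokenB)); // B is the current login
```

When session_still_valid() returns false, the page destroys the PHP session and redirects to the login form, which is the "all others will be logged off" part of the paragraph above. The same token check also covers the "remember me" cookie path, so an auto-login from an older browser cannot silently re-enter after a newer login.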
Do you need more info? Let me know and I will add the explanations here... Cheers, Hunzonian