Welcome to the Second Life Forums Archive

http php help - I think I am close

Web Magic
Registered User
Join date: 30 May 2008
Posts: 12
09-10-2008 20:32
Hello. I am working on a registration system for my Joomla web site. I actually think I am pretty close, and considering I am a newbie, that isn't too bad, right? :) At any rate, I first posted my questions and then posted what I have. If anyone has the time and the patience, I would be very appreciative of any guidance. Of course, by posting this and fixing it, I am hoping others will benefit from the code, as I will post the final product. I know there are a lot of Joomla sites out there.

I think the script and php are pretty solid, here is what I don't know what to do:

1) In the php, I don't know how to query the table jos_users to see if the user already exists. If so, I want to send a message back into second life stating that (you will see an example message in the script). If the user doesn't exist, I want to go ahead and complete the registration.

2) I don't know how to work with http response, so I need to add the proper code in the php and in the script. The two choices are in the script - 1) they are already registered and the object tells them that or 2) give the registration information.

3) If someone could double check the script to make sure it is clean.

4) If there are any security measures I should add, that would be cool.

Script (with personal information removed)




[begin script code]
key http_request_id;

default

{

state_entry()

{
string name;
string uuid;
string eemail;
string pass;
string born;
string payment;

name = llRequestAgentData( Avatar, DATA_NAME);
uuid = llDetectedKey(0);
integer randChan = (integer)(llFrand(831)+123);
eemail = llDetectedKey(0)+"@lsl.secondlife.com";
pass = (string)randChan;
born = llRequestAgentData( llDetectedKey(0), DATA_BORN);
payment = llRequestAgentData( llDetectedKey(0), DATA_PAYINFO);

llInstantMessage(llDetectedKey(0), pass)
{
http_request_id = llHTTPRequest( "http://url.com/register.php", [HTTP_METHOD,"POST",HTTP_MIMETYPE,"application/x-www-form-urlencoded"], "name=" + name + "&pass=" + pass + "&eemail=" + eemail + "&uuid=" + uuid + "&born=" + born + "&payment=" + payment);
}
http_response(key id, integer status, list meta, string body) {
if ( body == 0 )
llInstantMessage(llDetectedKey(0), "You are already registered at url. If you feel this is an error, or have forgotten your login information, please contact us at email@url.com.");
else
llInstantMessage(llDetectedKey(0), "Your Login name is your Second Life Name, " + name + ". Your password is in your 'Local Chat.' Simply press control-h or open your 'Local Chat' and log in to url");

}

}
[/end script code]




[begin php]
<?php
defined( '_JEXEC' ) or die( 'Restricted access' );

$hostname='xxxxxxxxx';
$username='xxxxxx';
$password='xxxxxx';
$dbname='xxxxxxxx';

mysql_connect($hostname,$username, $password) OR DIE ('Unable to connect to database! Please try again later.');
mysql_select_db($dbname);

$headers = apache_request_headers();
$objectName = $headers["X-SecondLife-Object-Name"];
$objectKey = $headers["X-SecondLife-Object-Key"];
$ownerKey = $headers["X-SecondLife-Owner-Key"];
$ownerName = $headers["X-SecondLife-Owner-Name"];
$region = $headers["X-SecondLife-Region"];
$slVersion = $headers["User-Agent "];
$simPosition = $headers["X-SecondLife-Local-Position"];

$user = $_POST["user"]
$uuid = $_POST["uuid"]
$pass = $_POST["pass"]
$born = $_POST["born"]
$payment = $_POST["payment"]
$eemail = $_POST["eemail"]

$salt = pass(16);
$crypt = md5($newpass.$salt);
$newpass = $crypt.':'.$salt;

$query =

$query = "INSERT INTO `table1` (`name`, `username`, `password`, `usertype`, 'gid', 'params') VALUES ('".$user."', '".$user."', '".$newpass."','Registered','18','language=en-GB')";

$lastid = mysql_insert_id;

$query = "INSERT INTO `table2` (`id`, `user_id`, `cb_uuid`, `cb_lslemail`, 'cb_born', 'cb_paymentinfo') VALUES ('".$lastid."', '".$lastid."', '".$uuid."','".$eemail."','".$born."','".$payment."')";

$query = "INSERT INTO `table3` (`value`, `name`) VALUES ('".$lastid."', '".$name."')";

$lastid2 = mysql_insert_id;

$query = "INSERT INTO `table4` (`group_id`, `aro_id`) VALUES ('18', '".$lastid2."')";

$query = "INSERT INTO `table4` (`uuid`, `name`,'objectkey','objectregion') VALUES ('".$uuid."', '".$name."', '".$objectKey."', '".$region."')";

mysql_query($query) or die(mysql_error());
mysql_close();

?>
[/end php]

Thanks again in advance.

Web
Hewee Zetkin
Registered User
Join date: 20 Jul 2006
Posts: 2,702
09-11-2008 08:18
LSL

1.) The llDetected*() functions only work from touch and collision events, so you're not going to get anything useful from them in state_entry.

2.) You're probably going to want to use llEscapeURL() on each parameter value in your POST data. If any of them had characters that would normally be used to delimit different parameters, you might be in trouble. PROBABLY the data you are using in this case is safe, but better safe than sorry.

3.) You'll probably want to test the body of the response against something other than zero. You'll want to 'echo' something from your PHP script and test for it in your LSL code.

4.) The 'http_response' bit needs to be made into its own event handler, and you'll have to remember in a global variable or variables somehow the key, name, etc. from the code where you sent the HTTP request. It is generally good practice to test the return value of llHTTPRequest() against the request ID that is the first parameter to the 'http_response' handler.

PHP

1.) No idea what '_JEXEC' is, so I can't help you there.

2.) You've got syntax errors in several places. For example, where you are setting $user, $uuid, etc. from the HTTP parameters, there are no semicolons between the assignments.

3.) You'll want to SELECT first to see if the user is already in the system. Search for a row with the same primary key as the one you are about to INSERT (probably name or UUID, but I have no idea; you'll have to review your DB schema). Can't say much more about the SQL since I have no idea what your tables look like or anything.

4.) You'll want to 'echo' a duplicate record message on failure or whatever data you want to send the user on success so it gets to the response body.
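
Added example, not part of the original thread or anyone's posted code: one way to do the SELECT-then-INSERT and the echoed reply described above, using bound parameters instead of the string concatenation in the posted PHP. The `users` table, its columns, the `register_user` helper and the `OK` / `EXISTS` / `ERROR` reply strings are assumptions for illustration, and an in-memory SQLite database stands in for the Joomla MySQL tables.

```php
<?php
// Added example, not code from the thread. The users table, its columns and
// the OK / EXISTS / ERROR reply strings are assumptions for illustration.

function register_user(PDO $db, array $post): string
{
    // Validate input before it reaches the database.
    $name = trim($post['name'] ?? '');
    $uuid = strtolower(trim($post['uuid'] ?? ''));
    $uuidRe = '/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/';
    if ($name === '' || strlen($name) > 64 || !preg_match($uuidRe, $uuid)) {
        return 'ERROR';
    }

    // SELECT first. Placeholders keep POST values out of the SQL text.
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ? OR uuid = ?');
    $check->execute([$name, $uuid]);
    if ($check->fetchColumn() !== false) {
        return 'EXISTS';
    }

    try {
        $insert = $db->prepare('INSERT INTO users (username, uuid) VALUES (?, ?)');
        $insert->execute([$name, $uuid]);
    } catch (PDOException $e) {
        // UNIQUE columns catch two requests that both passed the SELECT.
        if ($e->getCode() == '23000') {
            return 'EXISTS';
        }
        throw $e;
    }
    return 'OK';
}

// Constructed demo data on an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY,
           username TEXT UNIQUE, uuid TEXT UNIQUE)');

$samples = [
    ['name' => "Pat O'Hara", 'uuid' => '11111111-2222-3333-4444-555555555555'],
    ['name' => "Pat O'Hara", 'uuid' => '11111111-2222-3333-4444-555555555555'],
    ['name' => 'No Uuid',    'uuid' => 'not-a-uuid'],
];
foreach ($samples as $post) {
    echo register_user($db, $post), "\n"; // this echo becomes the response body
}
```

In a real handler the array passed in would be `$_POST`, and the LSL `http_response` event would compare `body` against these reply strings rather than against zero.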
Web Magic
Registered User
Join date: 30 May 2008
Posts: 12
Thanks
09-11-2008 08:40
For the detected, you are right, I need to switch it to touch, since I will have a terminal like object that persons will touch to register. As far as the sql and tables, those should be pretty clean as they are the tables created by Joomla. Jexec is Joomla's internal code/security that prevents the page from being called directly. I am going to have to play around with including that line since in essence I am calling the page directly from SL, so it might not work, but that is what the Jexec is for, FYI. Thanks again, I will implement your ideas and post how it goes.

Web
Pedro McMillan
SLOODLE Developer
Join date: 28 Jul 2007
Posts: 231
09-11-2008 10:17
One thing to be aware of... the email address format "<uuid>@lsl.secondlife.com" can only be used to email objects, not avatars. It's annoying for legitimate stuff like automated registration, but I guess it helps prevent IM spam.

We have to deal with something very similar in the Sloodle project. If a teacher has activated 'auto-registration', then the system will automatically create a new user account (in Moodle or whatever LMS) for the avatar. No email address is specified, and the profile is flagged as needing to be edited the first time the user logs in through their web-browser (if ever). The initial login information for the website is emailed to whatever object did the registration, and it then IMs the details to the user. It's a little slow (takes up to a couple of minutes for the IM to come through), but people using auto-reg in this case generally won't need web-browser access right away anyway.
Web Magic
Registered User
Join date: 30 May 2008
Posts: 12
Thanks again
09-11-2008 11:11
I didn't realize that. I can turn off email as a requirement, though if Linden Labs is reading this, please create a login API like gmail or openid:) so we can avoid all of these issues. At any rate, I will just handle it that way, but it would be nice to be able to email residents in-world who voluntarily sign up for your site.