MyBB Community Forums

Full Version: [SOLVED] Using the login Details via App
 <?php

// Remote login check for an external app: reads username/password/hwid/author from the
// query string, compares a salted MD5 of the password with the row in mybb_users, then
// applies a hardware-ID check and an IP block check against the loginlist table.
// Prints "VALID LOGIN" or one of the "INVALID LOGIN" strings.
//
// NOTE(review): every mysql_* call below belongs to ext/mysql, which was deprecated in
// PHP 5.5 and removed in PHP 7.0. mysqli or PDO with prepared statements is the
// maintained replacement and removes the need for manual escaping.

// Silences all PHP errors, so a failed query or an undefined index further down produces
// no diagnostic at all.
error_reporting(0);

// Database settings
$host      = 'localhost';     
$user      = '';      
$password  = '';        
$database  = '';        

$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
// $conn is overwritten with the boolean result of mysql_select_db(); the later calls pass
// no link argument, so they use the most recently opened connection.
$conn = mysql_select_db($database) or die ('Error selecting database.');

// All four inputs arrive in the URL query string, so the password is part of the request
// URL (browser history, web server access logs). A POST body over HTTPS avoids that.
$hwid = mysql_real_escape_string($_GET['hwid']);
// An empty or missing hwid is stored and compared as the literal '?'.
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
// Reuses $password (the database password above) for the user's password. The escaped
// value is what gets hashed below, so a password containing a quote or backslash is
// hashed with the added backslashes and will not match a hash of the raw password.
$password = mysql_real_escape_string($_GET['password']);
//get the user info
// NOTE(review): the column is lowercased but $username is not, so a mixed-case name only
// matches if the column collation is case-insensitive — confirm.
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';"; 
//make it into a mysql_assoc_array
// The result is not checked: for an unknown user mysql_fetch_assoc() returns false and
// the array reads below yield null.
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
// NOTE(review): this layout has to be the exact one the forum used when it stored the
// password; a later reply in this thread gives md5(md5($salt).md5($password)) for MyBB.
// Salted MD5 is also cheap to brute-force if the table ever leaks.
$hash = md5(md5($password.$salt).$salt);

//check your hash against the one in the table
// NOTE(review): reads a column named 'hash' — confirm against the mybb_users schema.
// `==` compares loosely (two numeric-looking strings are compared as numbers);
// hash_equals() gives a strict, constant-time comparison.
if ($resultarr['hash'] == $hash)
{
    // Check membername and HWID 
    // Only enforced when the member already has a loginlist row; a member with no row
    // skips this check and gets the submitted hwid recorded by the INSERT below.
    $query = "SELECT member, hwid FROM loginlist WHERE member = '{$username}'"; 
    $result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
// Compares against the first row returned for this member only.
$row = mysql_fetch_assoc($result);
if ($row['hwid']!=$hwid) {
echo "INVALID LOGIN1";
exit;
        }
    }
    // Update loginlist
    // REMOTE_ADDR is the only value placed into the queries below without escaping.
    $ip = $_SERVER['REMOTE_ADDR'];
    $lastday = $firstday = time();
    $cntr = 1;
    // Self-assignment; has no effect.
   $author = $author;
    $query = "SELECT member, ip, author, cntr FROM loginlist WHERE member = '$username' AND ip = '$ip'";
    $result = mysql_query($query);
    if ($result && mysql_num_rows($result)) {
        $row = mysql_fetch_array($result);
        // cntr and author are written as bare words, which PHP treats as undefined
        // constants and reports as a notice/warning (hidden here by error_reporting(0)).
        $row[cntr] += 1;
        $lastday = time();
        $row[author] = $author;
        // The cntr value has no closing quote before the comma, so the quoting in this
        // UPDATE is unbalanced and MySQL will most likely reject it; the failure stays
        // invisible because the result is never checked and errors are silenced.
        $query = "UPDATE loginlist SET lastday = '$lastday', cntr = '$row[cntr], author = '$row[author]' WHERE member = '$username' AND ip = '$ip'";
        $result=mysql_query($query);
    } else {
        // First login for this member/IP pair: records the submitted hwid with block = 0.
        $query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, author, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '$author', '0')";
        $result=mysql_query($query);            
    }    
     // Check if IP address is blocked
    // Runs after the row above was written. LIMIT 1 without ORDER BY inspects one
    // unspecified row for this IP, so a block flag set on a different row for the same
    // IP can be missed.
    $query = "SELECT * FROM loginlist WHERE ip = '{$ip}' LIMIT 1;";
    $result = mysql_query($query);
    if ($result) {
        $row = mysql_fetch_assoc($result);
        if ($row['block'] == 1) {
            echo "INVALID LOGIN2";    
            exit;
        } 
    }
    echo "VALID LOGIN";
} else {
// Also reached when the username does not exist. Nothing in this script limits repeated
// attempts, and the three distinct failure strings tell the caller which check failed.
echo "INVALID LOGIN 3";
} 
?>
<?php

// Second revision of the remote login check: same flow as before (salted-MD5 comparison
// against mybb_users, then hardware-ID and IP block checks against loginlist), now
// reading the stored hash from the 'password' column.
//
// NOTE(review): the mysql_* functions used throughout come from ext/mysql, deprecated in
// PHP 5.5 and removed in PHP 7.0; mysqli or PDO with prepared statements replaces both
// the API and the manual escaping.

// Silences all PHP errors, so failed queries below produce no diagnostic.
error_reporting(0);

// Database settings
$host      = 'localhost';     
$user      = '';      
$password  = '';        
$database  = '';        

$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
// $conn now holds a boolean; later calls rely on the implicit last-opened connection.
$conn = mysql_select_db($database) or die ('Error selecting database.');

// Credentials are taken from the URL query string, so they end up in browser history and
// web server access logs; a POST body over HTTPS avoids that.
$hwid = mysql_real_escape_string($_GET['hwid']);
// An empty or missing hwid is stored and compared as the literal '?'.
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
// The escaped password is what gets hashed below, so any character that escaping touches
// changes the hash. This also overwrites the database password held in $password.
$password = mysql_real_escape_string($_GET['password']);
//get the user info
// NOTE(review): only the column side is lowercased; matching a mixed-case $username
// depends on the column collation — confirm.
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';"; 
//make it into a mysql_assoc_array
// Unchecked: an unknown user makes mysql_fetch_assoc() return false.
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
// NOTE(review): must match the layout the forum used when storing the password; a later
// reply in this thread gives md5(md5($salt).md5($password)) for MyBB.
$hash = md5(md5($password.$salt).$salt);

//check your hash against the one in the table
// `==` is a loose comparison (numeric-looking strings are compared as numbers);
// hash_equals() is the strict, constant-time alternative.
if ($resultarr['password'] == $hash)
{
    // Check membername and HWID 
    // Only enforced when the member already has a loginlist row.
    $query = "SELECT member, hwid FROM loginlist WHERE member = '{$username}'"; 
    $result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
if ($row['hwid']!=$hwid) {
echo "INVALID LOGIN1";
exit;
        }
    }
    // Update loginlist
    // REMOTE_ADDR goes into the queries below without escaping.
    $ip = $_SERVER['REMOTE_ADDR'];
    $lastday = $firstday = time();
    $cntr = 1;
    // Self-assignment; has no effect.
   $author = $author;
    // NOTE(review): this revision does not parse, so nothing in the file runs.
    //  - In the SELECT just below, {$ip'} puts the closing brace after the quote; the
    //    quote then opens a string that runs on to the next apostrophe, which is the
    //    parse error reported in the reply that follows.
    //  - In the UPDATE further down, {$row['cntr'],} has the comma and closing quote
    //    misplaced inside the braces, and {$username}e has a stray e where the closing
    //    SQL quote belongs.
    // Remaining review points for the rest of the script: the INSERT records whatever hwid
    // was submitted on a member's first login; the IP block check runs after the row is
    // written and LIMIT 1 without ORDER BY inspects one unspecified row for the IP; the
    // final else branch is also taken for unknown usernames, and nothing limits repeated
    // attempts.
    $query = "SELECT member, ip, author, cntr FROM loginlist WHERE member = '{$username}' AND ip = '{$ip'}";
    $result = mysql_query($query);
    if ($result && mysql_num_rows($result)) {
        $row = mysql_fetch_assoc($result);
        $row['cntr'] += 1;
        $lastday = time();
        $row['author'] = $author;
        $query = "UPDATE loginlist SET lastday = '{$lastday}', cntr = '{$row['cntr'],} author = '{$row['author']}' WHERE member = '{$username}e AND ip = '{$ip}'";
        $result=mysql_query($query);
    } else {
        $query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, author, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '$author', '0')";
        $result=mysql_query($query);            
    }    
     // Check if IP address is blocked
    $query = "SELECT * FROM loginlist WHERE ip = '{$ip}' LIMIT 1;";
    $result = mysql_query($query);
    if ($result) {
        $row = mysql_fetch_assoc($result);
        if ($row['block'] == 1) {
            echo "INVALID LOGIN2";    
            exit;
        } 
    }
    echo "VALID LOGIN";
} else {
echo "INVALID LOGIN 3";
} 
?>


Try that Wink
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting '}

line 49

<?php

// Third revision of the remote login check: the interpolation errors in the SELECT and in
// the cntr part of the UPDATE are corrected, so the file parses. Flow is unchanged:
// salted-MD5 comparison against mybb_users, then hardware-ID and IP block checks against
// loginlist.
//
// NOTE(review): the mysql_* functions come from ext/mysql, deprecated in PHP 5.5 and
// removed in PHP 7.0; mysqli or PDO with prepared statements is the maintained route.

// Silences all PHP errors, so a failed query below produces no diagnostic.
error_reporting(0);

// Database settings
$host      = 'localhost';     
$user      = '';      
$password  = '';        
$database  = '';        

$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
// $conn now holds a boolean; later calls rely on the implicit last-opened connection.
$conn = mysql_select_db($database) or die ('Error selecting database.');

// Credentials are read from the URL query string, which exposes them in browser history
// and web server access logs; a POST body over HTTPS avoids that.
$hwid = mysql_real_escape_string($_GET['hwid']);
// An empty or missing hwid is stored and compared as the literal '?'.
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
// The escaped password is what gets hashed below, so escaping can change the resulting
// hash. This assignment also overwrites the database password held in $password.
$password = mysql_real_escape_string($_GET['password']);
//get the user info
// NOTE(review): only the column side is lowercased; matching a mixed-case $username
// depends on the column collation — confirm.
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';"; 
//make it into a mysql_assoc_array
// Unchecked: an unknown user makes mysql_fetch_assoc() return false.
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
// NOTE(review): this layout must be the one the forum used when storing the password. A
// later reply in this thread gives md5(md5($salt).md5($password)) for MyBB, which would
// explain a mismatch even with the correct password.
$hash = md5(md5($password.$salt).$salt);

//check your hash against the one in the table
// `==` is a loose comparison (numeric-looking strings are compared as numbers);
// hash_equals() is the strict, constant-time alternative.
if ($resultarr['password'] == $hash)
{
    // Check membername and HWID 
    // Only enforced when the member already has a loginlist row; otherwise the submitted
    // hwid is simply recorded by the INSERT below.
    $query = "SELECT member, hwid FROM loginlist WHERE member = '{$username}'"; 
    $result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
if ($row['hwid']!=$hwid) {
echo "INVALID LOGIN1";
exit;
        }
    }
    // Update loginlist
    // REMOTE_ADDR goes into the queries below without escaping.
    $ip = $_SERVER['REMOTE_ADDR'];
    $lastday = $firstday = time();
    $cntr = 1;
    // Self-assignment; has no effect.
   $author = $author;
    $query = "SELECT member, ip, author, cntr FROM loginlist WHERE member = '{$username}' AND ip = '{$ip}'";
    $result = mysql_query($query);
    if ($result && mysql_num_rows($result)) {
        $row = mysql_fetch_assoc($result);
        $row['cntr'] += 1;
        $lastday = time();
        $row['author'] = $author;
        // A stray e sits where the closing quote after {$username} belongs, leaving the SQL
        // quoting unbalanced; the UPDATE will most likely be rejected, unnoticed because
        // the result is never checked and errors are silenced.
        $query = "UPDATE loginlist SET lastday = '{$lastday}', cntr = '{$row['cntr']}', author = '{$row['author']}' WHERE member = '{$username}e AND ip = '{$ip}'";
        $result=mysql_query($query);
    } else {
        // First login for this member/IP pair: records the submitted hwid with block = 0.
        $query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, author, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '$author', '0')";
        $result=mysql_query($query);            
    }    
     // Check if IP address is blocked
    // Runs after the row above was written; LIMIT 1 without ORDER BY inspects one
    // unspecified row for this IP.
    $query = "SELECT * FROM loginlist WHERE ip = '{$ip}' LIMIT 1;";
    $result = mysql_query($query);
    if ($result) {
        $row = mysql_fetch_assoc($result);
        if ($row['block'] == 1) {
            echo "INVALID LOGIN2";    
            exit;
        } 
    }
    echo "VALID LOGIN";
} else {
// Also reached when the username does not exist; nothing here limits repeated attempts.
echo "INVALID LOGIN 3";
} 
?>


Oops, fixed Smile

INVALID LOGIN 3
Then your password is wrong Confused you could print_r the first $resultarr, but I'm tired and going to bed (it's 1am Sad)
password is correct, I am very thankful to you for your effort and time, maybe we fix it tomorrow or so Smile +
MyBB's password is stored as $hash = md5(md5($salt).md5($password));
You are using $hash = md5(md5($password.$salt).$salt);

This is deduced from the actual code MyBB uses (at least, the copy on my hard drive). Having different hashing code causes MyBB's hash of the password to not match your hash of the password, causing a failure to match.

MyBB also does not mysql_real_escape_string the password because the raw password never gets sent to the database. Escaping the password could drastically change the MD5, failing to match (because Hello'world is not the same as Hello\'world).

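Also, finally, sending the password in the URL via GET is a terrible idea because any Joe could just check the history and get the user's username and password. The full URL also tends to end up in web server access logs and proxy logs, so the credentials get stored in places nobody is protecting; sending them in a POST body over HTTPS avoids both problems.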
Ok try this:
<?php

// Fourth revision of the remote login check: the password is no longer escaped and the
// hash uses the md5(md5($salt).md5($password)) layout quoted earlier in this thread for
// MyBB. The loginlist hardware-ID and IP block checks are unchanged.
//
// NOTE(review): the mysql_* functions come from ext/mysql, deprecated in PHP 5.5 and
// removed in PHP 7.0; mysqli or PDO with prepared statements is the maintained route.

// Silences all PHP errors, so a failed query below produces no diagnostic.
error_reporting(0);

// Database settings
$host      = 'localhost';     
$user      = '';      
$password  = '';        
$database  = '';        

$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
// $conn now holds a boolean; later calls rely on the implicit last-opened connection.
$conn = mysql_select_db($database) or die ('Error selecting database.');

// Credentials are still read from the URL query string, which exposes them in browser
// history and web server access logs; a POST body over HTTPS avoids that.
$hwid = mysql_real_escape_string($_GET['hwid']);
// An empty or missing hwid is stored and compared as the literal '?'.
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
// The raw password is only ever hashed in this script, never placed in a query, so
// dropping the escaping is safe. The leftover closing parenthesis before the semicolon
// is a parse error; it is the one reported in the reply below.
$password = $_GET['password']);
//get the user info
// NOTE(review): only the column side is lowercased; matching a mixed-case $username
// depends on the column collation — confirm.
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';"; 
//make it into a mysql_assoc_array
// Unchecked: an unknown user makes mysql_fetch_assoc() return false.
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
// Salted MD5 is cheap to brute-force if the table ever leaks; the layout is kept because
// it has to match what the forum already stored.
$hash = md5(md5($salt).md5($password));

//check your hash against the one in the table
// `==` is a loose comparison (numeric-looking strings are compared as numbers);
// hash_equals() is the strict, constant-time alternative.
if ($resultarr['password'] == $hash)
{
    // Check membername and HWID 
    // Only enforced when the member already has a loginlist row; otherwise the submitted
    // hwid is simply recorded by the INSERT below.
    $query = "SELECT member, hwid FROM loginlist WHERE member = '{$username}'"; 
    $result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
if ($row['hwid']!=$hwid) {
echo "INVALID LOGIN1";
exit;
        }
    }
    // Update loginlist
    // REMOTE_ADDR goes into the queries below without escaping.
    $ip = $_SERVER['REMOTE_ADDR'];
    $lastday = $firstday = time();
    $cntr = 1;
    // Self-assignment; has no effect.
   $author = $author;
    $query = "SELECT member, ip, author, cntr FROM loginlist WHERE member = '{$username}' AND ip = '{$ip}'";
    $result = mysql_query($query);
    if ($result && mysql_num_rows($result)) {
        $row = mysql_fetch_assoc($result);
        $row['cntr'] += 1;
        $lastday = time();
        $row['author'] = $author;
        // A stray e sits where the closing quote after {$username} belongs, leaving the SQL
        // quoting unbalanced; the UPDATE will most likely be rejected, unnoticed because
        // the result is never checked and errors are silenced.
        $query = "UPDATE loginlist SET lastday = '{$lastday}', cntr = '{$row['cntr']}', author = '{$row['author']}' WHERE member = '{$username}e AND ip = '{$ip}'";
        $result=mysql_query($query);
    } else {
        // First login for this member/IP pair: records the submitted hwid with block = 0.
        $query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, author, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '$author', '0')";
        $result=mysql_query($query);            
    }    
     // Check if IP address is blocked
    // Runs after the row above was written; LIMIT 1 without ORDER BY inspects one
    // unspecified row for this IP.
    $query = "SELECT * FROM loginlist WHERE ip = '{$ip}' LIMIT 1;";
    $result = mysql_query($query);
    if ($result) {
        $row = mysql_fetch_assoc($result);
        if ($row['block'] == 1) {
            echo "INVALID LOGIN2";    
            exit;
        } 
    }
    echo "VALID LOGIN";
} else {
// Also reached when the username does not exist; nothing here limits repeated attempts.
echo "INVALID LOGIN 3";
} 
?>

Try that Smile
Parse error: syntax error, unexpected ')'