<?php
error_reporting(0);
// Database settings
$host = 'localhost';
$user = '';
$password = '';
$database = '';
$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
$conn = mysql_select_db($database) or die ('Error selecting database.');
$hwid = mysql_real_escape_string($_GET['hwid']);
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
//get the user info
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';";
//make it into a mysql_assoc_array
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
$hash = md5(md5($password.$salt).$salt);
//check your hash against the one in the table
if ($resultarr['hash'] == $hash)
{
// Check membername and HWID
$query = "SELECT member, hwid FROM loginlist WHERE member = '{$username}'";
$result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
if ($row['hwid']!=$hwid) {
echo "INVALID LOGIN1";
exit;
}
}
// Update loginlist
$ip = $_SERVER['REMOTE_ADDR'];
$lastday = $firstday = time();
$cntr = 1;
$author = $author;
$query = "SELECT member, ip, author, cntr FROM loginlist WHERE member = '$username' AND ip = '$ip'";
$result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_array($result);
$row[cntr] += 1;
$lastday = time();
$row[author] = $author;
$query = "UPDATE loginlist SET lastday = '$lastday', cntr = '$row[cntr], author = '$row[author]' WHERE member = '$username' AND ip = '$ip'";
$result=mysql_query($query);
} else {
$query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, author, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '$author', '0')";
$result=mysql_query($query);
}
// Check if IP address is blocked
$query = "SELECT * FROM loginlist WHERE ip = '{$ip}' LIMIT 1;";
$result = mysql_query($query);
if ($result) {
$row = mysql_fetch_assoc($result);
if ($row['block'] == 1) {
echo "INVALID LOGIN2";
exit;
}
}
echo "VALID LOGIN";
} else {
echo "INVALID LOGIN 3";
}
?>
<?php
error_reporting(0);
// Database settings
$host = 'localhost';
$user = '';
$password = '';
$database = '';
$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
$conn = mysql_select_db($database) or die ('Error selecting database.');
$hwid = mysql_real_escape_string($_GET['hwid']);
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
//get the user info
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';";
//make it into a mysql_assoc_array
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
$hash = md5(md5($password.$salt).$salt);
//check your hash against the one in the table
if ($resultarr['password'] == $hash)
{
// Check membername and HWID
$query = "SELECT member, hwid FROM loginlist WHERE member = '{$username}'";
$result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
if ($row['hwid']!=$hwid) {
echo "INVALID LOGIN1";
exit;
}
}
// Update loginlist
$ip = $_SERVER['REMOTE_ADDR'];
$lastday = $firstday = time();
$cntr = 1;
$author = $author;
$query = "SELECT member, ip, author, cntr FROM loginlist WHERE member = '{$username}' AND ip = '{$ip'}";
$result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
$row['cntr'] += 1;
$lastday = time();
$row['author'] = $author;
$query = "UPDATE loginlist SET lastday = '{$lastday}', cntr = '{$row['cntr'],} author = '{$row['author']}' WHERE member = '{$username}e AND ip = '{$ip}'";
$result=mysql_query($query);
} else {
$query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, author, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '$author', '0')";
$result=mysql_query($query);
}
// Check if IP address is blocked
$query = "SELECT * FROM loginlist WHERE ip = '{$ip}' LIMIT 1;";
$result = mysql_query($query);
if ($result) {
$row = mysql_fetch_assoc($result);
if ($row['block'] == 1) {
echo "INVALID LOGIN2";
exit;
}
}
echo "VALID LOGIN";
} else {
echo "INVALID LOGIN 3";
}
?>
Try that
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting '}
line 49
<?php
error_reporting(0);
// Database settings
$host = 'localhost';
$user = '';
$password = '';
$database = '';
$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
$conn = mysql_select_db($database) or die ('Error selecting database.');
$hwid = mysql_real_escape_string($_GET['hwid']);
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
//get the user info
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';";
//make it into a mysql_assoc_array
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
$hash = md5(md5($password.$salt).$salt);
//check your hash against the one in the table
if ($resultarr['password'] == $hash)
{
// Check membername and HWID
$query = "SELECT member, hwid FROM loginlist WHERE member = '{$username}'";
$result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
if ($row['hwid']!=$hwid) {
echo "INVALID LOGIN1";
exit;
}
}
// Update loginlist
$ip = $_SERVER['REMOTE_ADDR'];
$lastday = $firstday = time();
$cntr = 1;
$author = $author;
$query = "SELECT member, ip, author, cntr FROM loginlist WHERE member = '{$username}' AND ip = '{$ip}'";
$result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
$row['cntr'] += 1;
$lastday = time();
$row['author'] = $author;
$query = "UPDATE loginlist SET lastday = '{$lastday}', cntr = '{$row['cntr']}', author = '{$row['author']}' WHERE member = '{$username}e AND ip = '{$ip}'";
$result=mysql_query($query);
} else {
$query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, author, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '$author', '0')";
$result=mysql_query($query);
}
// Check if IP address is blocked
$query = "SELECT * FROM loginlist WHERE ip = '{$ip}' LIMIT 1;";
$result = mysql_query($query);
if ($result) {
$row = mysql_fetch_assoc($result);
if ($row['block'] == 1) {
echo "INVALID LOGIN2";
exit;
}
}
echo "VALID LOGIN";
} else {
echo "INVALID LOGIN 3";
}
?>
Oops, fixed
Then your password is wrong
you could print_r the first $resultarr, but I'm tired and going to bed (it's 1am
)
password is correct , I am very thankfull to you for your effort and time, maybee we fix it tomorrow or so
+
MyBB's password is stored as $hash = md5(md5($salt).md5($password));
You are using $hash = md5(md5($password.$salt).$salt);
This is deduced from the actual code MyBB uses (at least, the copy on my hard drive). Having different hashing code causes MyBB's hash of the password to not match your hash of the password, causing a failure to match.
MyBB also does not mysql_real_escape_string the password because the raw password never gets sent to the database. Escaping the password could drastically change the MD5, failing to match (because Hello'world is not the same as Hello\'world).
Also, finally, sending the password in the URL via GET is a terrible idea because any Joe could just check the history and get the user's username and password.
Ok try this:
<?php
error_reporting(0);
// Database settings
$host = 'localhost';
$user = '';
$password = '';
$database = '';
$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
$conn = mysql_select_db($database) or die ('Error selecting database.');
$hwid = mysql_real_escape_string($_GET['hwid']);
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
$password = $_GET['password']);
//get the user info
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';";
//make it into a mysql_assoc_array
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
$hash = md5(md5($salt).md5($password));
//check your hash against the one in the table
if ($resultarr['password'] == $hash)
{
// Check membername and HWID
$query = "SELECT member, hwid FROM loginlist WHERE member = '{$username}'";
$result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
if ($row['hwid']!=$hwid) {
echo "INVALID LOGIN1";
exit;
}
}
// Update loginlist
$ip = $_SERVER['REMOTE_ADDR'];
$lastday = $firstday = time();
$cntr = 1;
$author = $author;
$query = "SELECT member, ip, author, cntr FROM loginlist WHERE member = '{$username}' AND ip = '{$ip}'";
$result = mysql_query($query);
if ($result && mysql_num_rows($result)) {
$row = mysql_fetch_assoc($result);
$row['cntr'] += 1;
$lastday = time();
$row['author'] = $author;
$query = "UPDATE loginlist SET lastday = '{$lastday}', cntr = '{$row['cntr']}', author = '{$row['author']}' WHERE member = '{$username}e AND ip = '{$ip}'";
$result=mysql_query($query);
} else {
$query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, author, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '$author', '0')";
$result=mysql_query($query);
}
// Check if IP address is blocked
$query = "SELECT * FROM loginlist WHERE ip = '{$ip}' LIMIT 1;";
$result = mysql_query($query);
if ($result) {
$row = mysql_fetch_assoc($result);
if ($row['block'] == 1) {
echo "INVALID LOGIN2";
exit;
}
}
echo "VALID LOGIN";
} else {
echo "INVALID LOGIN 3";
}
?>
Try that
Parse error: syntax error, unexpected ')'