MyBB Community Forums

Full Version: Add IP confirmation in admin/index.php
Sorry if this is the wrong section for this.

I have written functional PHP code which would send a mail if the IP has not been confirmed in the database or if the IP does not exist yet. (I have not checked it for SQL injections and can't test the mail part out since I wrote it on XAMPP (no mail server :< ).) But now I was wondering if somebody could help me make it work for the current 1.6 version.

How it should work is:

Go to your AdminCP > You log in > Then the IP check follows > And if that is successful it will show the AdminCP

The code below is non-MyBB related (and a really easy first look at it), and since plugins won't work for that part of the admin/index.php, I was wondering how I would merge this more or less with the admin/index.php.

Things it needs to do are:

-Get the email address from the admin account that just logged in.
-Check if the IP address this person is on is already confirmed/in the database yes/no.
-If not, send mail with confirmation code etc. etc.

For more information, read the suggestion for 2.0 thread:
http://community.mybb.com/thread-126209-...13114.html

<?php
include("config.php");

$ip = $_SERVER['REMOTE_ADDR'];
$email = "...";

$headers = 'From: ...' . "\r\n" .
    'Reply-To: ...' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();
$cTable = "CREATE TABLE IF NOT EXISTS `adminIP` (
    `id` int(11) unsigned NOT NULL auto_increment,
    `ip` varchar(255) NOT NULL default '',
    `eip` varchar(255) NOT NULL default '',
    `conf` tinyint(1) NOT NULL default '0',
    PRIMARY KEY  (`id`)
	) ENGINE=MyISAM  DEFAULT CHARSET=utf8";

//Create the table in the database if it does not exist yet.
$cQuery = mysql_query($cTable);
if(!$cQuery){
	die ("Table creation unsuccessful: ". mysql_error());
}

//Make sure IP address is not empty.

if($ip != ''){

	//Check if IP address is already in the table.

	$IPcheck = mysql_query("SELECT * FROM adminIP WHERE ip='".$ip."'");
	$IProws = mysql_num_rows($IPcheck);
	$IProw = mysql_fetch_array($IPcheck);
	if ((isset($IProws)) && ($IProws == 0))
	{
		//IP address does not exist (what to do code below)
		$eip = sha1($ip);
		$message = "
		Hello it has come to our attention that you are trying to confirm your IP adress
		Do so by copying the code below:
		code = $eip";
		mysql_query("INSERT INTO adminIP (ip, eip, conf)
					VALUES ('".$ip."', '".$eip."',0)");
		@mail($email, 'Test IP sender', $message, $headers);
		@$code = $_POST["code"];
		//check if form is submitted. 
		if (!isset($_POST['submit'])) { 
		?>	
			<form method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>">
			<strong>Code:</strong><input type="text" size="20" maxlength="100" name="code">:<br />
			<input type="submit" value="submit" name="submit">
			</form>
		<?php
		} else {
			//check if code is correct
			if($code == $eip){
				echo "The IP adress has been confirmed. <br /> Welcome!";
				$sql = "UPDATE adminIP SET conf=1 WHERE eip='".$eip."'";
				$update = mysql_query($sql);
			} else {
				echo "This code is incorrect please try again by reloading the page, 
or wait 10 seconds to let this happen automatically.";
				$page = $_SERVER['PHP_SELF']; 
				$time = "10";
				header("Refresh: $time; url=$page");	
			}
		}
		
	} else {
		//IP address does exist (what to do code below)
		//Check if IP address has been confirmed.
		$eip = $IProw['eip'];
		if($IProw['conf'] == 1){
			echo "Welcome, good to see you back";
		} else {
			echo "You have not yet confirmed your IP address,
confirm it now by copying the code into the textbox below.";
			$message = "
			Hello it has come to our attention that you are trying to confirm your IP adress
			Do so by copying the code below:
			code = $eip";
			@mail($email, 'Test IP sender', $message, $headers);
			@$code = $_POST["code"];
			//check if the form is submitted.
			if (!isset($_POST['submit'])) { 
			?>	
				<form method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>">
				<strong>Code:</strong><input type="text" size="20" maxlength="100" name="code">:<br />
				<input type="submit" value="submit" name="submit">
				</form>
			<?php
			} else {
				echo "<br />code =".$code."<br />";
				echo "ecode =".$eip."<br />";
				//Check if the code is correct
				if($code == $eip){
					echo "The IP adress has been confirmed. <br /> Welcome!";
					$sql = "UPDATE adminIP SET conf=1 WHERE eip='".$eip."'";
					$update = mysql_query($sql);
				} else {
					echo "This code is incorrect please try again by reloading the page, 
or wait 10 seconds to let this happen automatically.";
					$page = $_SERVER['PHP_SELF']; 
					$time = "10";
					header("Refresh: $time; url=$page");
				
				}
			}
		}
	}
} else {
	echo "You dont appear to have a valid IP adress.";
}
?>

So is it possible to do something like shown above in the admin/index.php?
And if so, what improvements does it need/how would you need to implement it?
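
A hardened core of the confirm-the-IP flow from the post above, as an added example that is not the poster's code or KevinVR's patch: the base code mails sha1($ip), which anyone who knows the address can recompute without reading the mail, so this version mails a random token, stores only its hash per admin account, and uses prepared statements. The admin_ip table, its columns, the function names and the in-memory SQLite store are assumptions for illustration.

```php
<?php
// Added example. Table, column and function names are hypothetical.
declare(strict_types=1);

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin_ip (
        uid INTEGER NOT NULL, ip TEXT NOT NULL, token_hash TEXT NOT NULL,
        expires INTEGER NOT NULL, conf INTEGER NOT NULL DEFAULT 0,
        PRIMARY KEY (uid, ip))');
    return $db;
}

// Create (or replace) a pending confirmation; returns the token to e-mail.
function issue_token(PDO $db, int $uid, string $ip, int $ttl = 900): string {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('invalid IP address');
    }
    $token = bin2hex(random_bytes(16)); // random, not derived from the IP
    $st = $db->prepare('REPLACE INTO admin_ip (uid, ip, token_hash, expires, conf)
                        VALUES (?, ?, ?, ?, 0)');
    $st->execute([$uid, $ip, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// Mark the IP as confirmed only for a matching, unexpired token.
function confirm_ip(PDO $db, int $uid, string $ip, string $submitted): bool {
    $st = $db->prepare('SELECT token_hash, expires FROM admin_ip
                        WHERE uid = ? AND ip = ? AND conf = 0');
    $st->execute([$uid, $ip]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return false; // nothing pending for this account and IP, or expired
    }
    // Constant-time comparison of the stored hash with the submitted token's hash.
    if (!hash_equals($row['token_hash'], hash('sha256', $submitted))) {
        return false;
    }
    $db->prepare('UPDATE admin_ip SET conf = 1 WHERE uid = ? AND ip = ?')
       ->execute([$uid, $ip]);
    return true;
}

// Constructed demo: uid 1 and a documentation-range address.
$db = open_store();
$ip = '203.0.113.7';
$token = issue_token($db, 1, $ip);
var_dump(confirm_ip($db, 1, $ip, sha1($ip))); // code recomputed from the IP
var_dump(confirm_ip($db, 1, $ip, $token));    // token taken from the mail
```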
Nice bit of code you got there!
(2012-09-16, 04:53 PM)JordanMussi Wrote: [ -> ]Nice bit of code you got there!

Could probably be better, making it only save two IP addresses for example. And those would only be tied to the admin account, so each admin account would have 1 trusted IP instead of a table of trusted IPs. Ah well, I wanted to keep it not that difficult and just a simple script, only hoping somebody knows how to add this to the MyBB core :)
One of the Development Team will be able to do it.
Well I'm not at home so I can't help you much right now. It's not hard to find where to put it though, read the admin/index.php file and a lot of the code speaks for itself (for me anyway :P). I'm not sure if the login is in the /modules folder, you'll have to check it out.

I'll have a look at it once I'm home. If I had time, I'd be glad to implement it for you, but my time would be more useful fixing bugs since that will be used by everybody instead of just a few people who download the patch. If I do come across some free time, I might implement it for you and the others.
(2012-09-16, 08:37 PM)KevinVR Wrote: [ -> ]Well I'm not at home so I can't help you much right now. It's not hard to find where to put it though, read the admin/index.php file and a lot of the code speaks for itself (for me anyway :P). I'm not sure if the login is in the /modules folder, you'll have to check it out.

I'll have a look at it once I'm home. If I had time, I'd be glad to implement it for you, but my time would be more useful fixing bugs since that will be used by everybody instead of just a few people who download the patch. If I do come across some free time, I might implement it for you and the others.

Oh, it's not needed right now immediately, and I would really appreciate it if it was implemented by somebody with knowledge of the MyBB software (be it a developer or plugin writer etc.), to make it more compatible with MyBB (database functions etc.). So if you do find some time I would greatly appreciate it if you would implement it. But I fully understand that bug fixing comes first :)
Alright so I did make a patch like you requested. I've PMed it to you. Once you test it and feel it's bug-free (I think it is), I'll release it for others to download and use.
It's safe to release :)

I have changed a few things to match my personal needs, but the one of KevinVR is more secure and will do exactly what people need, and it works perfectly :).

For people who are looking for information, please visit KevinVR's website:

http://forums.signaware.com/thread-7.html

This is the thread that will contain more information about this patch in the future.
You should use MyBB's database object instead of mysql_query, and error suppression (@) is just lazy.
(2012-09-17, 11:38 PM)CAwesome Wrote: [ -> ]You should use MyBB's database object instead of mysql_query, and error suppression (@) is just lazy.

It was a base code, CAwesome, and if you had read the code you could have clearly seen it has no tie-ins with MyBB.

The two @ are indeed a lazy solution to a simple problem. In this case the problem being that when I wrote that "base" code it was to see if it was possible outside MyBB (me before today having no clue how the MyBB database functions work etc.).

And those @ were placed in two locations.

@mail($email, 'Test IP sender', $message, $headers);
@$code = $_POST["code"];

The first is in front of the mail, which doesn't work on XAMPP.
The second is in front of the form field retrieve code, which otherwise produces a warning (yes, I could move it below the post but I didn't want to do that). The finished code has neither of these anymore. And thanks to Kevin I have written a bug-free way that does exactly what the base code did, but now works by clicking a link sent to you in your mail. Then wait 5 seconds until the page is reloaded.