MyBB Community Forums

Full Version: MyBB Login Method - Check
Hi,

I'd just like someone to check the below MySQL query lines for using the MyBB login functions.

<?php
// Look up the user by the name passed in the query string.
// Note: $_GET['name'] is interpolated unescaped into the SQL string.
$query = mysql_query("SELECT * FROM mybb_users WHERE username = '".$_GET['name']."'");
if($row = mysql_fetch_array($query)){
	// MyBB stores password = md5(md5(salt) . md5(plaintext))
	$pass2 = md5(md5($row["salt"]).md5($_GET['pass']));
	if($pass2 == $row["password"])
		echo ''.(2+$row["usergroupid"]);   // success: 2 + usergroup id
	else
		echo '1';                           // wrong password
} else
	echo '0';                               // no such user
?>

Is this the correct/up-to date method of checking username and password against the MyBB table? Thanks.

$pass2 = md5(md5($row["salt"]).md5($_GET['pass']));

This is the line I need to make sure is correct.
Yes, that is correct. Though you should definitely sanitize the input. I'd also recommend not using the mysql_* functions if you're using this outside MyBB.

<?php
// Change these lines to suit your database connection
define('DB_HOST', 'localhost');
define('DB_NAME', '');
define('DB_USER_NAME', '');
define('DB_USER_PASS', '');

$link = null;
try {
    $link = new PDO('mysql:host='. DB_HOST .';dbname='.DB_NAME, DB_USER_NAME, DB_USER_PASS);
}
catch(PDOException $e) {
    die($e->getMessage());
}

// Prepared statement: the username is sent as a bound parameter, never
// concatenated into the SQL string.
$statement = $link->prepare("SELECT * FROM mybb_users WHERE username = :uname LIMIT 1");
// bindValue() accepts an expression; bindParam() needs a variable passed by reference
$statement->bindValue(':uname', trim((string) $_GET['username']));
$statement->setFetchMode(PDO::FETCH_OBJ);
$statement->execute();

if ($result = $statement->fetch()) {
    // MyBB stores password = md5(md5(salt) . md5(plaintext))
    $pass2 = md5(md5($result->salt).md5(trim((string) $_GET['pass'])));
    if($pass2 == $result->password) {
        echo (2 + $result->usergroup);   // success: 2 + usergroup id
    } else {
        echo '1';                        // wrong password
    }
} else {
    echo '0';                            // no such user
}
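The same check, as an added example in Python that is not from the thread or from MyBB itself: it applies the md5(md5(salt).md5(pass)) scheme the reply confirms, looks the user up in a constructed in-memory users table with a parameterized query, and compares the hashes in constant time. Column names follow the PDO snippet above; the sample user and salt are constructed.

```python
import hashlib
import hmac
import sqlite3


def mybb_hash(salt: str, password: str) -> str:
    """MyBB 1.x password hash: md5(md5(salt) . md5(password)), as confirmed in the thread."""
    inner = hashlib.md5(salt.encode()).hexdigest() + hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def check_login(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Return the thread's status codes: 0 = unknown user, 1 = wrong password,
    2 + usergroup = success. The username travels as a bound parameter, so quote
    characters in it are matched literally rather than parsed as SQL."""
    row = conn.execute(
        "SELECT salt, password, usergroup FROM mybb_users WHERE username = ? LIMIT 1",
        (username.strip(),),
    ).fetchone()
    if row is None:
        return 0
    salt, stored, usergroup = row
    # compare_digest avoids leaking how many leading characters matched via timing
    if hmac.compare_digest(mybb_hash(salt, password.strip()), stored):
        return 2 + usergroup
    return 1


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the mybb_users table (columns as in the PDO reply)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mybb_users (uid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, salt TEXT, usergroup INTEGER)"
    )
    salt = "x7Kq2pLm"  # constructed sample salt
    conn.execute(
        "INSERT INTO mybb_users VALUES (1, 'alice', ?, ?, 2)",
        (mybb_hash(salt, "correct horse"), salt),
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(check_login(db, "alice", "correct horse"))  # 4 (2 + usergroup 2)
    print(check_login(db, "alice", "wrong"))          # 1
    print(check_login(db, "bob", "anything"))         # 0
```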
Thanks for that Euan, below is the full login code. This is basically going to be used by an external program to authenticate users via MyBB, as in they'll need a forum account.

<?php

// Database connection details
$host = "localhost";
$user = "username";
$pass = "password";
$name = "database";

// The external program sends underscores in place of spaces in the username
$_GET['name'] = str_replace("_"," ",$_GET['name']);

// KEYREMOVED stands in for the shared secret, which is not shown in the post
if($_GET['crypt'] != KEYREMOVED){
	echo '-1';
	exit;
}
if(!@mysql_connect($host, $user, $pass))  {
	die("error connecting to mysql server - " . mysql_error());
}
if(!@mysql_select_db($name))  {
	die("error selecting mysql database - " . mysql_error());
}

// Note: $_GET['name'] is interpolated unescaped into the SQL string
$query = mysql_query("SELECT * FROM mybb_users WHERE username = '".$_GET['name']."'");
if($row = mysql_fetch_array($query)){
	// MyBB stores password = md5(md5(salt) . md5(plaintext))
	$pass2 = md5(md5($row["salt"]).md5($_GET['pass']));
	if($pass2 == $row["password"])
		echo ''.(2+$row["usergroupid"]);   // success: 2 + usergroup id
	else
		echo '1';                           // wrong password
} else
	echo '0';                               // no such user
?>
You should be able to pretty much swap out your code with mine so long as the server hosting the site has PDO support. Otherwise you might need to look at the mysqli_* functions.
(2013-04-05, 12:57 PM)Euan T Wrote: You should be able to pretty much swap out your code with mine so long as the server hosting the site has PDO support. Otherwise you might need to look at the mysqli_* functions.

Thank you very much, does it matter that you're not closing the PHP tags? I know it's not always important but just wanted to make sure.
Shouldn't cause any issue unless you're mixing PHP and HTML in the same file.