MyBB Community Forums

MyBB Community Forums > 1.8 Support > General Support > Access MyBB database user table from my own php script
Full Version: Access MyBB database user table from my own php script
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

rahat

2015-09-02, 01:20 PM
Hi,

Installed MyBB 1.8.5 in "domain/forum/" directory.
I also have a "domain/server/" directory that contain some scripts.
I have a software that communicates with "domain/server/login.php" and if login credentials are accepted, it then returns some data to the software.

I been using a separate user table for login authentication, but after installing MyBB, I wanted to use same username/password of forum for the program, so:

$data = json_decode($_POST[user_data]);
$username = $data ->{'username'};
$password = $data ->{'password'};//md5 encoded password

$query = "SELECT username, salt, password, acc_t FROM MyBBprefix_users WHERE username = '$username';" ;
/*I went cheeky and added some additional columns into MyBB user table too, acc_t is one of them and I hope it wont cause me troubles in the long run*/

$r = mysqli_query($db_connection, $query);

if($r ==  TRUE){
	$user = mysqli_fetch_assoc($r);
	$encrypted_password = md5(md5($user['salt']). $password); //$password is MD5 encoded
	if(($user["password"] == $encrypted_password) && ($user['username'] == $username){
		$data = "";//some data according to acc_t 
		
	} else {
		$data = "";//some data for guest
	}
}

echo json_encode($data);
mysqli_free_result($r);
mysqli_close($db_connection);

Thing is, this script works fine. But I am not good at php and I fear sql injections and what not.
So, I was thinking that MyBB's built-in login routine will be more safer then I could ever write and if I somehow manage to use it, it will save me lots of headaches to validate user input. 


I want to use MyBB's login function from within "domain/server/login.php". If login is successful, want to receive SELECT * FROM MyBBprefix_users WHERE username == $data ->{'username'};

Hope i made sense.

Thanks in advance.

avril

2015-09-02, 02:03 PM
why not let MyBB to handle its stuff like login, verification, database and everything else that belongs to it.

you can access it and or interact with it in your custom scripts like this :

<?php
// this is custom script 

// will connect to our MyBB
define("IN_MYBB", 1);
define('THIS_SCRIPT', 'mytestscript.php');
require_once "../forum/global.php";

// will even implement our own hooks for mybb that can be used by plugins
$plugins->run_hooks("mycustomscript_begin_stuff");

// and do our stuff
// for example lets see if user is loged in
if ($mybb->user['uid'] > 0) {
    // if he are, lets see his nick name    
    echo "loged in user name : ".$mybb->user['username'];
    // want to see whats more out there about this user ? try to   die(print_r($mybb->user));
} else {
    // his a guest we may redirect him to login screen
    redirect ($mybb->settings['bburl']."/member.php?action=login");
}

// and again how about a custom hook
$plugins->run_hooks("mycustomscript_end_stuff");

you can also use here all MyBB objects, functions and stuff
so answering your post title "how to access MyBB database user table from my own php script" you could do

	$query = $db->query('
			SELECT * FROM '.TABLE_PREFIX.'users
			WHERE uid = '.intval($mybb->user["uid"]).'
		');

rahat

2015-09-02, 06:28 PM
Thanks avril for your answer. I used following statement:


$username = "testuser"; //test account
   $query = $db->query('
            SELECT * FROM '.TABLE_PREFIX.'users
            WHERE username = '.$db->escape_string($username).'
        ');

and received following error:

Quote:MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
1054 - Unknown column 'testuser' in 'where clause'
Query:
SELECT * FROM bb_prefix_users WHERE username = testuser


Any ideas?

Ad Bakker

2015-09-02, 06:57 PM
$username must be n double quotes I think, and I don't believe it is necessary to escape it

$username = "testuser"; //test account
   $query = $db->query('
            SELECT * FROM '.TABLE_PREFIX.'users
            WHERE username = "'.$username.'"
            ');

rahat

2015-09-03, 08:06 AM
Thank you Ad Bakker (and avril), 
I successfully retrieved the data from user table Smile 

Just last thing I want to confirm is: $username and $password are received from user, is it wise to use $username directly in query without sanitizing?

   $query = $db->query('
            SELECT * FROM '.TABLE_PREFIX.'users
            WHERE username = "'.$username.'"
            LIMIT 1');

or 

   $query = $db->query('
            SELECT * FROM '.TABLE_PREFIX.'users
            WHERE username = "'.$db->escape_string($username).'"
            LIMIT 1');


Yes, I've seen you saying that its not necessary to escape it... just want to make sure, call me paranoid Toungue

avril

2015-09-03, 12:26 PM
(2015-09-03, 08:06 AM)rahat Wrote: [ -> ]Yes, I've seen you saying that its not necessary to escape it... just want to make sure, call me paranoid Toungue
Its a good habit to make sure that something is what it should be instead of assuming, especially when it comes to security.
I could even say - its a must which should be a habit.

rahat

2015-09-03, 01:00 PM
Thnx guys, did I mention MyBB community is awesome?
Friendly community.
Quick response.
To the point guidance.
what else one can ask?
MyBB Community Forums > 1.8 Support > General Support > Access MyBB database user table from my own php script