2015-09-02, 01:20 PM
Hi,
Installed MyBB 1.8.5 in the "domain/forum/" directory.
I also have a "domain/server/" directory that contains some scripts.
I have software that communicates with "domain/server/login.php", and if the login credentials are accepted, it then returns some data to the software.
I have been using a separate user table for login authentication, but after installing MyBB, I wanted to use the same username/password of the forum for the program, so:
$data = json_decode($_POST['user_data']);
$username = $data->{'username'};
$password = $data->{'password'}; // md5 encoded password
$query = "SELECT username, salt, password, acc_t FROM MyBBprefix_users WHERE username = '$username';";
/* I went cheeky and added some additional columns into MyBB user table too, acc_t is one of them and I hope it won't cause me troubles in the long run */
$r = mysqli_query($db_connection, $query);
if ($r == TRUE) {
    $user = mysqli_fetch_assoc($r);
    $encrypted_password = md5(md5($user['salt']) . $password); // $password is MD5 encoded
    if (($user["password"] == $encrypted_password) && ($user['username'] == $username)) {
        $data = ""; // some data according to acc_t
    } else {
        $data = ""; // some data for guest
    }
    // free the result only when the query actually returned one
    mysqli_free_result($r);
}
echo json_encode($data);
mysqli_close($db_connection);
Thing is, this script works fine. But I am not good at PHP and I fear SQL injections and whatnot.
So, I was thinking that MyBB's built-in login routine will be safer than anything I could ever write, and if I somehow manage to use it, it will save me lots of headaches validating user input.
I want to use MyBB's login function from within "domain/server/login.php". If login is successful, I want to receive SELECT * FROM MyBBprefix_users WHERE username == $data ->{'username'};
Hope I made sense.
Thanks in advance.
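
A hardened form of the login.php check in the post above, added here as an example; it is not the poster's code and not MyBB's own login routine. It assumes `$db_connection` is an open mysqli connection and that the client still sends the MD5 of the password; the function name `check_forum_login` is hypothetical, while the table and column names are the ones from the post.

```php
<?php
// Added example. Assumption: $db_connection is an open mysqli handle.

/** Return username and acc_t on a successful login, or null otherwise. */
function check_forum_login(mysqli $db, string $rawJson): ?array
{
    $data = json_decode($rawJson, true);
    // Reject malformed JSON and unexpected types before touching the database.
    if (!is_array($data)
        || !isset($data['username'], $data['password'])
        || !is_string($data['username'])
        || !is_string($data['password'])
        || !preg_match('/^[a-f0-9]{32}$/', $data['password'])) {
        return null;
    }

    // The username travels as a bound parameter, so quotes inside it
    // cannot change the structure of the query.
    $stmt = $db->prepare(
        'SELECT username, salt, password, acc_t
           FROM MyBBprefix_users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $data['username']);
    $stmt->execute();
    $stmt->bind_result($name, $salt, $stored, $accT);
    $found = $stmt->fetch();
    $stmt->close();
    if ($found !== true) {
        return null; // no such user, or a fetch error
    }

    // Same scheme as the post: md5(md5(salt) . md5(password)).
    $expected = md5(md5((string) $salt) . $data['password']);
    // hash_equals() compares in constant time and does no type juggling,
    // unlike the loose == comparison.
    if (!hash_equals((string) $stored, $expected)) {
        return null;
    }
    return ['username' => $name, 'acc_t' => $accT];
}

$raw  = $_POST['user_data'] ?? '';
$user = check_forum_login($db_connection, is_string($raw) ? $raw : '');
echo json_encode($user ?? ['guest' => true]);
```

Returning a fixed guest response on every failure path also avoids echoing the decoded request back to the client when the query fails.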