MyBB Community Forums

Full Version: External Login (PHP)
So I'm trying to create an external login for my software. If the login is correct it echoes 1 and if it's incorrect it echoes 0, but at the moment it just echoes 1 even if the login data is incorrect.

(I am new at PHP)

This is my code:
<?php
define('IN_MYBB', NULL);
global $mybb, $lang, $query, $db, $cache, $plugins, $displaygroupfields;
require_once 'global.php';
require_once 'MyBBIntegrator.php';
$MyBBI = new MyBBIntegrator($mybb, $db, $cache, $plugins, $lang, $config); 

$action = $_GET['action'];

$username = ($_GET['username']);
$password = ($_GET['password']);

if(!$action)
{
	echo "Please enter an action.";
}
else
{	
	if($action == "login")
	{
		$login_status = $MyBBI->login($username, $password);
		
		if ($login_status == true)
		{
			echo "1";
		}
		else
		{
			echo "0";
		}
		
	}
	else
	{
		echo "Invalid action.";
	}
}

?>
So you log in: 
https://example.com/login.php?action=log...d=PASSWORD

I used the MyBBIntegrator.

I hope someone can help me, and sorry for the bad English, I'm German.

Be careful with this kind of thing; accounts can be brute forced unless there's some sort of real security in place.

Have you checked what $login_status returns? Try using if ($login_status) { } else { }

I don't know MyBBIntegrator, but some things that came to my mind:

- The code seems "OK". Did you try to "log out" after the "login"? Because it will execute a login action, your cookies etc. might keep your session active, so if you are already logged in, it probably won't check your username/password again. If you think you are really not logged in and it keeps returning "true", try var_dump($login_status); die; before the "if" check and see what it's really returning, since you are using "==" and PHP might return true if you have some data in the variable.

- You MUST escape all data that comes from (mainly) the external environment. (Google for string escape.)

That integrator is a nightmare trying to look through, but you really need to escape that data before you just try logging in with it. As far as I could tell trying to navigate the login method of the integrator class, it never actually sanitizes most of the data before it tries it on the database. So you're pretty ripe for SQL injection if you use it without sanitizing input.
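
An added example, not part of the thread and not MyBB or MyBBIntegrator code: a stand-alone PHP sketch of two points raised in the replies, a strict `=== true` check on the login result and a per-username failure limit against brute forcing. The user store, `check_credentials()`, `attempt_login()`, the array it returns for an unknown user and the thresholds are all assumptions made for the illustration.

```php
<?php
// Added example: stand-alone sketch, not MyBB or MyBBIntegrator code.
// check_credentials(), attempt_login() and $failures are hypothetical names.

const MAX_FAILURES = 5;    // assumed lockout threshold
const LOCK_SECONDS = 900;  // assumed length of the counting window

// Constructed user store; a real forum would query its own user table.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Stand-in for a login call that can return something other than a bool.
// The array return for unknown users is an assumption chosen to show the trap.
function check_credentials(array $users, string $user, string $pass)
{
    if (!isset($users[$user])) {
        return ['error' => 'unknown user']; // non-empty array: loosely equal to true
    }
    return password_verify($pass, $users[$user]);
}

function attempt_login(array $users, array &$failures, string $user, string $pass, int $now): string
{
    $f = $failures[$user] ?? ['count' => 0, 'since' => $now];
    if ($now - $f['since'] > LOCK_SECONDS) {
        $f = ['count' => 0, 'since' => $now]; // window expired, start counting again
    }
    if ($f['count'] >= MAX_FAILURES) {
        return 'locked';                      // refuse before touching the password check
    }
    $status = check_credentials($users, $user, $pass);
    if ($status === true) {                   // strict: only boolean true is a success
        unset($failures[$user]);
        return '1';
    }
    $f['count']++;
    $failures[$user] = $f;
    return '0';
}

$failures = [];
$now = 1700000000; // constructed timestamp
// Loose comparison treats the error array as a successful login:
var_dump(check_credentials($users, 'mallory', 'x') == true);
echo attempt_login($users, $failures, 'mallory', 'x', $now), "\n";
echo attempt_login($users, $failures, 'alice', 'correct horse', $now), "\n";
for ($i = 0; $i < 6; $i++) {
    $last = attempt_login($users, $failures, 'alice', 'guess' . $i, $now + $i);
}
echo $last, "\n"; // result of the sixth consecutive wrong guess
```

The failure counter here lives in a PHP array for the demonstration; in a real endpoint it would need to persist between requests.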