MyBB Community Forums

Full Version: Where can I find template user variables?
I'd like to know how exactly I can insert variables like the logged in user's information into the header. I'd like to know if I can get the username, password, and "group" (a.k.a. Member, Moderator, Super Moderator, or Administrator).

I don't know if this is the right forum to post such a question, but could someone please help me? I figured I'd find this on the Wiki, but I didn't.

Here's an example of what I'm looking for:

Template: header

What's up, {$username}! Your password is {$password} and you are a {$groupname}!

only obviously I won't be just displaying the password like that.
The info for the current user is stored in the array $mybb->user

Some common ones you may be interested in:
$mybb->user['uid']
$mybb->user['username']
$mybb->user['email']
$mybb->user['avatar']

You can only display the hashed password using $mybb->user['password'], but since it is one-way hashed with MD5, you can't display the original unencrypted password.

The info for the current user's usergroup is stored in the array $mybb->usergroup.

I think the following shows the group name, but this is just off the top of my head.
$mybb->usergroup['title']
OK, but there's an alternate way to grab the password, because I could write an additional query after registration (I posted a question on the topic here) that would store the plaintext version of the password in a separate MySQL table, associate it with the user's username, and then call it later from my new script to send it if needed through a POST header, or simply through an embedded query.

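<?php
 mysql_connect(...);
 mysql_select_db(...);
 // Quote and escape the username so the query is valid SQL and the value cannot alter it
 $result = mysql_query("SELECT * FROM myscript_mybbusers WHERE username = '" . mysql_real_escape_string($username) . "';");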

and then locate the password.

Thanks for the variable names!
Storing the password as plain text isn't a good idea. If someone managed to find a way to inject SQL into your forum, then they could somehow get access to that one table, and get the users' raw password, and then log in as that user. It presents a big security risk.
(2008-06-30, 07:13 PM)DennisTT Wrote: The info for the current user is stored in the array $mybb->user

Some common ones you may be interested in:
$mybb->user['uid']
$mybb->user['username']
$mybb->user['email']
$mybb->user['avatar']

You can only display the hashed password using $mybb->user['password'], but since it is one-way hashed with MD5, you can't display the original unencrypted password.

The info for the current user's usergroup is stored in the array $mybb->usergroup.

I think the following shows the group name, but this is just off the top of my head.
$mybb->usergroup['title']
Sure he can
Don't fool people like that LOL :P
U can reverse md5 LOL
MD5 is a hash, hashes are one way. The only way to break an MD5 hash is by brute-force.
That is my point.
Yes, brute-force. But this isn't a complete solution also. No one can guarantee it to break. Breaking hashes may take years depending on characters in the hash and length of hash.
(2008-06-30, 08:51 PM)dikidera Wrote: Sure he can
Don't fool people like that LOL :P
U can reverse md5 LOL

His solution works much better than yours, albeit at the cost of security. Your solution will make your users wait for days for their own password to be cracked.
(2008-06-30, 10:17 PM)DennisTT Wrote:
(2008-06-30, 08:51 PM)dikidera Wrote: Sure he can
Don't fool people like that LOL :P
U can reverse md5 LOL

His solution works much better than yours, albeit at the cost of security. Your solution will make your users wait for days for their own password to be cracked.

Correction: Her solution. ;)

I think I've got a workaround because I created my own encryption system instead of md5(). It's less secure, but I encrypt everything using a random set of character replacements. It'll at least take a while for anyone to decrypt it without knowing the key. It's pretty basic (albeit long). It's sort of like this:
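// str_replace() returns the substituted string, so the result is assigned back to $pass
$pass = str_replace("A", "#", $pass);
$pass = str_replace("B", "@", $pass);
$pass = str_replace("C", "8", $pass);
$pass = str_replace("D", "u", $pass);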

etc., etc. before storing it in the database, then I use a reverse of the script to decrypt the password.

Like I said, it's crappy, but it's better than raw, right?

...Right? I hope so.

I don't think anyone will be SQL-injecting anyway, so I'll probably be fine.
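
The risk raised in the replies above (a plaintext or reversibly substituted password column that becomes readable through SQL injection) disappears if the second script verifies a submitted password instead of retrieving a stored one. The following is an added PHP example, not code from this thread or from MyBB; the `myscript_users` table, the function names and the sample account are assumptions, and it uses an in-memory SQLite database through PDO so that it runs on its own:

```php
<?php
// Added example: constructed schema and sample data, not MyBB's own tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE myscript_users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Registration: store a salted, deliberately slow hash. The plaintext is never written.
function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO myscript_users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login from the second script: the user submits the password again and it is
// checked against the stored hash, so nothing ever has to be decrypted.
function check_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username is passed as data, never as part of the SQL text.
    $stmt = $db->prepare('SELECT pass_hash FROM myscript_users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // An unknown user and a wrong password both yield false.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample account.
register_user($db, 'alice', 'correct horse battery staple');

var_dump(check_login($db, 'alice', 'correct horse battery staple')); // matching password
var_dump(check_login($db, 'alice', 'wrong guess'));                  // wrong password
var_dump(check_login($db, "o'neil", 'anything'));                    // apostrophe is plain data
```

A dump of this table yields only `password_hash()` output, which carries its own random salt and cost factor, so there is no key or replacement table whose disclosure would reveal every password at once.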