MyBB Community Forums

MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.4 > MyBB 1.4 General Support > pointing my login script to mybb_users
Full Version: pointing my login script to mybb_users
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

golith

2010-07-02, 08:10 PM
Hi
I have pointed my script to the table and it works .. kinda
if i copy paste the password as it is encrypted then i can get into my site

but when i use type it in myself it wont work

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// encrypt password
$encrypted_mypassword=md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword";

all attempts have failed this far

anyhelp would be appreciated

regards golith

Brains

2010-07-02, 09:06 PM
You'll want to do something like $sql = "SELECT * FROM $tbl_name WHERE username='".$myusername."'";
Then you'll want to fetch the rows and do something like:
while ($row = mysql_fetch_array($query)) {
$encrypted_password = md5(md5($mypassword) . md5($row['salt']));
if ($row['password'] == $encrypted_password) {
$loggedin = true;
}
}

Something along the lines of that, I took all that code from a snippit of Java I have, so the syntax might not be correct. I would find the method that MyBB uses and just copy that over and make changes from there, don't worry about coding your own. You could also use Bob Jansen's way of doing it, you can read about it Here.

Matt

2010-07-02, 09:44 PM
You don't want to use stripslashes, what if someone has a / in their username or password??

Why not just include global.php and then you'll have all the MyBB functions for getting information on a user and seeing if they're logged in??

golith

2010-07-03, 08:38 PM
Thank-you both for your comments. After sleeping on it and writing a short program I found that the password is double encrypted salt with a single encrypted passowrd to get the final solution .. i will in the future be including global.php but for now I need to get basic functionality for my website. im only a newbie with php but have learnt heaps whilst reading the code.

regards
Golith
here is the final solution
does anyone have any extra comments to secure this any further?
<?php
ob_start();

include (db.php);

// username and password sent from form 
$myusername=$_POST['username']; 
$mypassword=$_POST['password'];

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// we have the salt generated at time of registration
// sql query to get from db
$query="SELECT salt FROM $tbl_name WHERE username='$myusername'"; 
$result=mysql_query($query); 
$row = mysql_fetch_assoc($result); 
$salted = $row['salt'];

// then double encrypted salt with single md5 password
$saltedpw = md5(md5($salted).md5($mypassword));

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$saltedpw'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

if($count==1)
{
	session_register('username');
	$_SESSION['username'] = $_POST['username'];
	session_register('authorized');
	$_SESSION['authorized'] = true;

	header("location:login_success.php");
}
else {
	header("location:index.html");
}
ob_end_flush();
?>
MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.4 > MyBB 1.4 General Support > pointing my login script to mybb_users