Solved: 4 Years, 1 Month, 1 Week ago Access MyBB database user table from my own php script
#1
Hi,

Installed MyBB 1.8.5 in "domain/forum/" directory.
I also have a "domain/server/" directory that contains some scripts.
I have software that communicates with "domain/server/login.php" and, if the login credentials are accepted, it then returns some data to the software.

I have been using a separate user table for login authentication, but after installing MyBB, I wanted to use the same username/password as the forum for the program, so:

// Request body: JSON object with "username" and "password" fields
$data = json_decode($_POST['user_data']);
$username = $data->{'username'};
$password = $data->{'password'}; // md5 encoded password

$query = "SELECT username, salt, password, acc_t FROM MyBBprefix_users WHERE username = '$username';";
/* I went cheeky and added some additional columns into the MyBB user table too; acc_t is one of them and I hope it won't cause me trouble in the long run */

$r = mysqli_query($db_connection, $query);

if($r ==  TRUE){
	$user = mysqli_fetch_assoc($r);
	$encrypted_password = md5(md5($user['salt']). $password); //$password is MD5 encoded
	if(($user["password"] == $encrypted_password) && ($user['username'] == $username)){
		$data = "";//some data according to acc_t 
		
	} else {
		$data = "";//some data for guest
	}
}

echo json_encode($data);
mysqli_free_result($r);
mysqli_close($db_connection);

Thing is, this script works fine. But I am not good at PHP and I fear SQL injections and whatnot.
So, I was thinking that MyBB's built-in login routine will be safer than anything I could ever write, and if I somehow manage to use it, it will save me lots of headaches validating user input.

I want to use MyBB's login function from within "domain/server/login.php". If login is successful, I want to receive SELECT * FROM MyBBprefix_users WHERE username == $data ->{'username'};

Hope I made sense.

Thanks in advance.
#2
Why not let MyBB handle its own stuff like login, verification, database and everything else that belongs to it?

You can access it and/or interact with it in your custom scripts like this:

<?php
// this is custom script 

// will connect to our MyBB
define("IN_MYBB", 1);
define('THIS_SCRIPT', 'mytestscript.php');
require_once "../forum/global.php";

// will even implement our own hooks for mybb that can be used by plugins
$plugins->run_hooks("mycustomscript_begin_stuff");

// and do our stuff
// for example, let's see if the user is logged in
if ($mybb->user['uid'] > 0) {
    // if he is, let's see his nickname
    echo "loged in user name : ".$mybb->user['username'];
    // want to see what else is available about this user? try die(print_r($mybb->user));
} else {
    // he's a guest; we may redirect him to the login screen
    redirect ($mybb->settings['bburl']."/member.php?action=login");
}

// and again how about a custom hook
$plugins->run_hooks("mycustomscript_end_stuff");


You can also use all MyBB objects, functions and stuff here.
So, answering your post title "how to access MyBB database user table from my own php script", you could do:

	$query = $db->query('
			SELECT * FROM '.TABLE_PREFIX.'users
			WHERE uid = '.intval($mybb->user["uid"]).'
		');
#3
Thanks avril for your answer. I used the following statement:


$username = "testuser"; //test account
   $query = $db->query('
            SELECT * FROM '.TABLE_PREFIX.'users
            WHERE username = '.$db->escape_string($username).'
        ');

and received the following error:

Quote: MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
1054 - Unknown column 'testuser' in 'where clause'
Query:
SELECT * FROM bb_prefix_users WHERE username = testuser


Any ideas?
#4
$username must be in double quotes I think, and I don't believe it is necessary to escape it

$username = "testuser"; //test account
   $query = $db->query('
            SELECT * FROM '.TABLE_PREFIX.'users
            WHERE username = "'.$username.'"
            ');
Regards, Ad Bakker (NL)
#5
Thank you Ad Bakker (and avril),
I successfully retrieved the data from the user table :)

Just one last thing I want to confirm: $username and $password are received from the user, so is it wise to use $username directly in the query without sanitizing?

   $query = $db->query('
            SELECT * FROM '.TABLE_PREFIX.'users
            WHERE username = "'.$username.'"
            LIMIT 1');

or 

   $query = $db->query('
            SELECT * FROM '.TABLE_PREFIX.'users
            WHERE username = "'.$db->escape_string($username).'"
            LIMIT 1');


Yes, I've seen you saying that it's not necessary to escape it... just want to make sure, call me paranoid :P
#6
(09-03-2015, 08:06 AM)rahat Wrote: Yes, I've seen you saying that it's not necessary to escape it... just want to make sure, call me paranoid :P
It's a good habit to make sure that something is what it should be instead of assuming, especially when it comes to security.
I could even say it's a must, which should be a habit.
Reply
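The login check from post #1 with the thread's concerns applied, as an added example that is not code from any poster or from MyBB: the username is passed as a bound parameter and the hashes are compared with hash_equals() instead of ==. It assumes the hash formula shown in post #1; the in-memory SQLite table mybb_users, the sample account, and the function names mybb_hash() and check_login() are constructed for illustration so the script runs without a forum database.

```php
<?php
// Added example; not code from the thread or from MyBB.
// Hash formula as written in post #1; $md5Password is the md5 sent by the client.
function mybb_hash(string $salt, string $md5Password): string {
    return md5(md5($salt) . $md5Password);
}

// Returns the non-secret columns on success, null on any failure.
function check_login(PDO $pdo, string $json): ?array {
    $data = json_decode($json, true);
    if (!is_array($data) || !is_string($data['username'] ?? null)
        || !is_string($data['password'] ?? null)) {
        return null; // malformed request body
    }
    // The client-side md5 must look like one: 32 lowercase hex characters.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $data['password'])) {
        return null;
    }
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT username, salt, password, acc_t
                           FROM mybb_users WHERE username = ? LIMIT 1');
    $stmt->execute([$data['username']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null; // no such user
    }
    // hash_equals() compares as strings in constant time; == on two hex
    // strings can compare them as numbers (e.g. "0e1" == "0e2" is true).
    $expected = mybb_hash($user['salt'], $data['password']);
    if (!hash_equals($user['password'], $expected)) {
        return null;
    }
    return ['username' => $user['username'], 'acc_t' => $user['acc_t']];
}

// Constructed stand-in for the forum's user table (hypothetical name and row).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mybb_users
            (username TEXT, salt TEXT, password TEXT, acc_t INTEGER)');
$row = ['testuser', 'aB3dE9xQ', mybb_hash('aB3dE9xQ', md5('sample-pass')), 2];
$pdo->prepare('INSERT INTO mybb_users VALUES (?, ?, ?, ?)')->execute($row);

// Constructed requests: valid login, wrong password, username containing a quote.
foreach ([['testuser', 'sample-pass'], ['testuser', 'other'], ['test"user', 'sample-pass']] as [$u, $p]) {
    $json = json_encode(['username' => $u, 'password' => md5($p)]);
    var_dump(check_login($pdo, $json));
}
```

Only the first request returns a row; the username containing a double quote is looked up as plain data and simply matches nothing, with no SQL error.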
#7
Thanks guys, did I mention the MyBB community is awesome?
Friendly community.
Quick response.
To-the-point guidance.
What else can one ask?