Precise
09-24-2009, 02:59 AM
This is a simple user authentication script I recently put together for a site that I frequent. It allows developers to authenticate user input against a standard vBulletin database. The user input is passed to the PHP file via URL parameters (auth.php?user=x&pass=x). This can easily be modified to work with other types of databases; the hashing of the incoming password value and the use of usergroup IDs are the only things specific to vBulletin. If the user is found, the passwords match, and the user is in one of the designated usergroups, the PHP outputs a 0. If the password check fails, the user is not found, or the user is not in one of the designated usergroups, the PHP outputs a 1. The database variables need to be filled in at the top, and you will need to edit the field names in the SQL queries to use this. Please give me credit as the original author if you are going to use this script.
<?php
/**
VBulletin Subscriber Authentication System
Written By Precise (9/21/09)
auth.php?user=xxxxx&pass=xxxxx
*/
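// The database variable definitions go here
$dbuser = "";
$dbpass = "";
$dbname = "";
$dbtable = "";
$sqlhost = "";
// vBulletin usergroup ids that are allowed to authenticate. They are kept as
// strings because mysql_fetch_row() returns every column as a string. Leave
// the array empty to accept any user whose password matches.
$allowedgroups = array("5", "6", "10", "17");

// The script answers with a single character: "0" on success, "1" on any
// failure. Every failure path produces the same "1" so a caller cannot tell
// an unknown user from a wrong password or a wrong usergroup.
$result = "1";

// Connect to the mysql database so you can query it. Connection or database
// selection failures are no longer hidden with @; they simply yield "1".
$link = mysql_connect($sqlhost, $dbuser, $dbpass);
if ($link && mysql_select_db($dbname, $link))
{
    // Get the url parameters. request_var() reads $_REQUEST, so the password
    // may also be sent in a POST body, which keeps it out of web server
    // access logs; the ?pass=... form in the header comment is logged.
    $userurl = request_var('user', "");
    $passurl = request_var('pass', "");

    // Check to make sure the php was passed a user and pass
    if ($userurl !== "" && $passurl !== "")
    {
        // Only the username is embedded in SQL, so only it is escaped. The
        // password feeds the hash and is never sent to the database; escaping
        // it (as the original did) corrupted any password containing a quote
        // or backslash. Note that request_var() still runs htmlspecialchars()
        // on the value, so a password containing & < > or " is altered before
        // hashing.
        $userin = mysql_real_escape_string($userurl, $link);

        // One query fetches the hash, the salt and the usergroup together
        // instead of three round trips for the same row.
        $query = "SELECT `vbpassword`, `vbsalt`, `vbgroupid` FROM `$dbtable` WHERE `vbusername` = '$userin' LIMIT 1";
        $qdata = mysql_query($query, $link);
        $data = ($qdata !== false) ? mysql_fetch_row($qdata) : false;

        // No row means an unknown user (or a failed query): answer "1".
        if ($data !== false)
        {
            list($userpass, $salt, $substatus) = $data;

            // This is how vbulletin hashes passwords before it saves them
            $hashedpass = md5(md5($passurl) . $salt);

            // Compare the digests as opaque strings. The original used ==,
            // under which two hex digests that both look like "0e<digits>"
            // compare equal as floats (PHP numeric-string juggling), which is
            // a genuine bypass for MD5 hashes. hash_equals() (PHP 5.6+) also
            // runs in constant time; the fallback keeps the strict comparison
            // on older interpreters.
            $match = function_exists('hash_equals')
                ? hash_equals((string) $userpass, $hashedpass)
                : ((string) $userpass === $hashedpass);

            // Check user level: the usergroup must be one of $allowedgroups
            // unless that list is empty.
            $ingroup = (count($allowedgroups) == 0) || in_array((string) $substatus, $allowedgroups, true);

            if ($match && $ingroup)
            {
                $result = "0";
            }
        }
    }
    mysql_close($link);
}

echo $result;
die();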
// Functions to get the request variables from the url parameters
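/**
* set_var
* taken from phpbb 3.0.5 functions.php
* used to set a url parameter variable
*
* Casts $var to $type with settype() and stores it in $result (by reference).
* String values are additionally normalised: "\r\n" and "\r" become "\n",
* HTML special characters are entity-encoded (ENT_COMPAT, UTF-8) and the value
* is trimmed. With $multibyte false, every byte >= 0x80 is replaced by "?";
* with $multibyte true, a value that is not well-formed UTF-8 becomes "".
*
* @param mixed  &$result   receives the converted value
* @param mixed  $var       raw value to convert
* @param string $type      gettype()-style type name accepted by settype()
* @param bool   $multibyte allow well-formed UTF-8 instead of ASCII only
*/
function set_var(&$result, $var, $type, $multibyte = false)
{
    settype($var, $type);
    $result = $var;
    if ($type == 'string')
    {
        $result = trim(htmlspecialchars(str_replace(array("\r\n", "\r"), array("\n", "\n"), $result), ENT_COMPAT, 'UTF-8'));
        // empty() is also true for "0", so that value skips the checks below.
        if (!empty($result))
        {
            // Make sure multibyte characters are wellformed
            if ($multibyte)
            {
                // The u modifier makes preg_match() fail on any invalid UTF-8
                // in the subject, so this validates the whole string.
                if (!preg_match('/^./u', $result))
                {
                    $result = '';
                }
            }
            else
            {
                // no multibyte, allow only ASCII (0-127)
                $result = preg_replace('/[\x80-\xFF]/', '?', $result);
            }
        }
        // phpBB 3.0 defines STRIP from get_magic_quotes_gpc() in common.php;
        // this file never defines it, so the bare constant produced an
        // undefined-constant notice (and the truthy string "STRIP") on PHP 5
        // and an Error on PHP 8. Use STRIP when it exists, otherwise the same
        // magic-quotes test, which is false once magic quotes are gone.
        $strip = defined('STRIP') ? STRIP : (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc());
        $result = $strip ? stripslashes($result) : $result;
    }
}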
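/**
* request_var
* taken from phpbb 3.0.5 functions.php
* used to get a passed url parameter value
*
* Reads $var_name from $_REQUEST and converts it with set_var() to the type
* of $default. A scalar $default fixes the scalar type; an array $default
* describes the expected key and value types through its first element (and,
* for a two-level array, through the first element of that element). A value
* whose shape does not match $default is replaced by $default, or by an empty
* array when $default is an array.
*
* @param string $var_name  request parameter name
* @param mixed  $default   default value; its type drives the conversion
* @param bool   $multibyte passed through to set_var() for string values
* @param bool   $cookie    when false, a cookie of the same name is ignored
*                          and only $_GET/$_POST are consulted
* @return mixed the converted value, or the default when absent or mis-shaped
*/
function request_var($var_name, $default, $multibyte = false, $cookie = false)
{
    if (!$cookie && isset($_COOKIE[$var_name]))
    {
        // A cookie with this name would otherwise shadow the query/post value
        // in $_REQUEST; rebuild the entry from $_POST/$_GET only.
        if (!isset($_GET[$var_name]) && !isset($_POST[$var_name]))
        {
            return (is_array($default)) ? array() : $default;
        }
        $_REQUEST[$var_name] = isset($_POST[$var_name]) ? $_POST[$var_name] : $_GET[$var_name];
    }
    if (!isset($_REQUEST[$var_name]) || (is_array($_REQUEST[$var_name]) && !is_array($default)) || (is_array($default) && !is_array($_REQUEST[$var_name])))
    {
        return (is_array($default)) ? array() : $default;
    }
    $var = $_REQUEST[$var_name];
    if (!is_array($default))
    {
        $type = gettype($default);
    }
    else
    {
        // The key/value types come from the first pair of $default. The
        // original read that pair with each(), which was removed in PHP 8;
        // reset() followed by key()/current() yields the same pair. An empty
        // array gives NULL for both types, exactly as list() = each() did.
        reset($default);
        $key_type = gettype(key($default));
        $type = gettype($default === array() ? null : current($default));
        if ($type == 'array')
        {
            // Two-level array: describe the inner keys/values the same way.
            $default = current($default);
            reset($default);
            $sub_key_type = gettype(key($default));
            $sub_type = gettype($default === array() ? null : current($default));
            $sub_type = ($sub_type == 'array') ? 'NULL' : $sub_type;
        }
    }
    if (is_array($var))
    {
        $_var = $var;
        $var = array();
        foreach ($_var as $k => $v)
        {
            set_var($k, $k, $key_type);
            if ($type == 'array' && is_array($v))
            {
                foreach ($v as $_k => $_v)
                {
                    // Deeper nesting than $default describes is dropped.
                    if (is_array($_v))
                    {
                        $_v = null;
                    }
                    set_var($_k, $_k, $sub_key_type);
                    set_var($var[$k][$_k], $_v, $sub_type, $multibyte);
                }
            }
            else
            {
                // A shape mismatch between the value and $default is nulled
                // out rather than passed through.
                if ($type == 'array' || is_array($v))
                {
                    $v = null;
                }
                set_var($var[$k], $v, $type, $multibyte);
            }
        }
    }
    else
    {
        set_var($var, $var, $type, $multibyte);
    }
    return $var;
}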
?>
<?php
/**
VBulletin Subscriber Authentication System
Written By Precise (9/21/09)
auth.php?user=xxxxx&pass=xxxxx
*/
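// The database variable definitions go here
$dbuser = "";
$dbpass = "";
$dbname = "";
$dbtable = "";
$sqlhost = "";
// vBulletin usergroup ids that are allowed to authenticate. They are kept as
// strings because mysql_fetch_row() returns every column as a string. Leave
// the array empty to accept any user whose password matches.
$allowedgroups = array("5", "6", "10", "17");

// The script answers with a single character: "0" on success, "1" on any
// failure. Every failure path produces the same "1" so a caller cannot tell
// an unknown user from a wrong password or a wrong usergroup.
$result = "1";

// Connect to the mysql database so you can query it. Connection or database
// selection failures are no longer hidden with @; they simply yield "1".
$link = mysql_connect($sqlhost, $dbuser, $dbpass);
if ($link && mysql_select_db($dbname, $link))
{
    // Get the url parameters. request_var() reads $_REQUEST, so the password
    // may also be sent in a POST body, which keeps it out of web server
    // access logs; the ?pass=... form in the header comment is logged.
    $userurl = request_var('user', "");
    $passurl = request_var('pass', "");

    // Check to make sure the php was passed a user and pass
    if ($userurl !== "" && $passurl !== "")
    {
        // Only the username is embedded in SQL, so only it is escaped. The
        // password feeds the hash and is never sent to the database; escaping
        // it (as the original did) corrupted any password containing a quote
        // or backslash. Note that request_var() still runs htmlspecialchars()
        // on the value, so a password containing & < > or " is altered before
        // hashing.
        $userin = mysql_real_escape_string($userurl, $link);

        // One query fetches the hash, the salt and the usergroup together
        // instead of three round trips for the same row.
        $query = "SELECT `vbpassword`, `vbsalt`, `vbgroupid` FROM `$dbtable` WHERE `vbusername` = '$userin' LIMIT 1";
        $qdata = mysql_query($query, $link);
        $data = ($qdata !== false) ? mysql_fetch_row($qdata) : false;

        // No row means an unknown user (or a failed query): answer "1".
        if ($data !== false)
        {
            list($userpass, $salt, $substatus) = $data;

            // This is how vbulletin hashes passwords before it saves them
            $hashedpass = md5(md5($passurl) . $salt);

            // Compare the digests as opaque strings. The original used ==,
            // under which two hex digests that both look like "0e<digits>"
            // compare equal as floats (PHP numeric-string juggling), which is
            // a genuine bypass for MD5 hashes. hash_equals() (PHP 5.6+) also
            // runs in constant time; the fallback keeps the strict comparison
            // on older interpreters.
            $match = function_exists('hash_equals')
                ? hash_equals((string) $userpass, $hashedpass)
                : ((string) $userpass === $hashedpass);

            // Check user level: the usergroup must be one of $allowedgroups
            // unless that list is empty.
            $ingroup = (count($allowedgroups) == 0) || in_array((string) $substatus, $allowedgroups, true);

            if ($match && $ingroup)
            {
                $result = "0";
            }
        }
    }
    mysql_close($link);
}

echo $result;
die();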
// Functions to get the request variables from the url parameters
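/**
* set_var
* taken from phpbb 3.0.5 functions.php
* used to set a url parameter variable
*
* Casts $var to $type with settype() and stores it in $result (by reference).
* String values are additionally normalised: "\r\n" and "\r" become "\n",
* HTML special characters are entity-encoded (ENT_COMPAT, UTF-8) and the value
* is trimmed. With $multibyte false, every byte >= 0x80 is replaced by "?";
* with $multibyte true, a value that is not well-formed UTF-8 becomes "".
*
* @param mixed  &$result   receives the converted value
* @param mixed  $var       raw value to convert
* @param string $type      gettype()-style type name accepted by settype()
* @param bool   $multibyte allow well-formed UTF-8 instead of ASCII only
*/
function set_var(&$result, $var, $type, $multibyte = false)
{
    settype($var, $type);
    $result = $var;
    if ($type == 'string')
    {
        $result = trim(htmlspecialchars(str_replace(array("\r\n", "\r"), array("\n", "\n"), $result), ENT_COMPAT, 'UTF-8'));
        // empty() is also true for "0", so that value skips the checks below.
        if (!empty($result))
        {
            // Make sure multibyte characters are wellformed
            if ($multibyte)
            {
                // The u modifier makes preg_match() fail on any invalid UTF-8
                // in the subject, so this validates the whole string.
                if (!preg_match('/^./u', $result))
                {
                    $result = '';
                }
            }
            else
            {
                // no multibyte, allow only ASCII (0-127)
                $result = preg_replace('/[\x80-\xFF]/', '?', $result);
            }
        }
        // phpBB 3.0 defines STRIP from get_magic_quotes_gpc() in common.php;
        // this file never defines it, so the bare constant produced an
        // undefined-constant notice (and the truthy string "STRIP") on PHP 5
        // and an Error on PHP 8. Use STRIP when it exists, otherwise the same
        // magic-quotes test, which is false once magic quotes are gone.
        $strip = defined('STRIP') ? STRIP : (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc());
        $result = $strip ? stripslashes($result) : $result;
    }
}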
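/**
* request_var
* taken from phpbb 3.0.5 functions.php
* used to get a passed url parameter value
*
* Reads $var_name from $_REQUEST and converts it with set_var() to the type
* of $default. A scalar $default fixes the scalar type; an array $default
* describes the expected key and value types through its first element (and,
* for a two-level array, through the first element of that element). A value
* whose shape does not match $default is replaced by $default, or by an empty
* array when $default is an array.
*
* @param string $var_name  request parameter name
* @param mixed  $default   default value; its type drives the conversion
* @param bool   $multibyte passed through to set_var() for string values
* @param bool   $cookie    when false, a cookie of the same name is ignored
*                          and only $_GET/$_POST are consulted
* @return mixed the converted value, or the default when absent or mis-shaped
*/
function request_var($var_name, $default, $multibyte = false, $cookie = false)
{
    if (!$cookie && isset($_COOKIE[$var_name]))
    {
        // A cookie with this name would otherwise shadow the query/post value
        // in $_REQUEST; rebuild the entry from $_POST/$_GET only.
        if (!isset($_GET[$var_name]) && !isset($_POST[$var_name]))
        {
            return (is_array($default)) ? array() : $default;
        }
        $_REQUEST[$var_name] = isset($_POST[$var_name]) ? $_POST[$var_name] : $_GET[$var_name];
    }
    if (!isset($_REQUEST[$var_name]) || (is_array($_REQUEST[$var_name]) && !is_array($default)) || (is_array($default) && !is_array($_REQUEST[$var_name])))
    {
        return (is_array($default)) ? array() : $default;
    }
    $var = $_REQUEST[$var_name];
    if (!is_array($default))
    {
        $type = gettype($default);
    }
    else
    {
        // The key/value types come from the first pair of $default. The
        // original read that pair with each(), which was removed in PHP 8;
        // reset() followed by key()/current() yields the same pair. An empty
        // array gives NULL for both types, exactly as list() = each() did.
        reset($default);
        $key_type = gettype(key($default));
        $type = gettype($default === array() ? null : current($default));
        if ($type == 'array')
        {
            // Two-level array: describe the inner keys/values the same way.
            $default = current($default);
            reset($default);
            $sub_key_type = gettype(key($default));
            $sub_type = gettype($default === array() ? null : current($default));
            $sub_type = ($sub_type == 'array') ? 'NULL' : $sub_type;
        }
    }
    if (is_array($var))
    {
        $_var = $var;
        $var = array();
        foreach ($_var as $k => $v)
        {
            set_var($k, $k, $key_type);
            if ($type == 'array' && is_array($v))
            {
                foreach ($v as $_k => $_v)
                {
                    // Deeper nesting than $default describes is dropped.
                    if (is_array($_v))
                    {
                        $_v = null;
                    }
                    set_var($_k, $_k, $sub_key_type);
                    set_var($var[$k][$_k], $_v, $sub_type, $multibyte);
                }
            }
            else
            {
                // A shape mismatch between the value and $default is nulled
                // out rather than passed through.
                if ($type == 'array' || is_array($v))
                {
                    $v = null;
                }
                set_var($var[$k], $v, $type, $multibyte);
            }
        }
    }
    else
    {
        set_var($var, $var, $type, $multibyte);
    }
    return $var;
}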
?>