  1. #1
    New to the CF scene
    Join Date
    Sep 2009
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    User Authentication Script For vBulletin

    This is a simple user authentication script I recently put together for a site that I frequent. It allows developers to authorize user input against a standard vBulletin database. The user input is passed to the PHP file via URL parameters (auth.php?user=x&pass=x). This can easily be modified to work with other types of databases. The hashing of the incoming password value and the use of user group ids are the only things specific to vBulletin. If the user is found, the passwords match, and the user is in the designated usergroup, the PHP will output a 0. If the pass fails, the user is not found, or the user is not in one of the designated usergroups, the PHP will output a 1. The database variables need to be filled in at the top and you will need to edit the field names in the SQL queries to use this. Please give me credit as the original author if you are going to use this script.

    PHP Code:
    <?php
    /**
    VBulletin Subscriber Authentication System
    Written By Precise (9/21/09)
    auth.php?user=xxxxx&pass=xxxxx
    */
    // The database variable definitions go here
    $dbuser = "";
    $dbpass = "";
    $dbname = "";
    $dbtable = "";
    $sqlhost = "";
    // STRIP comes from phpBB (true when magic quotes are on). It is not defined
    // in this standalone file, so define it here for set_var() below.
    if (!defined('STRIP')) {
        define('STRIP', function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc());
    }
    // Connect to the mysql database so you can query it
    mysql_connect($sqlhost, $dbuser, $dbpass);
    @mysql_select_db($dbname);
    //Get the url parameters and then sql escape them to prevent sql injections
    $userurl = request_var('user', "");
    $passurl = request_var('pass', "");
    $userin = mysql_real_escape_string($userurl);
    $passin = mysql_real_escape_string($passurl);
    // Check to make sure the php was passed a user and pass
    if ($userin == "") {
        echo "1";
        mysql_close();
        die();
    }
    if ($passin == "") {
        echo "1";
        mysql_close();
        die();
    }
    // Query to pull out the hashed password from the table
    $query = "SELECT `vbpassword` FROM `$dbtable` WHERE `vbusername` = \"$userin\"";
    $qdata = mysql_query($query);
    $data = mysql_fetch_row($qdata);
    $userpass = $data[0];
    // Query to pull out the salt value for the given user
    $query = "SELECT `vbsalt` FROM `$dbtable` WHERE `vbusername` = \"$userin\"";
    $qdata = mysql_query($query);
    $data = mysql_fetch_row($qdata);
    $salt = $data[0];
    // This is how vbulletin hashes passwords before it saves them
    $hashedpass = MD5(MD5($passin) . $salt);
    // If the pass matches the one in the db the php outputs 0, otherwise it outputs 1
    //echo("<html><body>indata:$userin/$passin<br>dbpass:$userpass<br>salt:$salt<br>hash:$hashedpass</html></body>");
    // Strict comparison, so two numeric-looking hash strings are never compared as numbers
    if ($userpass === $hashedpass) {
        $query = "SELECT `vbgroupid` FROM `$dbtable` WHERE `vbusername` = \"$userin\"";
        $qdata = mysql_query($query);
        $data = mysql_fetch_row($qdata);
        $substatus = $data[0];
        // Check user level, remove the if and just echo 0 to skip
        if ($substatus == "5" || $substatus == "6" || $substatus == "10" || $substatus == "17") { echo "0"; }
        else { echo "1"; }
    }
    else { echo "1"; }
    mysql_close();
    die();
    // Functions to get the request variables from the url parameters
    /**
    * set_var
    * taken from phpbb 3.0.5 functions.php
    * used to set a url parameter variable
    */
    function set_var(&$result, $var, $type, $multibyte = false)
    {
        settype($var, $type);
        $result = $var;
        if ($type == 'string')
        {
            $result = trim(htmlspecialchars(str_replace(array("\r\n", "\r"), array("\n", "\n"), $result), ENT_COMPAT, 'UTF-8'));
            if (!empty($result))
            {
                // Make sure multibyte characters are wellformed
                if ($multibyte)
                {
                    if (!preg_match('/^./u', $result))
                    {
                        $result = '';
                    }
                }
                else
                {
                    // no multibyte, allow only ASCII (0-127)
                    $result = preg_replace('/[\x80-\xFF]/', '?', $result);
                }
            }
            $result = (STRIP) ? stripslashes($result) : $result;
        }
    }
    /**
    * request_var
    * taken from phpbb 3.0.5 functions.php
    * used to get a passed url parameter value
    */
    function request_var($var_name, $default, $multibyte = false, $cookie = false)
    {
        if (!$cookie && isset($_COOKIE[$var_name]))
        {
            if (!isset($_GET[$var_name]) && !isset($_POST[$var_name]))
            {
                return (is_array($default)) ? array() : $default;
            }
            $_REQUEST[$var_name] = isset($_POST[$var_name]) ? $_POST[$var_name] : $_GET[$var_name];
        }
        if (!isset($_REQUEST[$var_name]) || (is_array($_REQUEST[$var_name]) && !is_array($default)) || (is_array($default) && !is_array($_REQUEST[$var_name])))
        {
            return (is_array($default)) ? array() : $default;
        }
        $var = $_REQUEST[$var_name];
        if (!is_array($default))
        {
            $type = gettype($default);
        }
        else
        {
            list($key_type, $type) = each($default);
            $type = gettype($type);
            $key_type = gettype($key_type);
            if ($type == 'array')
            {
                reset($default);
                $default = current($default);
                list($sub_key_type, $sub_type) = each($default);
                $sub_type = gettype($sub_type);
                $sub_type = ($sub_type == 'array') ? 'NULL' : $sub_type;
                $sub_key_type = gettype($sub_key_type);
            }
        }
        if (is_array($var))
        {
            $_var = $var;
            $var = array();

            foreach ($_var as $k => $v)
            {
                set_var($k, $k, $key_type);
                if ($type == 'array' && is_array($v))
                {
                    foreach ($v as $_k => $_v)
                    {
                        if (is_array($_v))
                        {
                            $_v = null;
                        }
                        set_var($_k, $_k, $sub_key_type);
                        set_var($var[$k][$_k], $_v, $sub_type, $multibyte);
                    }
                }
                else
                {
                    if ($type == 'array' || is_array($v))
                    {
                        $v = null;
                    }
                    set_var($var[$k], $v, $type, $multibyte);
                }
            }
        }
        else
        {
            set_var($var, $var, $type, $multibyte);
        }
        return $var;
    }
    ?>
    Last edited by Precise; 09-24-2009 at 03:22 AM.
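
An added example, not part of the original post or the poster's code: the same 0/1 decision made with one parameterized PDO query and a constant-time hash comparison, with the credentials passed as function arguments (in a deployment they would be read from a POST body, because query strings are written to web-server access logs). The `vb_user` table, the in-memory SQLite database and the sample rows are assumptions constructed for the demo; the column names, group ids and hash construction are the ones given in the post above.

```php
<?php
// Added example, not the original poster's code. The SQLite table vb_user and
// its rows are constructed for the demo; column names follow the post.

function vb_hash(string $password, string $salt): string
{
    // Construction as stated in the post: md5(md5(password) . salt)
    return md5(md5($password) . $salt);
}

function authenticate(PDO $db, string $user, string $pass, array $groups): string
{
    if ($user === '' || $pass === '') {
        return '1';
    }
    // One parameterized query: the input never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT vbpassword, vbsalt, vbgroupid FROM vb_user WHERE vbusername = ?'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '1'; // user not found
    }
    // hash_equals() compares in constant time and, unlike ==, never treats
    // two numeric-looking digests as equal numbers.
    $ok = hash_equals((string) $row['vbpassword'], vb_hash($pass, (string) $row['vbsalt']));
    return ($ok && in_array((int) $row['vbgroupid'], $groups, true)) ? '0' : '1';
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vb_user (vbusername TEXT, vbpassword TEXT, vbsalt TEXT, vbgroupid INTEGER)');
$ins = $db->prepare('INSERT INTO vb_user VALUES (?, ?, ?, ?)');
$ins->execute(['alice', vb_hash('correct horse', 'aB3'), 'aB3', 6]);
$ins->execute(['bob', vb_hash('hunter2', 'xYz'), 'xYz', 2]);
$ins->execute(['o"brien', vb_hash('pw', 'q1'), 'q1', 5]);
$groups = [5, 6, 10, 17]; // group ids used in the post
$cases = [
    ['alice', 'correct horse'],  // right password, allowed group
    ['alice', 'wrong'],          // wrong password
    ['bob', 'hunter2'],          // right password, group not allowed
    ['o"brien', 'pw'],           // quote in the name is handled as data
    ['nobody', 'pw'],            // unknown user
];
foreach ($cases as [$u, $p]) {
    echo $u, ' => ', authenticate($db, $u, $p, $groups), "\n";
}
```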

  • #2
    New to the CF scene
    Join Date
    Nov 2009
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hey Precise! This is almost exactly what I needed!

    Quick question. I'm trying to get this to work for an external site to authenticate my users when they input their username and password.

    What is the full url that I would enter as the authenticating url?

    Is it a GET or a POST request?

    What should I set my username & password field variables to?

    One more odd thing. This API is looking for a response of 1 for successful login, and 0 for a failed login. It looks like your script returns the opposite. What can I change to fix that?

  • #3
    New to the CF scene
    Join Date
    Nov 2009
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I'm also getting an error when I try to send it a parameter.

    Code:
    <br />
    <b>Warning</b>:  mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/controlbooth.com/httpdocs/forums/ea.php</b> on line <b>35</b><br />
    <br />
    <b>Warning</b>:  mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/controlbooth.com/httpdocs/forums/ea.php</b> on line <b>40</b><br />
    0"

  • #4
    New to the CF scene
    Join Date
    Sep 2009
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote (originally posted by dvsDave):
    What is the full url that I would enter as the authenticating url? Is it a GET or a POST request?
    It's a GET request with URL parameters. You would enter the site URL, the name of the PHP file (auth.php in the example), and the parameters like this: http://www.site.com/auth.php?user=ohi&pass=hi


    Quote (originally posted by dvsDave):
    What should I set my username & password field variables to?
    You set the database variables to their corresponding values; username is the database username and password is the database password value.


    Quote (originally posted by dvsDave):
    One more odd thing. This API is looking for a response of 1 for successful login, and 0 for a failed login. It looks like your script returns the opposite. What can I change to fix that?
    Change:
    Code:
    echo "1";  ->  echo "0";
    and:
    Code:
    echo "0";  -> echo "1";
    Last edited by Precise; 11-13-2009 at 06:00 PM.

