Hi guys

I'm trying to create a login system on my site that uses the login information from my phpBB forum. I'm having trouble retrieving the password hash from the forum database. I'm a bit of a newbie to php so am a bit lost. Thanks in advanced.

<?php

//include functions.php/function.php
include ("functions.php");

//ob
ob_start();

//session
session_start();

$username = addslashes(strip_tags(strtolower($_POST['username'])));
$password = addslashes(strip_tags($_POST['password']));

if (empty($username) == FALSE && empty($password) == FALSE) {

//connect
  $con=mysqli_connect("localhost","client106959","******","EMUAS");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
$find = mysqli_query($con, "SELECT * FROM user WHERE username_clean='$username'"); 
$find_row = mysqli_fetch_array($find);
//grab password
$password_hash = $find_row['user_password'];


echo ($username);
echo ($password);
echo ($password_hash);
}
else{
    echo ('<script type="text/javascript">
 alert("Please Enter a Username and Password");
  </script>');
  header("Location: {$_SERVER['HTTP_REFERER']}");
  }

mysqli_close($con);

?>
Member Avatar for diafol
$find = mysqli_query($con, "SELECT * FROM users WHERE username_clean='$username' LIMIT 1"); 
if($find_row = mysqli_fetch_array($find)){
    //grab password
    $password_hash = $find_row['user_password'];
    echo $password_hash;
}

try that - notice the 'users' instead of 'user' for table name. Also use a LIMIT 1 to halt searching after a hit. The conditional on assignment should avoid having to test the value of $find_row separately.

Ahh thank you so much, works perfectly now. Just one more thing how do I get the alert to show up before the redirect? (line 35-38)

You want to give the user an alert and then redirect him? Why not redirect him and then give him the alert? :)

Member Avatar for diafol

Is the alert "totally necessarily essential"? If not, leave it out. There's nothing more annoying than an alert popup. :(

Well that's not quite true, but you get my drift.

I changed the redirect so it jsut went to the home page. Main reason for the alerts was mainly to say if they made a mistake.

Member Avatar for diafol

Less is sometimes better. A client-side validator on your forms can save a lot of hassle of incorrectly formatted input. Ajax can appear to save the user time (reload and paint page) with incorrect login particulars. You can always format the message to your styling too - not like those horrible browser/system alerts.

Why not use phpBB's own code?

https://www.phpbb.com/kb/article/phpbb3-cross-site-sessions-integration/

Plus...

$username = utf8_normalize_nfc(request_var('user', '', true));
$password = utf8_normalize_nfc(request_var('password', '', true));
$autologin = (!empty($_POST['autologin'])) ? true : false;

$result = $auth->login($username, $password, $autologin);

if ($result['status'] == LOGIN_SUCCESS)
{
    $reason = "Login successful";
}
else
{
    $reasons=array(
        'LOGIN_ERROR_PASSWORD'=>'Wrong password',
        'LOGIN_ERROR_USERNAME'=>'Unknown user',
        'NO_PASSWORD_SUPPLIED'=>'Provide password'
        );
    if(isset($reasons[$result['error_msg']]))$reason=$reasons[$result['error_msg']];
    else $reason=$result['error_msg'];
}
echo $reason;

And remember to set cookie-settings (in forum ACP) to include path where site resides. For example, if site is in example.com, and forum is in example.com/forum, set cookie's domain to /.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.