getting data out of SQL from smf-forum

[Rohan72]

Hi,
On my site I have a login/pasword protect memberarea. The login and password are provide by me and cannot be changed.
Now I want to set up a forum (SMF) in that memberarea. I register the members myself.
I was thinking about linking the login-script and the forum, so the members could sign in with the same password as in the forum. They also could change their password (for both membersarea and forum) in the forum.

The script I use to login works great. Now i tried to change the table name and column-name with those I found for SMF in the SQL-database. Now the script doesn't work anymore.

EDIT: I noticed that the password gets encrypted different by SMF. When i use the standard md5 encryption it gives a completely other result.

Anyone familiar with the SMF-way of encrypting to help me out?

Here is the login-script I use (in the inline comments you can see what I've changed from the original script)

PHP Code:

<?php
ob_start();
$host="localhost"; 
$username="blahblah"; 
$password="blahblah"; 
$db_name="blahblah"; 
$tbl_name="smf_members"; // my tablename used to be here.


mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");


$lid=$_POST['lid']; 
$pasw=$_POST['pasw']; 
 

$pasw_md5=md5($pasw);

session_start();
$_SESSION['lid'] = $lid;
$_SESSION['pasw_en'] = $pasw_md5;
$_SESSION['pasw'] = $pasw;

if (($lid == "bart") and ($pasw == "kaell"))
    header("location:index3.php");
else
$sql="
SELECT memberName, passwd FROM $tbl_name WHERE memberName='$lid' and passwd='$pasw_md5'";
// used to be SELECT * FROM $tbl_name WHERE lid='$lid' and pas_en='$pasw_md5'";

$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){

file "login_success.php"
echo "Beste ", $lid, ", we verbinden u nu door...";
header("location:member.php");
}
else {
            echo "<span id='bainv2'>Verkeerde login en/of paswoord. Probeer opnieuw...</span><br>";    
            echo "<span id='bainv2'>klik op de knop om terug te gaan naar de website</span><br>";
            echo "<br>";    
            echo "<FORM><INPUT type='button' value='www.bluearmyneerpelt.be' onClick='history.back()'></FORM> ";    
    
}

ob_end_flush();
?>

[BLiZZaRD]

Yeah, SMF takes the password and encrypts it with MD5, THEN, it takes the username and places it inside the hash somewhere. THEN it encrypts the whole thing through MD5 again.

Good luck breaking that one. I have tried a few times and I can't get it.

Username: JIMMY
Pass: hello

SMF: hello=Hd896JiKshr + JIMMY = HMd8I9J6YJiKshMr
MD5 again = HSN&*DWjw974hwlkai94237HDhwieLlyud

SMF encryption... ugly....

[Rohan72]

hmm, then I guess the part where it does this should be somewhere in the script. then it could be rewritten to just store the password encrypted....

that means it's time to go through a "few" line of code and see if i can find it anywhere

[BLiZZaRD]

it's somewhere in the scriptS, plural. They have the breakdown over 5 files that I found, and I only got halfway through. I don't know how many there are total.

The best thing to do would be to just use the member tables for the forum, and make everything else work off of that, it would be a lot easier.

[Rohan72]

How about adding a field in the SMF-table that stores the password with just the md5 applied to it?
That way, the forum itself still uses its special encrypted pw and for the membersarea i could get the md5 pw.
Think that should work?

btw, any idea in which script smf writes to the db?

[BLiZZaRD]

You can make that work, yes. The problem is then that they would have to log in twice. Once to your pages and a second time to the forum.

I am not sure what you mean by which write to the DB, almost all of them connect and read/write to it for something or another.

I still think that you should take your log in script and point it to the password tables in SMF and just use those. You could do the same for the member names and then they would only log in once. You could still set it up and control it, but it would only be one log in.

[Rohan72]

Seems like a nice option, but i'm not that good with PHP. I can write small scripts (like sending e-mails, easy login scripts, etc.)

How should i do this then?

It looks to me that i have to take the whole loginscript from SMF and put it into the loginscript for my memberarea.

I would be grateful to get any help on how to do this. I understand how it should work, but actually putting this into script is a bit over my head.

It's 4 a.m. and this whole thing has kept me from sleeping the last few days... looks like i'm heading back to the "good old insomniac days" when i started with HTML (seems like ages ago)

[Rohan72]

Blizzard, are you familiar with the SSI-part of SMF?

I found a way to to include the loginbox from SMF into my homepage and let it redirect to the memberarea of my site.

The problem now is, is that I don't know how to protect the memberarea itself. Now everyone can get in by just typing the url in the adresbar.

Got some other minor problems with login/logout also, but i think i can get those fixed sometime.

[BLiZZaRD]

I try not to dabble in the extra efforts of SMF. I wrote a single mod for it and that took me a long while to complete. Now I just sit back and use it as-is.

but I found this page in their live docs pages. Maybe it will help?

You basically need to check their log in session (are they logged in or not) is_logged is one of them I know, there are others too, and based on those parameters you can allow them to see it or redirect to the log in page.