Forked from sharkiller/xf_auth.php
Created January 17, 2014 14:40
Script for XenForo 1.X
Tested with: 1.0.X, 1.1.X
Created by: #SG# Sharkiller
Version: 0.2
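## Variables ##

# Reject all connections except this IP.
# NOTE(review): while this is left empty no client address can equal it, so the
# access check further down then admits HTTPS requests only. Set it to the game
# server's address before deploying.
$remoteip = ""; // Minecraft server IP

# Database info
# NOTE(review): these credentials sit in a web-served script. The queries in
# this file only SELECT from xf_user_authenticate, xf_user_field_value and
# xf_user, so a database account limited to reading those tables is sufficient.
$db_server = '';
$db_user = '';
$db_passwd = '';
$db_name = '';

# Name of the custom field of XenForo where the Minecraft nicknames are stored.
$field = 'MCUSER';

# Minecraft nicks ignored from successful message
$ignore = array("admin1","admin2"); // Admin nicknames ignored from broadcast message on login.

## Messages ##
# Reply texts sent back to the caller, keyed by outcome. The %s slots of
# "login_successful" are filled with the Minecraft nickname and the forum username.
$msg = array(
    "login_successful" => "§8%s §7has logged in. Forum account: §8%s",
    "user_not_exist" => "§6§kasdasd§4 ¿The user exist? §6§kasdasd",
    "player_not_exist" => "§4§kasdas§6 Nick not associated in forum. §4§kasdas",
    "user_banned" => "§6§kasdasd§4 The user is banned. §6§kasdasd",
    "wrong_data" => "§6Fail to read the user data. Contact an admin!",
    "wrong_password" => "§4¡Wrong password! §6 Use §a/login forum-password"
); // the listing never terminated this array literal; closed here so the file parses

// Don't change below this if you don't know //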
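## Security check ##
# A request is refused with 403 unless it carries the three POST fields as
# plain strings and either comes from $remoteip or arrives over HTTPS.
#
# NOTE(review): the HTTPS term means any client that connects over TLS passes
# this check whatever its address, which contradicts the "Reject all connections
# except this IP" setting. TLS protects the password in transit but does not
# identify the caller. If only the game server should reach this script, drop
# the HTTPS term so that the address must always match.
# NOTE(review): behind a reverse proxy REMOTE_ADDR is the proxy's address, not
# the game server's - confirm what the web server reports here.

# Some servers set HTTPS to "off" on plain-HTTP requests, so isset() alone
# would treat those as encrypted.
$is_https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';

if (($_SERVER['REMOTE_ADDR'] !== $remoteip && !$is_https)
    || !isset($_POST['pass'], $_POST['user'], $_POST['action'])
    // user[]=... style parameters arrive as arrays; only strings are accepted
    || !is_string($_POST['pass']) || !is_string($_POST['user']) || !is_string($_POST['action'])) {
    header("HTTP/1.0 403 Forbidden");
    // Stop here: the listing shows no terminating statement after the header,
    // and without one a refused request would still run the login code below.
    exit;
}

$nickname = $_POST['user'];
$password = $_POST['pass'];
$action = $_POST['action'];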
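# Response message
/**
 * Print the reply for the caller and end the script.
 *
 * The first output line is the status word carried by $template ("ERROR" by
 * default, "YES" on a successful login) and the second line is $msg.
 *
 * Callers use this as a failure handler (`prepare(...) or done(...)`), so it
 * must not return; the listing showed no terminating statement, and without
 * one a failed step would fall through to the next. The database connection
 * is not closed explicitly: PHP releases it when the script ends.
 *
 * @param string $msg      Text placed into the %s slot of $template.
 * @param string $template printf() format with one %s placeholder.
 */
function done($msg, $template = "ERROR\n%s"){
    printf($template, $msg);
    exit;
}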
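# Ignore users from successful message.
/**
 * Tell whether a nickname is on the $ignore list from the configuration.
 *
 * The comparison is strict, so only an identical string matches; a non-string
 * value can never be mistaken for a listed nickname through type juggling.
 *
 * @param mixed $nick Nickname to look up.
 * @return bool True when $nick is listed in the global $ignore array.
 */
function ignore($nick){
    global $ignore;
    return in_array($nick, $ignore, true);
}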
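## Only support login for now ##
# login, register, online, offline
# Any other action value is refused with 403.
if ($action !== "login") {
    header("HTTP/1.0 403 Forbidden");
    // Stop here: the listing shows no terminating statement after the header,
    // and without one an unsupported action would still reach the login code.
    exit;
}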
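## Code here ##
# Login flow: map the Minecraft nickname to a forum account, refuse unknown or
# banned accounts, then recompute the stored password hash and compare.
#
# NOTE(review): the listing shows each check below but not what happens when it
# fails. The failure replies used here are the matching keys of $msg; confirm
# them against the original script. `exit` follows every done() call so the
# flow stops even if done() itself returns.

# Init MySQL connection
$mysqli = new mysqli($db_server, $db_user, $db_passwd, $db_name);

# Obtain user data (UserID, DataBlob) from Minecraft Nickname.
# The nickname comes straight from $_POST, so it is bound as a parameter and
# never spliced into the SQL text.
$stmt = $mysqli->prepare("SELECT `data`, `user_id` FROM `xf_user_authenticate` WHERE `user_id` = (SELECT `user_id` FROM `xf_user_field_value` WHERE `field_value` = ? AND `field_id` = ?) LIMIT 1");
if (!$stmt) {
    done('MySQL Error 1');
    exit;
}
$stmt->bind_param('ss', $nickname, $field);
$stmt->execute(); // the listing fetched from the statement without executing it
$stmt->bind_result($data, $user_id);
$success = $stmt->fetch();
$stmt->close(); // release the result before the next statement is prepared

# Check if a user have the nickname associated
if (!$success) {
    done($msg["player_not_exist"]);
    exit;
}

# Obtain user data (Username, Ban Status) from UserID.
$stmt = $mysqli->prepare("SELECT `username`, `is_banned` FROM `xf_user` WHERE `user_id` = ? LIMIT 1");
if (!$stmt) {
    done('MySQL Error 2');
    exit;
}
$stmt->bind_param('i', $user_id);
$stmt->execute();
$stmt->bind_result($username, $is_banned);
$success = $stmt->fetch();
$stmt->close();

# Check if user exist
if (!$success) {
    done($msg["user_not_exist"]);
    exit;
}

# Check if banned
if ((int) $is_banned === 1) {
    done($msg["user_banned"]);
    exit;
}

# Check and read user data blob
# The blob is read with a pattern instead of being unserialized: it must hold
# two quoted 64-character tokens, taken as hash then salt (presumably the order
# in which the forum stores them - confirm). Anything else ends the login.
if (preg_match("/\"([a-z0-9]{64})\".*\"([a-z0-9]{64})\"/", $data, $matches) !== 1) {
    done($msg["wrong_data"]);
    exit;
}

# Hashing password for XenForo
$hashforo = $matches[1];
$salt = $matches[2];
$hashpass = hash("sha256", hash("sha256", $password).$salt);

# Wrong password
# hash_equals() (PHP 5.6+) compares in constant time and as strings, so the
# result does not depend on loose-comparison type juggling or on how many
# leading characters match.
# NOTE(review): nothing in this listing limits repeated attempts per nickname;
# the access check at the top of the script is the only barrier, so keep it
# strict or throttle requests at the web server.
if (!hash_equals($hashforo, $hashpass)) {
    done($msg["wrong_password"]);
    exit;
}

# Login Successful
# Nicknames on the $ignore list get an empty message (presumably the reason for
# the empty default in the listing - confirm). sprintf() builds the text;
# printf() would echo it immediately and hand its length to done().
$message = "";
if (!ignore($nickname)) {
    $message = sprintf($msg["login_successful"], $nickname, $username);
}
done($message, "YES\n%s");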