
@roachadam
Created September 8, 2017 03:57
Verifies username/password combo for a MyBB user, and checks if they are in a specific group.
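<?php
/**
 * Verifies a username/password pair against a MyBB users table and checks
 * that the account is in an allowed usergroup.
 *
 * Replies with exactly one plain-text token and exits:
 *   'null'              - a parameter is missing or is not a plain string
 *   'Invalid user.'     - no row for that username
 *   'Invalid password.' - hash mismatch (or the row vanished between queries)
 *   'No subscription'   - credentials are correct but the group is not allowed
 *   'valid'             - credentials are correct and the group is allowed
 *
 * Deployment notes (the reply tokens and the GET interface are kept as-is so
 * existing callers keep working):
 *   - Credentials travel in the query string, so they are written to web
 *     server and proxy access logs. Serve this over TLS only, scrub or
 *     disable query-string logging for this path, and move callers to POST
 *     when they can be changed.
 *   - 'Invalid user.' and 'Invalid password.' are distinguishable, which
 *     tells a caller whether a username exists. Return one generic failure
 *     token once clients no longer depend on the difference.
 *   - Nothing here limits repeated attempts; put rate limiting or lockout in
 *     front of this endpoint.
 *   - The md5(md5(salt).md5(password)) layout is dictated by the hashes the
 *     table already stores. It is a fast hash, so treat any leak of the
 *     table as a leak of the passwords.
 */
require_once('./db.php'); // Your PDO database file; it must define $db

$user = $_GET['username'] ?? null;
$pass = $_GET['password'] ?? null;

// Reject missing values and array-shaped parameters (e.g. username[]=x):
// md5() and the bound query parameter both require plain strings.
if (!is_string($user) || !is_string($pass)) {
    die('null');
}

// TABLENAME = your MyBB users table name (the second query hard-codes
// mybb_users; both must point at the same table).
$usr = $db->prepare('SELECT username FROM TABLENAME WHERE username=:u LIMIT 1');
$usr->execute([':u' => $user]);

// PDOStatement::fetch() returns false when there is no row. The previous
// count($result) call raised a TypeError on PHP 8 in exactly that case, so
// an unknown username produced an error instead of 'Invalid user.'.
if ($usr->fetch(PDO::FETCH_ASSOC) === false) {
    die('Invalid user.');
}

$pw = $db->prepare('SELECT salt,password,usergroup FROM mybb_users WHERE username=:u LIMIT 1');
$pw->execute([':u' => $user]);
$row = $pw->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    die('Invalid password.');
}

// Recompute the stored hash format and compare in constant time.
// The casts keep hash_equals()/md5() from throwing if a column is NULL.
$storedHash   = (string) $row['password'];
$computedHash = md5(md5((string) $row['salt']) . md5($pass));
if (!hash_equals($storedHash, $computedHash)) {
    die('Invalid password.');
}

// Check subscription. Usergroup numbers may vary per installation.
// Only the `usergroup` column selected above is consulted.
$allowedGroups = [8, 4]; // subscriber or admin
if (!in_array((int) $row['usergroup'], $allowedGroups, true)) {
    die('No subscription');
}

die('valid'); // valid mybb user with "subscription" or admin status
?>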