phpbb3 to vb3.8 password importing

[peterska2]

ok, still having problems here, so open to a fresh set of eyes and maybe some more ideas.

My login.php file has had the following added to it

Code:

// added for phpbb3 login

$username = $vbulletin->GPC['vb_login_username'];

$getimporteduserid = $vbulletin->db->query_first("SELECT importuserid FROM " . TABLE_PREFIX . "user WHERE username = '" . $username . "' LIMIT 1;");

$checkforimportedpw = $vbulletin->db->query_first("SELECT user_password FROM phpbb_users WHERE user_id = '" . $getimporteduserid['importuserid'] . "' LIMIT 1;");

if ($getimporteduserid['importuserid'] != '0')
{
echo ($vbulletin->GPC['vb_login_username']);
echo("<br />phpbb password: ");
echo ($checkforimportedpw['user_password']);

//if ($checkforimportedpw == '')
//{
	// we need to divert to phpbb login by checking pw against the phpbb data and inserting this into the vbulletin record on successfull verification
	
	// add some phpbb code to do let us check the password
	
	include('./phpBB3Auth/controller.php');
	echo("<br />");
	echo ("Checking for imported PW");
	echo ("<br />");
//	echo ($vbulletin->GPC['vb_login_password']);
	echo("<br />");
	
	$ptpassword = $vbulletin->GPC['vb_login_password'];
	$phpBB3id = $getimporteduserid['importuserid'];
	
//	echo($vbulletin->GPC['vb_login_md5password']);
	
}	

/*
}
else
{
	// we can use vbulletin's login, so ignore all the above code!
	
}
*/
// end added code

This has been added after

Code:

	// can the user login?
	$strikes = verify_strike_status($vbulletin->GPC['vb_login_username']);

	if ($vbulletin->GPC['vb_login_username'] == '')
	{
		eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
	}

Then I have two included files:

phpBB3Auth/controller.php with the contents

Code:

<?php
//
// main php file for vBulletin authentication against old phpBB3 database
// (c) Hay Bouten - 2010
// (c) kerry schwab - 2010
//
error_reporting(E_ALL & ~E_NOTICE);
define('THIS_SCRIPT', 'controller.php');
// some basic requirements
require_once('./global.php');
require_once(DIR . '/includes/functions_login.php');
//require_once(DIR . '/phpBB3Auth/phpBB3config.inc.php');
// 13-06-2010 Hay Mod - Add some phpBB3 functions library
require_once(DIR . '/phpBB3Auth/phpBB3_functions.php');

global $vbulletin;
//
// if login form is admin or moderator login, don't use phpBB3 authentication
//
if(($vbulletin->GPC['logintype'] == "cplogin") || ($vbulletin->GPC['logintype'] == "modcplogin")) {
    return;
}
//
// get the username and password they typed into the form
//
$username=$vbulletin->GPC['vb_login_username'];
$password=$vbulletin->GPC['vb_login_password'];
$phpBB3DbPrefix = 'phpbb_';
//
// if there is no password submitted, return to vBulletin's auth
//
if ($password == '') {
    return;
}
//
// General flow:
// 1. We check if there's an 'importid' attribute for the username.
// 2. If there's not one, we return control to vBulletin to log them in.
// 3. If there is one, then we:       
//    a. auth against the old IPB database
//    b. if the auth worked, we sync their password, then
//       remove the 'importid' attribute from their vB user profile.
//       That means next time, they skip all of this via #1 and #2.
//    c. if the auth fails, we just return control to vBulletin
//       so that they can try again.
//

// create a user DM object 
// fetch the userinfo for the username they typed in
//  and load it into the user DM object
$userdata =& datamanager_init('User', $vbulletin, ERRTYPE_ARRAY);
$userid=fetch_userid_from_username($username);
if (!$userid) {
   // can't find this username in the vB user database
   return;
}
$userinfo=fetch_userinfo($userid);
$userdata->set_existing($userinfo);
  
// grab the old phpBB3id from the vB user table
// the vB 'impex' import utility created that field when
// converting from phpBB3
$phpBB3id=$userinfo['importuserid'];
echo("<br />phpBB3id = " . $phpBB3id . "<br />");
//

function phpBB3_auth($phpBB3id,$ptpassword) {
/*    require(DIR . '/phpBB3Auth/phpBB3config.inc.php');
    // $ptpassword is the plain text password they typed in
    $conn = mysql_connect($phpBB3DbHost,$phpBB3DbUser,$phpBB3DbPass);
    if (!$conn) {
        die("Unable to connect to DB: " . mysql_error());
    }
    if (!mysql_select_db($phpBB3DbName)) {
        die("Unable to select db $phpBB3DbName: " . mysql_error());
    }
    */
    $sql = sprintf("SELECT user_password, PWD_Synced FROM %susers
                      WHERE user_id = '%s'",
                    $phpBB3DbPrefix,mysql_real_escape_string($phpBB3id));

    $result = mysql_query($sql);
    if (!$result) {
        return FALSE;
    }
    $rows=mysql_num_rows($result); 
    if ($rows != 1) {
        // they either aren't in the old phpBB3 database, or they
        // are in there more than once. Either way, return FALSE
        echo("No phpbb record. <br />");
        return FALSE;
    }
    $user = mysql_fetch_assoc($result);
    mysql_free_result($result);
  //
  // See if the password was synced before.
  //
  $pwd_synced=$user['PWD_Synced'];
  if ($pwd_synced==1) {
        return FALSE;
    }

  //
  // now we use phpbb_check_hash() on the plaintext password that the user typed in, 
  // and compare it to the password hash in the phpBB3 database 
  //
    $storedpw=$user['user_password'];
    if (phpbb_check_hash($ptpassword,$storedpw)) {
        // they gave the right password !
        echo("Password Correct! <br />");
        return TRUE;
    } else {
    	echo("Password incorrect. <br />");
        return FALSE;
    } 
}


// try to auth the password they typed in against the
// old phpBB3 user table
//
if(phpBB3_auth($phpBB3id,$password)) {
    // the password they typed in matches the one in the old
    // phpBB3 table, so set their vB password to the one they typed in
    $userdata->set('password',$password);
    $userdata->pre_save();
    if (!empty($userdata->errors)) {
      // something went wrong...bail out back to vB's authentication
      foreach ($userdata->errors as $error ) {
      	echo($error);
      	echo("<br />");
         // you could log these errors here if you had trouble
      }
      return;
    } else {
      $userdata->save();
      // this changes the password in the old phpBB3 table to
      // 'SYNCED' so we don't bother syncing it again
      // uncomment to fix this later
      mark_phpBB3_synced($phpBB3id);
    }
    // return control to vB's auth, which will be able to log
    // them in now that the old phpBB3 password is synced to vB
    return;
} else {
    // the password they typed in didn't match what was in the 
    // old phpBB3 table, so just pass them up to vB to be authed 
    // there
    echo("Password did not match phpbb table. <br />");
    return;
}

//
// 
//
function mark_phpBB3_synced($phpBB3id) { 
/*    require(DIR . '/phpBB3Auth/phpBB3config.inc.php');
    $conn = mysql_connect($phpBB3DbHost,$phpBB3DbUser,$phpBB3DbPass);
    if (!$conn) {
        die("Unable to connect to DB: " . mysql_error());
    }
    if (!mysql_select_db($phpBB3DbName)) {
        die("Unable to select db $phpBB3DbName: " . mysql_error());
    }
    */
    $sql = sprintf("UPDATE %susers 
                    SET PWD_Synced ='1'
                    WHERE user_id='%s'
                    ",
                    $phpBB3DbPrefix, $phpBB3id);
    $result = mysql_query($sql);
}
//
// fetch_userid_from_username. function borrowed
// from some admincp code in vBulletin
//
function fetch_userid_from_username($username) {
        global $vbulletin;
        if ($user = 
            $vbulletin->db->query_first("SELECT userid 
                 FROM " . TABLE_PREFIX . "user WHERE username = '" . 
                 $vbulletin->db->escape_string(trim($username)) . "'")) {
                return $user['userid'];
        }
        else {
                return false;
        }
}
?>

and phpBB3Auth/phpbb3_functions.php with the contents

Code:

<?php
/**
* Some copied phpBB3 functions to get the password check done.
*
*/

/**
* Check for correct password
*
* @param string $password The password in plain text
* @param string $hash The stored password hash
*
* @return bool Returns true if the password is correct, false if not.
*/
function phpbb_check_hash($password, $hash)
{
	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
	if (strlen($hash) == 34)
	{
		return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
	}
	return (md5($password) === $hash) ? true : false;
}

/**
* Encode hash
*/
function _hash_encode64($input, $count, &$itoa64)
{
	$output = '';
	$i = 0;

	do
	{
		$value = ord($input[$i++]);
		$output .= $itoa64[$value & 0x3f];

		if ($i < $count)
		{
			$value |= ord($input[$i]) << 8;
		}

		$output .= $itoa64[($value >> 6) & 0x3f];

		if ($i++ >= $count)
		{
			break;
		}

		if ($i < $count)
		{
			$value |= ord($input[$i]) << 16;
		}

		$output .= $itoa64[($value >> 12) & 0x3f];

		if ($i++ >= $count)
		{
			break;
		}

		$output .= $itoa64[($value >> 18) & 0x3f];
	}
	while ($i < $count);

	return $output;
}


/**
* The crypt function/replacement
*/
function _hash_crypt_private($password, $setting, &$itoa64)
{
	$output = '*';

	// Check for correct hash
	if (substr($setting, 0, 3) != '$H$')
	{
		return $output;
	}
	$count_log2 = strpos($itoa64, $setting[3]);

	if ($count_log2 < 7 || $count_log2 > 30)
	{
		return $output;
	}
	$count = 1 << $count_log2;
	$salt = substr($setting, 4, 8);

	if (strlen($salt) != 8)
	{
		return $output;
	}
	/**
	* We're kind of forced to use MD5 here since it's the only
	* cryptographic primitive available in all versions of PHP
	* currently in use.  To implement our own low-level crypto
	* in PHP would result in much worse performance and
	* consequently in lower iteration counts and hashes that are
	* quicker to crack (by non-PHP code).
	*/
	if (PHP_VERSION >= 5)
	{
		$hash = md5($salt . $password, true);
		do
		{
			$hash = md5($hash . $password, true);
		}
		while (--$count);
	}
	else
	{
		$hash = pack('H*', md5($salt . $password));
		do
		{
			$hash = pack('H*', md5($hash . $password));
		}
		while (--$count);
	}

	$output = substr($setting, 0, 12);
	$output .= _hash_encode64($hash, 16, $itoa64);

	return $output;
}
?>

The phpbb3config.inc.php file is not required as the phpbb tables and vb tables are in the same database, so references to that file have been commented out as second database connections are not required.

When attempting to log in with an imported user, the following is output from the echos

Attachment 141976

with the following normal error message
Attachment 141977

For some reason, despite lots of echos in the code to try and get more info as to what is happening and why it is failing, I'm not getting anywhere quick and just banging my head against the nearest wall (which the computer is also being threatened to be launched at!). It is probably something fairly simple, but it is starting to do my head in, and I can't give up as otherwise I am doomed to be stuck with phpbb3 forever as password resets are not an option as I explained in the first post.

I am open to any more pointers, suggestions, glaringly obvious errors being corrected, or otherwise.

Just for info too, this is a 3.8.3 site (installed wrong version, but anything that works on 3.8.3 should work on 3.8.7 too). vB4 is not an option (expired licenses) at this time, and renewing to upgrade will only happen if the issues are solved and the users are also happy, otherwise it is an expense that cannot be warranted. I think I might have access to 4.1 but not 100% sure, plus the fact that my vb4 access, is for forum only and blogs are being considered for the site which requires 3.8.x

oh, and obviously DISABLE_PASSWORD_CLEARING has been set in config.php too as otherwise it has no chance of working.