Checking VB Password Outside the Forum

[tsptom]

I have another area of my website that requires a login and sometimes members use a different password for this login than the one they use in the forum. This is probably frustrating for them as they try to remember which PW goes where.

I would like to be able to have them log into this other area using the PW they set up OR their forum PW if it is different.

I'm not sure exactly how this would be done but maybe something along these lines?

Quote:

SELECT *
FROM mytable m
where m.username= '". $_POST['username'] ."' and
(m.password='" . $_POST['Password'] . "' OR
'" . $_POST['Password'] . "' =
(SELECT md5(CONCAT(md5(v.password, salt)))
FROM user v
WHERE v.username = '". $_POST['username'] ."'))

I know it's wrong so whatever you can add would be appreciated.

Thanks

[kh99]

Well, to check if a username, password combination is valid in the vbulletin database, you'd do something like:

Code:

if ($entered_password == md5(md5($password) . $salt))
{
   // valid password
}

where $entered_password is the password that was entered, and $password and $salt are the fields from the vbulletin user table where the 'username' column equals the entered username. (I hope that makes sense).

I don't know how to write the code for you because I don't know the context of where you're trying to put it. But if I were doing it I'd probably do a couple 'SELECTS" to get the information I needed from the database, then write php to check (as opposed to doing it all in one sql statement, although that may be possible).

Also I wanted to mention that if you do write something like you posted above, don't use fields from $_POST[] directly in a query string because you don't know what they might contain. At the least, you should use mysql_real_escape_string() (or the equivalent if you're not using the mysql_* functions) to make sure any special characters are escaped.

[tsptom]

Thanks, I will try that.