Current Record: Authenticating_Against_the_PHPBB_Users_table #92

Authenticating Against the PHPBB Users Table

Xataface can authenticate against the PHPBB users table, so your users can log into your Xataface application with the same credentials they use to access your PHPBB message forum. Achieving this level of integration requires 2 simple steps:

  1. Set up the _auth section of your conf.ini file to reference the PHPBB users table and the correct username and password columns.
  2. Specify the correct encryption on the password column. This step will be different for different versions of PHPBB.

PHPBB 2

PHPBB version 2 and lower simply store an MD5 hash in the password column, which Xataface supports natively via the encryption directive of the fields.ini file. Therefore we can set up our Xataface application to authenticate against our PHPBB2 database (assuming that our PHPBB is set up in the same database as our Xataface app) by doing the following:

  1. Set up the [_auth] section of the conf.ini file as follows:
    [_auth]
    users_table = phpbb_users
    username_column = username
    password_column = user_password
  2. Set up the user_password field to use md5 encryption in the tables/phpbb_users/fields.ini file:
    [user_password]
    encryption=md5

That's it! Now you should be able to log into your Xataface application using the username/password from PHPBB.

PHPBB 3

PHPBB version 3 and higher uses a custom hashing function for the password column, so it is a little more complicated (but not that much). Step one (the conf.ini file) is the same as for PHPBB version 2 listed above. The second step, however, requires us to implement a custom serialization for the user_password field. The steps are below:

  1. Set up the [_auth] section of the conf.ini file as follows:
    [_auth]
    users_table = phpbb_users
    username_column = username
    password_column = user_password
  2. Implement the user_password__serialize() method in your phpbb_users delegate class (i.e. the tables/phpbb_users/phpbb_users.php file):
    <?php
    class tables_phpbb_users {
        
    
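        // Hash the submitted password with the cost and salt taken from the
        // hash PHPBB already stores for the user who is logging in.
        function user_password__serialize($password){
            $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
            $username = isset($_POST['UserName']) ? $_POST['UserName'] : '';
            // Escape with the connection-aware function rather than addslashes().
            $sql = "select user_password from phpbb_users where username='".mysql_real_escape_string($username, df_db())."'";
            $res = mysql_query($sql, df_db());
            if ( !$res ) throw new Exception(mysql_error(df_db()));
            $row = mysql_fetch_assoc($res);
            mysql_free_result($res);
            // Unknown user: return the same '*' failure marker that _hash_crypt_private() uses.
            if ( !$row ) return '*';
            $hash = $this->_hash_crypt_private($password, $row['user_password'], $itoa64);
            return $hash;
        }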
        
        
        /**
        * The crypt function/replacement
        */
        function _hash_crypt_private($password, $setting, &$itoa64)
        {
            $output = '*';
        
            // Check for correct hash
            if (substr($setting, 0, 3) != '$H$')
            {
                return $output;
            }
        
            $count_log2 = strpos($itoa64, $setting[3]);
        
            if ($count_log2 < 7 || $count_log2 > 30)
            {
                return $output;
            }
        
            $count = 1 << $count_log2;
            $salt = substr($setting, 4, 8);
        
            if (strlen($salt) != 8)
            {
                return $output;
            }
        
            /**
            * We're kind of forced to use MD5 here since it's the only
            * cryptographic primitive available in all versions of PHP
            * currently in use.  To implement our own low-level crypto
            * in PHP would result in much worse performance and
            * consequently in lower iteration counts and hashes that are
            * quicker to crack (by non-PHP code).
            */
            if (PHP_VERSION >= 5)
            {
                $hash = md5($salt . $password, true);
                do
                {
                    $hash = md5($hash . $password, true);
                }
                while (--$count);
            }
            else
            {
                $hash = pack('H*', md5($salt . $password));
                do
                {
                    $hash = pack('H*', md5($hash . $password));
                }
                while (--$count);
            }
        
            $output = substr($setting, 0, 12);
            $output .= $this->_hash_encode64($hash, 16, $itoa64);
        
            return $output;
        }
        
        /**
        * Encode hash
        */
        function _hash_encode64($input, $count, &$itoa64)
        {
            $output = '';
            $i = 0;
        
            do
            {
                $value = ord($input[$i++]);
                $output .= $itoa64[$value & 0x3f];
        
                if ($i < $count)
                {
                    $value |= ord($input[$i]) << 8;
                }
        
                $output .= $itoa64[($value >> 6) & 0x3f];
        
                if ($i++ >= $count)
                {
                    break;
                }
        
                if ($i < $count)
                {
                    $value |= ord($input[$i]) << 16;
                }
        
                $output .= $itoa64[($value >> 12) & 0x3f];
        
                if ($i++ >= $count)
                {
                    break;
                }
        
                $output .= $itoa64[($value >> 18) & 0x3f];
            }
            while ($i < $count);
        
            return $output;
        }
    
        
    
    }
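
A stand-alone Python cross-check for the delegate class above, added here as an example (it is not part of Xataface or PHPBB): it recomputes a $H$ hash from the cost character and salt embedded in the stored value, compares in constant time, and tells whether a user_password value is in the PHPBB 2 or the PHPBB 3 format. The function names, sample salt and sample password are constructed for illustration.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """Same output as _hash_encode64: 6 bits per character, low-order bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        # 1 byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4 chars
        for shift in range(0, 6 * (len(chunk) + 1), 6):
            out.append(ITOA64[(value >> shift) & 0x3F])
    return "".join(out)

def crypt_private(password: bytes, setting: str) -> str:
    """Recompute a $H$ hash from the cost and salt in `setting`; '*' if it is malformed."""
    cost = ITOA64.find(setting[3]) if len(setting) >= 12 else -1
    if not setting.startswith("$H$") or not 7 <= cost <= 30:
        return "*"
    digest = hashlib.md5(setting[4:12].encode() + password).digest()
    for _ in range(1 << cost):  # the PHP do/while loop runs 2^cost times
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)

def verify(password: str, stored: str) -> bool:
    """Compare the recomputed hash with the stored one in constant time."""
    computed = crypt_private(password.encode("utf-8"), stored)
    return computed != "*" and hmac.compare_digest(computed.encode(), stored.encode())

def classify(stored: str) -> str:
    """Tell which section of this page applies to a user_password value."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return "phpbb2-md5"        # fields.ini: encryption=md5
    if stored.startswith("$H$") and len(stored) == 34 and 7 <= ITOA64.find(stored[3]) <= 30:
        return "phpbb3-portable"   # needs user_password__serialize()
    return "unknown"               # a format this page does not cover

if __name__ == "__main__":
    # Constructed sample: cost character '9' (2^11 rounds) and an 8-character salt.
    stored = crypt_private(b"correct horse", "$H$9abcdefgh")
    print(stored, classify(stored), verify("correct horse", stored))
```

Feeding the same password and stored hash to user_password__serialize() should yield the string crypt_private() returns; a mismatch points at a porting error in the delegate class.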
(c) 2005-2024 All rights reserved