You're right I probably borrowed a couple lines of PunBB code for that - GPL is fine w/ me too. I was just trying to say that I really didn't care what people did with the code as before I never really gave permission for someone to use it.

2

(13 replies, posted in PunBB 1.2 show off)

Rickard wrote:

Nice job. Are you going to integrate the "look and feel" of the rest of the site into the forums? Shouldn't be too much problems.

Finally got around to integrating the "look and feel" for the 1.0 release of musikCube. It got to the front page of digg so some nice traffic this weekend (which is why I assume this thread got suddenly bumped from over a year ago).

http://digg.com/software/musikCube_1_0_Final_Released

Some nice improvements to musikCube also, check it out.

I will post a documented version some time soon. All the above code is licensed under modified BSD.

Here is the code I wrote for use at musikcube.com and lynbrooksd.net to synchronize & link authentication. There are hacks to the forum to redirect login & registration links also. Although this code is probably not directly applicable anywhere, this should give some quick insight to those looking to integrate PunBB.


Licensed under new BSD:

<?php
/**
 * 2005 Project Musik.
 * Authored by Rajiv Makhijani.
 *
 * Musik-Site Component File
 *  - 3rd Party User Integration -> PUNBB
 * 
 */

/** 
 * PUNBB Login
 *
 * @author Rajiv Makhijani <rajiv@lynbrooksd.net>
 * @package musiksite
 * @version 0.1
 * @lastupdated 9 April 2005
 * @access public
 * @copyright Rajiv Makhijani.
 *
 */
class Login_PUNBB
{
    
    function Login_PUNBB()
    {
        global $DB;
        define('PUNBB_CK', "fadfc7a5");
    }
    
    function doLogin($nick)
    {
        $this->doLogout();
        global $DB;
        $nick = addslashes(trim($nick));
                
        // Get PunBB user id.
        // Exact match instead of LIKE: '%' and '_' in $nick would otherwise act as wildcards.
        $query = "SELECT `id`, `password`, `save_pass` FROM punbb_users WHERE `username` = '$nick'";
        $result = $DB->sqlQuery($query);
        if ($result == false) { return false; }
        $result = $DB->getNextRow($result);
        if (!isset($result['id'])) { return false; }
        $userid = $result['id'];
        $passhash = $result['password'];
        
        // setcookie() expects an integer expiry; 0 means a session cookie.
        $expire = ($result['save_pass'] == '1') ? time() + 31536000 : 0;
        setcookie('punbb_cookie', serialize(array($userid, md5(PUNBB_CK . $passhash))), $expire);
        
        return true;
    }
     
    function doLogout()
    {
        global $DB;
        
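        // The cookie is client-controlled: tolerate a missing or malformed value
        // and force the user id to an integer before it is used in SQL below.
        // The value uses the serialized array format set in doLogin().
        $puncookie = isset($_COOKIE['punbb_cookie']) ? $_COOKIE['punbb_cookie'] : '';
        $cookie = @unserialize($puncookie);
        $userid = (is_array($cookie) && isset($cookie[0])) ? intval($cookie[0]) : 0;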
        
        //serialize(array(1, md5(PUNBB_CK.$password_hash)))
        setcookie('punbb_cookie', "", 31536000, "/");
        
        // Remove user from "users online" list.
        $query = "DELETE FROM punbb_online WHERE user_id='$userid'";
        $result = $DB->sqlQuery($query);
        if ($result == false) { return false; }

        // Update last_visit (make sure there's something to update it with)
        $ctime = time();
        $query = "UPDATE punbb_users SET last_visit=$ctime WHERE id='$userid'";
        $result = $DB->sqlQuery($query);
        if ($result == false) { return false; }
        
        return true;
    }
    
    function setEmail($nick, $email)
    {
        global $DB;
        
        $nick = addslashes($nick);
        $email = addslashes($email);
        
        $query = "UPDATE punbb_users SET email = '$email' WHERE username = '$nick'";
        
        $result = $DB->sqlQuery($query);
        if (!$result) { return false; }
        
        return true;
    }
    
    function setPassword($nick, $password)
    {
        global $DB;
        global $member;
        
        $nick = addslashes($nick);
        $password = $member->hashPassword($password);
        
        $query = "UPDATE punbb_users SET password = '$password' WHERE username = '$nick'";
        
        $result = $DB->sqlQuery($query);
        if (!$result) { return false; }
        
        return true;
    }
    
    function setRealName($nick, $realname)
    {
        global $DB;
        
        $nick = addslashes($nick);
        $realname = addslashes($realname);
        
        $query = "UPDATE punbb_users SET realname = '$realname' WHERE username = '$nick'";
        
        $result = $DB->sqlQuery($query);
        if (!$result) { return false; }
        
        return true;
    }
    
    function addUser($nick, $email, $password, $realname = "")
    {
        
        global $DB;
        global $member;
        
        $nick = addslashes($nick);
        $email = addslashes($email);
        $password = $member->hashPassword($password);
        $realname = addslashes($realname);
        
        $ctime = time();
        
        // Add User to User Table        
        $query = "INSERT INTO punbb_users
          (username, group_id, realname, password, email, email_setting, save_pass,
        timezone, language, style, registered, registration_ip, last_visit)
        VALUES
          ('$nick', '4', '$realname', '$password', '$email', '1', '1',
        '0', 'English', '', '$ctime', '0.0.0.0', '$ctime')";
        
        $result = $DB->sqlQuery($query);
        if (!$result) { return false; }
        
        $userid = $DB->getInsertID();
        
        return true;

    }
}
?>

5

(13 replies, posted in PunBB 1.2 show off)

Ataxy: actually I can't claim the credit of making musikCube, Casey Langen is the author of that amazing piece of software.  I just offered to make/run the website for him.

Paul: I think those messages were from when we were using phpBB, but I needed to figure that out anyways, Thanks!

-Rajiv

6

(13 replies, posted in PunBB 1.2 show off)

www.musikcube.com

I just got PunBB up and running with login integrated with the rest of the website.  Refreshing in comparison with the problematic phpBB we had running before.  Other than a couple initial problems, it was a smooth transition.  Thanks for making such a great forum software!

Plug:
musikCube is much more than an "mp3 player," it is a music "library." musikCube currently supports mp3, ogg, flac, and cd audio file formats. It also features an integrated cd ripper helping you take control of your music from the start. musikCube tries to stay as intuitive and attractive as possible without degrading the performance of your computer. We believe very strongly that your mp3 player should NOT exist only to be eye candy, but be a functional, cohesive part of your operating system. musikCube is the vanilla audio player for windows.

musikCube features include:

    * very low memory footprint
    * clean and intuitive user interface
    * blazing fast navigation
    * fully drag and drop compatible
    * powerful batch tagging
    * an integrated cross fader
    * an integrated cd ripper
    * dynamic playlists

7

(2 replies, posted in PunBB 1.2 troubleshooting)

thanks!

Hey,

I just moved from phpBB to PunBB, and I'm experiencing an odd issue.  The forum is randomly showing Guest posts multiple times.  Sometimes the same post shows up 2 or 3 times.  However, there is only one of the posts in the DB.  This appears to be some sort of display issue.  The forum is at http://musikcube.com/forums .  Any help is welcome.

Thanks,
Rajiv

Rickard requested some info on the MD5/other one way hash challenge system I suggested.... sorry for the delay, but here's a brief overview:

This is basically how a MD5 challenge works:

1) Server sends client (prints it in the JavaScript/hidden form field) a random challenge value and stores it in session
2) User enters password on this page which has the random server challenge value
3) When user submits form, client JavaScript hashes the challenge value with the password and submits it
4) Since the server has the challenge value stored in the session it can hash the stored user pass w/ the challenge value and see if it matches the submitted hash

If the password stored on the server is hashed, it may require a double hash on the client's side.

Basically this prevents someone who intercepts the hash over the network from reusing it to authenticate w/ the server since the challenge value will be different every time.

edit: if the client does not have JavaScript support you can make it optional; it will only put that one user at a slightly higher risk and not affect the general security
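
The four steps above, including the double hash for a server that stores only md5(password), as an added example that is not part of the original post. It simulates both sides in one Node.js process; every function name, the in-memory session store and the sample user are assumptions made for illustration.

```javascript
// Added example: MD5 challenge handshake, client and server in one process.
// All function and variable names are hypothetical.
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample data: the server stores md5(password), never the password.
const users = new Map([['rajiv', md5('correct horse')]]);
const sessions = new Map(); // sessionId -> outstanding challenge

// Step 1: server issues a random challenge and remembers it in the session.
function issueChallenge(sessionId) {
  const challenge = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, challenge);
  return challenge;
}

// Steps 2-3: client side. Double hash, because the server only has md5(password).
function clientResponse(challenge, password) {
  return md5(challenge + md5(password));
}

// Step 4: server recomputes the expected value from the stored hash.
function verifyResponse(sessionId, username, response) {
  const challenge = sessions.get(sessionId);
  sessions.delete(sessionId); // single use, so a captured response cannot be replayed
  const stored = users.get(username);
  if (!challenge || !stored || typeof response !== 'string') return false;
  const expected = Buffer.from(md5(challenge + stored), 'hex');
  const got = Buffer.from(response, 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

function demo() {
  const c1 = issueChallenge('s1');
  const r1 = clientResponse(c1, 'correct horse');
  const first = verifyResponse('s1', 'rajiv', r1);      // valid login
  const replaySame = verifyResponse('s1', 'rajiv', r1); // challenge already consumed
  issueChallenge('s1');
  const replayNew = verifyResponse('s1', 'rajiv', r1);  // old response, new challenge
  const c2 = issueChallenge('s1');
  const wrong = verifyResponse('s1', 'rajiv', clientResponse(c2, 'guess'));
  return { first, replaySame, replayNew, wrong };
}

console.log(demo());
```

With a stored hash, md5(password) is itself the secret the client proves knowledge of, so a copy of the users table is enough to answer challenges. The handshake only stops a passively captured response from being reused.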

Just sending over the md5 is bad, you should use a MD5 challenge handshake system.  I had written an implementation in JS a while back.  I'm pretty sure Yahoo mail uses this method also.  If you need some help w/ this email me.

11

(26 replies, posted in Feature requests)

doing a md5(md5 actually reduces security because it increases the number of collisions.  as alternatively suggested, salting the password works much better.  one method to use is md5("unique_site_code" . $member_id . $password . $username);. something like that would be much harder to brute force assuming they have DB access.