phpbb_login: Make the table prefix configurable.

[matthijs/projects/wipi.git] / conf / auth / phpbb_login.py

diff --git a/conf/auth/phpbb_login.py b/conf/auth/phpbb_login.py
index 0e93517fcec53092fdf227e50a051aec61412b35..dbf343edf3ea00302ec5cbc6cf2428f57f5de903 100644 (file)
--- a/conf/auth/phpbb_login.py
+++ b/conf/auth/phpbb_login.py
@@ -17,7 +17,7 @@ class phpbb_login(BaseAuth):
     logout_possible = True
     login_inputs    = ['username', 'password']
     
-    def __init__(self, name='phpbb', dbhost=None, dbuser=None, dbpass=None, dbname=None, dbport=None, hint=None):
+    def __init__(self, name='phpbb', dbhost=None, dbuser=None, dbpass=None, dbname=None, dbport=None, phpbb_prefix='', hint=None):
         """
             Authenticate using credentials from a phpbb database
 
@@ -30,6 +30,7 @@ class phpbb_login(BaseAuth):
         self.dbpass  = dbpass
         self.dbname  = dbname
         self.dbport  = dbport
+        self.phpbb_prefix = phpbb_prefix
         self.name    = name
         self.hint    = hint
     
@@ -42,9 +43,13 @@ class phpbb_login(BaseAuth):
         if not conn:
             return False
 
-        # Get some data
+        # Get some data. Note that we interpolate the prefix ourselves, since
+        # letting the mysql library do it only works with values (it adds ''
+        # automatically). Note also that this allows possible SQL injection
+        # through the phpbb_prefix variable, but that should be a trusted
+        # value anyway.
         cursor = conn.cursor ()
-        cursor.execute ("SELECT user_password,user_email FROM lex_users WHERE username=%s", username)
+        cursor.execute ("SELECT user_password,user_email FROM `%susers` WHERE username=%%s" % self.phpbb_prefix, username)
 
         # No data? No login.
         if (cursor.rowcount == 0):