X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fprojects%2Fwipi.git;a=blobdiff_plain;f=conf%2Fauth%2Fphpbb_login.py;fp=conf%2Fauth%2Fphpbb_login.py;h=dbf343edf3ea00302ec5cbc6cf2428f57f5de903;hp=0e93517fcec53092fdf227e50a051aec61412b35;hb=7c0a007a9220cff51fc3106452631a6ed7b21644;hpb=9eeb02a71ade8e842f54f8b3e91ed5675ea978a3
diff --git a/conf/auth/phpbb_login.py b/conf/auth/phpbb_login.py
index 0e93517..dbf343e 100644
--- a/conf/auth/phpbb_login.py
+++ b/conf/auth/phpbb_login.py
@@ -17,7 +17,7 @@ class phpbb_login(BaseAuth):
 logout_possible = True
 login_inputs = ['username', 'password']
 
- def __init__(self, name='phpbb', dbhost=None, dbuser=None, dbpass=None, dbname=None, dbport=None, hint=None):
+ def __init__(self, name='phpbb', dbhost=None, dbuser=None, dbpass=None, dbname=None, dbport=None, phpbb_prefix='', hint=None):
 """
 Authenticate using credentials from a phpbb database
 
@@ -30,6 +30,7 @@ class phpbb_login(BaseAuth):
 self.dbpass = dbpass
 self.dbname = dbname
 self.dbport = dbport
+ self.phpbb_prefix = phpbb_prefix
 self.name = name
 self.hint = hint
 
@@ -42,9 +43,13 @@ class phpbb_login(BaseAuth):
 if not conn:
 return False
 
- # Get some data
+ # Get some data. Note that we interpolate the prefix ourselves, since
+ # letting the mysql library do it only works with values (it adds ''
+ # automatically). Note also that this allows possible SQL injection
+ # through the phpbb_prefix variable, but that should be a trusted
+ # value anyway.
 cursor = conn.cursor ()
- cursor.execute ("SELECT user_password,user_email FROM lex_users WHERE username=%s", username)
+ cursor.execute ("SELECT user_password,user_email FROM `%susers` WHERE username=%%s" % self.phpbb_prefix, username)
 
 # No data? No login.
 if (cursor.rowcount == 0):
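Review bot: Inserting `phpbb_prefix=''` ahead of `hint` in the `__init__` signature moves `hint` one positional slot later, so a caller that passes `hint` positionally would now set the table prefix instead. Appending the new parameter at the end, `dbport=None, hint=None, phpbb_prefix=''):`, keeps existing call sites working. The default also changes behaviour: the query in the third hunk previously read the hard-coded `lex_users` table, so a configuration that does not pass `phpbb_prefix='lex_'` will now query `users`. The docstring continues outside the hunk and should gain a line for the new argument, e.g. `phpbb_prefix: table prefix of the phpbb installation; trusted, set by the wiki admin only`.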
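Review bot: The new comment above `cursor.execute` concedes that `phpbb_prefix` is spliced into the SQL text, but nothing in the visible code enforces that it is a safe identifier, and the backticks around `%susers` give no protection if the value itself contains a backtick. A `%` in the prefix would also survive the first interpolation and corrupt the format string that the driver then fills with `username`. Validating once in `__init__` covers both cases, e.g. `if not re.match(r'^[A-Za-z0-9_]*$', phpbb_prefix): raise ValueError('invalid phpbb_prefix')`; this needs `import re` if the module does not already have it, as the imports are not visible here. The enclosing method starts and ends outside the hunk.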