Creating a new user registration account via Webhook

Tyrone Shum

Hi,

I am trying to add a new user to a Xenforo 2.0 forum after they have processed their payment information details inside Thrivecart (payment gateway).

I have the following details and I'm able to parse this into Xenforo:
- Email address
- Username

What I'm having a problem with is creating a new random password they can use to log in to their new account, and then sending their username and password via email to the newly registered user.

Can someone help and take a look at the SQL code and see what I'm missing please?

SQL:
<?php
$host = "127.0.0.1";
$user = "xxx";
$pass = "xxx";
$database = "xxx";
$conn = mysqli_connect($host,$user,$pass, $database);
if (!$conn) {
    echo "Error: Unable to connect to MySQL." . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
}

if($_POST){

  $newusername = ucFirst($_POST['customer']['first_name'])."".ucFirst($_POST['customer']['last_name']);
  $newemail = $_POST['customer']['email'];

  $v_query = "SELECT count(*) as count FROM `xf_user` WHERE `email` = '".$newemail."'";

  if($res=mysqli_query($conn, $v_query)){
    $result = mysqli_fetch_assoc($res);
    if($result['count'] > 0){
      die;
    }
  }

  #run query
  $query = "INSERT INTO `xf_user` (`user_id`, `username`, `email`, `custom_title`, `language_id`, `style_id`, `timezone`, `visible`, `activity_visible`, `user_group_id`, `secondary_group_ids`, `display_style_group_id`, `permission_combination_id`, `message_count`, `conversations_unread`, `register_date`, `last_activity`, `trophy_points`, `alerts_unread`, `avatar_date`, `avatar_width`, `avatar_height`, `avatar_highdpi`, `gravatar`, `user_state`, `is_moderator`, `is_admin`, `is_banned`, `like_count`, `warning_points`, `is_staff`, `secret_key`) VALUES (NULL, '".$newusername."', '".$newemail."', '', '1', '0', 'Australia/Sydney', '1', '1', '2', '', '2', '6', '0', '0', '".time()."', '0', '0', '0', '0', '0', '0', '0', '', 'valid', '0', '0', '0', '0', '0', '0', '')";

  mysqli_query($conn, $query);

  $userid = mysqli_insert_id($conn);

  $query2 = "INSERT INTO `xf_user_profile` (`user_id`, `dob_day`, `dob_month`, `dob_year`, `signature`, `website`, `location`, `following`, `ignored`, `avatar_crop_x`, `avatar_crop_y`, `about`, `password_date`) VALUES ('".$userid."', '0', '0', '0', '', '', '', '', 'a:0:{}', '0', '0', '', '0')";

  mysqli_query($conn, $query2);
}
?>

Also if this helps, this was the original code that worked in Xenforo 1.5. But it no longer works and I want to create something similar for Xenforo 2.0:
https://gist.github.com/anonymous/6fe2f36d721da8ccce2cb5c7262c93bb

Many thanks

Hi,

I wanted to give more context as I wasn't clear in my first post...

I am trying to add a new user to a Xenforo 2.0 forum after they have processed their payment information details inside Thrivecart (payment gateway).

I have the following details and I'm able to parse this into Xenforo:
- Email address
- Username

What I'm having a problem with is creating a new random password they can use to log in to their new account, and then sending their username and password via email to the newly registered user.

Can someone help and take a look at the code and see what I'm missing please?

It appears the way the user's password is stored is located in a different table on the database and I don't have a clue how to add it and encrypt it? It's some BLOB link...

PHP:
<?php
$host = "127.0.0.1";
$user = "xxx";
$pass = "xxx";
$database = "xxx";
$conn = mysqli_connect($host,$user,$pass, $database);
if (!$conn) {
    echo "Error: Unable to connect to MySQL." . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
}

if($_POST){

  $newusername = ucFirst($_POST['customer']['first_name'])."".ucFirst($_POST['customer']['last_name']);
  $newemail = $_POST['customer']['email'];

  $v_query = "SELECT count(*) as count FROM `xf_user` WHERE `email` = '".$newemail."'";

  if($res=mysqli_query($conn, $v_query)){
    $result = mysqli_fetch_assoc($res);
    if($result['count'] > 0){
      die;
    }
  }

  #run query
  $query = "INSERT INTO `xf_user` (`user_id`, `username`, `email`, `custom_title`, `language_id`, `style_id`, `timezone`, `visible`, `activity_visible`, `user_group_id`, `secondary_group_ids`, `display_style_group_id`, `permission_combination_id`, `message_count`, `conversations_unread`, `register_date`, `last_activity`, `trophy_points`, `alerts_unread`, `avatar_date`, `avatar_width`, `avatar_height`, `avatar_highdpi`, `gravatar`, `user_state`, `is_moderator`, `is_admin`, `is_banned`, `like_count`, `warning_points`, `is_staff`, `secret_key`) VALUES (NULL, '".$newusername."', '".$newemail."', '', '1', '0', 'Australia/Sydney', '1', '1', '2', '', '2', '6', '0', '0', '".time()."', '0', '0', '0', '0', '0', '0', '0', '', 'valid', '0', '0', '0', '0', '0', '0', '')";

  mysqli_query($conn, $query);

  $userid = mysqli_insert_id($conn);

  $query2 = "INSERT INTO `xf_user_profile` (`user_id`, `dob_day`, `dob_month`, `dob_year`, `signature`, `website`, `location`, `following`, `ignored`, `avatar_crop_x`, `avatar_crop_y`, `about`, `password_date`) VALUES ('".$userid."', '0', '0', '0', '', '', '', '', 'a:0:{}', '0', '0', '', '0')";

  mysqli_query($conn, $query2);
}
?>

Much appreciated and hope someone can help?

Thanks,
 
Initialize XF and use the framework instead. Something like (untested):
PHP:
<?php

// bootstrap framework
$dir = __DIR__;
require($dir . '/src/XF.php');

XF::start($dir);

// create user
/** @var \XF\Service\User\Registration $registration */
$registration = XF::service('XF:User\Registration');
$registration->setFromInput([
    // set values
]);
// validation, etc...
$user = $registration->save();

// log visitor in as new user
$this->session()->changeUser($user);
\XF::setVisitor($user);

/** @var \XF\ControllerPlugin\Login $loginPlugin */
$loginPlugin = $this->plugin('XF:Login');
$loginPlugin->createVisitorRememberKey();

Passing unsanitized input to queries like this is extremely dangerous:
PHP:
$newemail = $_POST['customer']['email'];

$v_query = "SELECT count(*) as count FROM `xf_user` WHERE `email` = '".$newemail."'";
If someone submitted a request to this endpoint with name@example.com'; DROP TABLE `xf_user`;-- as the email, you would lose your user table. (And that's on the more harmless side of things, they could fairly trivially dump your entire database.)
 
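The email lookup from the original script rewritten with a bound parameter, as an added example that is not part of either post and is not XenForo's own code. The function names `webhookEmail` and `emailExists` are hypothetical; the table and column names are the ones used in the script above.

```php
<?php
// Added example: same lookup as the original script, but the email is bound
// as a parameter instead of being concatenated into the SQL string.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // surface DB errors as exceptions

/**
 * Pull the customer email out of the webhook body and validate it.
 * Returns null if the field is missing, not a string, or not an email address.
 */
function webhookEmail(array $post): ?string
{
    $email = $post['customer']['email'] ?? null;
    if (!is_string($email)) {
        return null; // a field sent as customer[email][]=x arrives as an array
    }
    $email = trim($email);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

/** True if xf_user already has a row with this email. */
function emailExists(mysqli $conn, string $email): bool
{
    $stmt = $conn->prepare('SELECT COUNT(*) FROM `xf_user` WHERE `email` = ?');
    $stmt->bind_param('s', $email); // value travels separately from the SQL text
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return $count > 0;
}

// Constructed inputs: the value quoted in the reply above, and a plain address.
var_dump(webhookEmail(['customer' => ['email' => "name@example.com'; DROP TABLE `xf_user`;--"]]));
var_dump(webhookEmail(['customer' => ['email' => 'name@example.com']]));

// In the webhook handler (connection variables as in the original script):
// $conn  = new mysqli($host, $user, $pass, $database);
// $email = webhookEmail($_POST);
// if ($email === null) { http_response_code(400); exit; }
// if (emailExists($conn, $email)) { exit; }
```

Validation is only a first filter: `FILTER_VALIDATE_EMAIL` accepts addresses with an apostrophe in the local part, so the bound parameter is what keeps the value out of the SQL text. The username and both `INSERT` statements in the original script need the same binding.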
Hey, is there also a method to log in through the API and validate the username and password?
 