0

I have two servers: A where WP is installed on one, and B where it's not. Application run on B is trying to use WP credentials for login. I have a login form on server B:

<h1>Login</h1>
<div>
<form class="forma" id="form" 
    action="login.php" method="POST">
  <div class="form-group">
    <label>Username</label>
        <input class="form-control" type="text" name="username" />
        <label>Password</label>
        <input class="form-control" type="text" name="password" />
  </div>
  <button class="submit btn btn-success" type="submit" name="login" value="Login">Login</button>
</form>

</div>
<?php
if (isset($_POST["login"])) {
    $params = array('username' => $_POST["username"], 'password' => $_POST["password"]);

$url = 'http://xxx/custom_login.php?' . http_build_query($params);
$curl_handle=curl_init();
    curl_setopt($curl_handle, CURLOPT_URL,$url);
    curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 2);
    curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl_handle, CURLOPT_NOBODY, false);
    $query = curl_exec($curl_handle);
    curl_close($curl_handle);

    if ($query==1) {
        $_SESSION['loggedin'] = true;
        header ("location: index.php");
    }
    else {
        echo "error";
    }
}

?>

Now, on server A, there is a custom_login.php script:

<?php 
    require('wp-blog-header.php'); 
?>

<?php

$uid=$_GET["username"];
$pwd=$_GET["password"];

$user = wp_authenticate( $uid, $pwd );

if ( is_wp_error( $user ) ) {
    return 0;
}
else {
    return 1;
}

?>

No matter what I try to type, I don't get logged in, meaning my $query never gets to be 1. How do I get the return value with curl? Because this is clearly not working.

ivanacorovic
  • 2,669
  • 4
  • 30
  • 46

1 Answers1

0

custom_login.php is not returning any output. You can test this by going to example.com/custom_login.php?username=theUsername&password=thePassword.

You can change this by simply echoing what you want to use:

if ( is_wp_error( $user ) ) {
    echo 0;
    return;
}
else {
    echo 1;
    return;
}

Edit: As @unknown pointed out you generally don't want sensitive information in GET, also since the page performs an action you'd be better using POST.

Jim
  • 22,354
  • 6
  • 52
  • 80
  • 1
    Are you aware of hijacking..? Don't pass passwords or usernames directly in url... – Bruce Jun 16 '15 at 08:50
  • @Unknown You're right, I was working with the code the poster provided, I'll add a note advising using POST. – Jim Jun 16 '15 at 08:51
  • Thanks, @Jim, that answered my original question. And how should I pass username and password then? – ivanacorovic Jun 16 '15 at 08:54
  • 1
    @ivanacorovic You can get curl to POST the username/password instead. See here: http://stackoverflow.com/q/2138527/505722. `custom_login.php` can then use `$_POST`. – Jim Jun 16 '15 at 08:59
  • `curl_setopt($curl_handle, CURLOPT_POST, 1);` `curl_setopt($curl_handle, CURLOPT_POSTFIELDS, http_build_query(array('username'=> $_POST["username"], 'password'=>$_POST["password"])));` worked. Thanks – ivanacorovic Jun 16 '15 at 11:18