SMF in WordPress

For some reason, while using WordPress and including SMF’s SSI.php, it would not detect my logged in SMF session. Baffled and almost thinking this was a SMF bug of some sorts, I began to debug this process.

Well it turns out it is sorta a SMF old PHP support issue, but the problem lies in WordPress. This is the function in WordPress wp-includes/load.php

 * Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
 * Also forces $_REQUEST to be $_GET + $_POST. If $_SERVER, $_COOKIE,
 * or $_ENV are needed, use those superglobals directly.
 * @access private
 * @since 3.0.0
function wp_magic_quotes() {
        // If already slashed, strip.
        if ( get_magic_quotes_gpc() ) {
                $_GET    = stripslashes_deep( $_GET    );
                $_POST   = stripslashes_deep( $_POST   );
                $_COOKIE = stripslashes_deep( $_COOKIE );
        // Escape with wpdb.
        $_GET    = add_magic_quotes( $_GET    );
        $_POST   = add_magic_quotes( $_POST   );
        $_COOKIE = add_magic_quotes( $_COOKIE );
        $_SERVER = add_magic_quotes( $_SERVER );

        // Force REQUEST to be GET + POST.
        $_REQUEST = array_merge( $_GET, $_POST );

The problem here, is that they add magic quotes to the cookie. Not quite sure why they are even doing this. But it broke adding SMF. The part in SMF which failed because of this is in SMFs Sources/Load.php in the loadUserSettings function

		// Fix a security hole in PHP 4.3.9 and below...
		if (preg_match('~^a:[34]:\{i:0;(i:\d{1,6}|s:[1-8]:"\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\d{1,14};(i:3;i:\d;)?\}$~i', $_COOKIE[$cookiename]) == 1)
			list ($id_member, $password) = @unserialize($_COOKIE[$cookiename]);
			$id_member = !empty($id_member) && strlen($password) > 0 ? (int) $id_member : 0;
			$id_member = 0;

Because of old PHP support in SMF, its trying to combat a cookie security issue that existed below PHP 4.3.9. Now I don’t use that version, but I rather not strip out the code. The preg match was failing because it was not finding that valid string in the cookie. Since all the double quotes where escaped with a slash \.

For my code, I called in Settings.php from SMF and then did a stripslashes on the cookie. Then I included SSI.php, with the results I expected of it finding my active SMF session.

		require_once(pBS::get('smf_dir') . '/Settings.php');
		if (isset($_COOKIE[$cookiename]))
			$_COOKIE[$cookiename] = stripslashes($_COOKIE[$cookiename]);

		require_once(pBS::get('smf_dir') . '/SSI.php');

I should note because SMF uses a lot of global variables, that I had to globalize all of those before hand. I just borrowed the globals from SSI.php and put them into that scripts function.


  1. Can I plly this to smf 1.1 ?

    I’ve try to do this in my wordpress header, and the result was:

    Warning: require_once(/QueryString.php): failed to open stream: No such file or directory in /home/www/ on line 62 Fatal error: require_once(): Failed opening required ‘/QueryString.php’ (include_path=’.:/usr/local/php/lib/php’) in /home/www/ on line 62

    Any ideas?

    • Check your SMF Settings.php file, that usually means that the $sourcedir is missing or isn’t defined. Its also possible the function you are using it in didn’t global $sourcedir.

  2. Thanks a lot man. Great job.

    Same error. My sourcedir isn’t missing and its defined. But if you add this line
    if (isset($_COOKIE[$cookiename]))
    $_COOKIE[$cookiename] = stripslashes($_COOKIE[$cookiename]);
    right after

    require_once(dirname(__FILE__) . ‘/Settings.php’);

    in ssi.php it will work. But now logout doesn’t work.

    • I would assume this would be based on how you generated the session link. I haven’t tested passing login/out data through from WordPress. My code was to get SMF sessions to be recognized while working in a WordPress base

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.