Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


string last won the day on December 16 2021

string had the most liked content!

Community Reputation

34 Excellent

About string

  • Rank

Recent Profile Visitors

6499 profile views
  1. I know this doesn't help you, but because there are critical bugs in practically every major WHMCS release, you should at least wait until the first patch to update. But yeah, someone with a lot of courage has to take the first step. 🤷‍♂️ Unfortunately there is a good chance that the cause of this problem is not up to you and can only be fixed by a hotfix. If I were you, I would first make sure that the new files has been uploaded correctly (esp. the file "pop.php") and if it does not solve the issue and the WHMCS support can't help either, restore the backup of the previous WHMCS version (if the import functionality is mission critical for you). As more and more data changes in the database over time (new orders, etc.), I would hurry with the recovery decision.
  2. This idea is a good example of security through obscurity. If you want to protect yourself from unwanted changes in files, a HIDS should be installed, such as OSSEC. A HIDS can detect filesystem changes, take actions and send notifications. However, a complex HIDS also requires some administration and configuration. If this is too demanding, you can also write a simple shell script that checks the hash values of the existing data and also checks whether new data has been added. Otherwise I find it a good practice to have the WHMCS directory in a version control system like Git. This not only allows you to see what customizations you have made (helpful when performing updates), but it also allows you to see all the changes in the WHMCS directory.
  3. It is unlikely that the error reporting settings have any effect on whether ModSecurity blocks something or not. error reporting has no effect on the request / response, except that if there is an error in the response, the error is included. The problem with the OWASP ruleset is that they are quite restrictive. From my experience, even with widely used applications like WordPress. The solution to your problem is to either customize the rules in question, or disable them for the affected domain or URL. If you disable them, you should check if it is an important rule. If changing the rulesets is an option, I would recommend Atomicorp. The rules are really well maintained and the price is ok. Atomicorp also offers a free version of their rules, but not all rules are included and the free ruleset is not updated that often: https://atomicorp.com/atomic-modsecurity-rules/
  4. I have made this script for importing products: That should give you a good sample which you can rewrite. Regarding adding clients, I wouldn't recommend a manual CSV import via phpMyAdmin, because you need to import data not only in tblclients, but also in tblusers. And you can't set the password via a MySQL import. Use the AddClient API instead.
  5. Great work 🙂 pRieStaKos is right, the type should be checked. The problem is, for example, if the invoice line is about a domain and the domain ID matches with an ID in tblhosting, a wrong value will be inserted. And I have 2 general suggestions: Use type casting for integers. Some servers still uses old mysqlnd drivers, which returns everything as string, even if the column is a integer. However, because of the "if ($dedicatedIP === '') return;" check it doesn't matter in this case. I would trim the $dedicatedIP variable. While WHMCS automatically trims the IP field in newer versions, this was not the case in older versions and I think it is always a good idea to trim fields if it makes sense. And one never know what WHMCS admins do manually in the database. Whitespaces are conceivable.
  6. The AfterModuleCreate hook could be used too. It returns all relevant data. And there is also AfterModuleTerminate, which can be used to remove the tags from AC when the service is terminated. For domains, you can use PreDomainRegister / PreDomainTransfer. However, there is no hook that is executed when a domain has expired or transferred out. I guess it would be the best to do it via a cronjob, also because manual status changes are not captured at "AfterModuleTerminate", as the terminate module function is not triggered and a combination of serveral hooks would be necessary. A cronjob would ensure that the data in AC is always correct.
  7. Unfortunately there are multiple issues in the code. And it's unsafe, i will quote myself regarding mysql_real_escape_string: I have rewritten this hook for you: <?php use WHMCS\Service\Service; add_hook('AdminClientServicesTabFields', 1, function($vars) { try { $getService = Service::findOrFail($vars['id']); } catch (Exception $e) { return; } $getPassword = localAPI('DecryptPassword', ['password2' => $getService['password'] ]); if ($getPassword['result'] !== 'success') { return; } $username = $getService['username']; $password = $getPassword['password']; $domain = $getService['domain']; if (empty(trim($domain))) { $domain = $getService->serverModel['hostname']; } echo " <script> jQuery(document).ready(function() { jQuery('#inputPassword').closest('tr').after(` <tr> <td class='fieldlabel' width='20%'>Live Site FTP URL</td> <td class='fieldarea'>{$username} {$password} and so on</td> </tr> <tr> <td class='fieldlabel' width='20%'>Server FTP URL</td> <td class='fieldarea'>{$username} {$password} and so on</td> </tr> `); }); </script> asdfasdfsafs "; }); You just need to update the output according to your needs 🙂
  8. I agree with steven99 regarding the mail logs and would just like to add: This can be prevented by increasing the priority of the hook, e.g. replacing "1" with "999". And if the sending of a mail is cancelled by a hook, it will be noted in the WHMCS Activity Log as well.
  9. EncryptPassword / DecryptPassword does not work with user passwords, these passwords are stored as one-way hashes in the database. These hashes can not be decrypted. And EncryptPassword can not be used to set a user password. Passwords like the SMTP password are stored using a two-way encryption, because WHMCS must be able to get the real password to login to the SMTP server.
  10. I'm sorry if you felt offended by my comment, that was not my intention and I think we all agree that contributions are welcome. I just want to point out that throwing around not-working code doesn't help anyone. Especially with a user who is obviously not as experienced in PHP as you are. He wouldn't even know how to execute a raw SQL query, that is the reason for my previous comment. A 2 page topic of untested code and "try this, try that" (IMHO) makes the thread confusing and if someone else faces the same problem, they would have to take each "fix" one by one until they end up with the right code. Therefore I agree with you that it is better to wait with the answer until you are not busy with other work. That distracts from the work anyway 😜 I also wish you happy holidays.
  11. Yes, that will definitely help him 🙄 Alright, simple: https://pastebin.com/eBZ2r294 (I couldn't paste the code into the community, the firewall of WHMCS blocks my request) This will give you back the "Server Location" configurable option value, if a value exist. I used the Hook "ClientAreaHeaderOutput" so you can see the result directly at the client area. Don't do that on your public WHMCS installation. You can use the same code to show the value of "Server Location" on the WHMCS homepage. Let me know if you need assistance to get the product name.
  12. It's nice that you share a solution to your own question 🙂 I want to note: This update query is insecure and makes you vulnerable to SQL injections. I cannot say to which extent this can actually be exploited (because "On ... wrote:" must be at the end), but it is an avoidable security risk as mysql_real_escape_string does not protect against all kinds of SQL injections. And mysql_real_escape_string has been removed from recent PHP versions. As far i know, WHMCS has rebuilt this function so it still works, but they may remove it in a later version. Instead i suggest to update the row as follow: Capsule::table('tblticketreplies')->where('id', $vars['replyid'])->update([ 'message' => $message ]); No escaping is required, from the docs: About the regex: I would have concerns about false positives. It might be a good idea to require that the next line must contain the character ">" and that the number of characters between "On" and "wrote:" must not exceed XX chars.
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated