adam.burst.net Posted February 28, 2011

I am attempting to use the Remote API functions to insert an invoice for a client. I have tried over and over again but am having problems getting the Admin user to authenticate properly. When I run through the API call as specified by the API:Example_usage with:

    $username = 'api_user';
    $password = md5('api_pass');

I get authentication errors, but if I copy and paste the hash directly from the database like:

    $username = 'api_user';
    $password = '<DB_PASSWORD_FIELD_VALUE>';

the API call executes without a hitch. I am curious as to why this is happening and what I can do in order to fix it.

jeremyhaber Posted March 1, 2011

That is very odd. What does the md5 hash output? Is it generating the same hash that's in your database? If I were you I would just put the hash from the database directly into the code anyways. This is because if anyone ever gets their hands on this code of yours they only have a hash and not your password and the hash. Seems simply more secure to me.

adam.burst.net Posted March 1, 2011

That is true, but the API user only has API access. So it wouldn't really matter if they got the hash or the password, they could still only use the API. They would never be able to log in. When using the md5() function in PHP, or the md5_hex() function in PERL, it always outputs a 32 character [0-9a-f] string. That string does not match the string stored in the tbladmins.password field. I have no idea why, but it's been driving me nuts for a while now. Unfortunately, storing the hash instead of the password is kind of a pain. I can't really get into details, but it is due to some oversights by a previous employee.

jeremyhaber Posted March 3, 2011

Can you encode some sample data and compare it to the md5 check here: http://www.miraclesalad.com/webtools/md5.php

If the data does not match up, that means something has affected the md5 function on your site.

deathrequest Posted March 3, 2011

This should not be the case, as far as I am aware. Possibly, a wrong password for the user than what you are assuming? Check this question on StackOverflow, and probably, something similar going on here? http://stackoverflow.com/questions/3783347/mysqls-md5-hash-is-incorrect

adam.burst.net Posted March 3, 2011

EUREKA! I have been at this for hours now trying to figure this thing out, and it is due to a problem with special characters. The password that I am using for the API user contains an ampersand (&). When WHMCS creates the user via the admin interface, the & character is likely filtered through 'htmlentities()', and then the MD5 is created. This means:

    <?php
    $password = 'abc&123';
    $escaped_password = htmlentities($password);
    echo md5($password);         // Does not match database hash
    echo md5($escaped_password); // Matches database hash
    ?>

This means that when I construct my API call and I encode the plaintext password 'abc&123' it will not work because the MD5 sum expected by WHMCS is based on the password 'abc&amp;123'. I would assume that this is a bug that would affect every other special character in passwords that would be converted into HTML encoding.
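
The mismatch described in the post above, as an added example that is not part of the original thread and is not WHMCS code. It assumes, as the poster does, that the stored value is the MD5 of the htmlentities() output; the function names, the pinned flags and charset, and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example: the entity-encoding step is the poster's hypothesis,
// not confirmed WHMCS behaviour. All passwords below are constructed samples.

/**
 * Return the MD5 of the raw password and of its htmlentities() form,
 * plus whether the two inputs differ (i.e. the password is affected).
 */
function hash_candidates(string $password): array
{
    // Flags and charset are pinned (an assumption) so the result does not
    // depend on the PHP version's defaults; the thread does not state them.
    $encoded = htmlentities($password, ENT_COMPAT, 'UTF-8');

    return [
        'encoded'     => $encoded,
        'md5_raw'     => md5($password),
        'md5_encoded' => md5($encoded),
        'affected'    => $encoded !== $password,
    ];
}

/** Report which candidate hash, if any, equals the stored value. */
function match_stored_hash(string $password, string $storedHash): string
{
    $c = hash_candidates($password);
    if (hash_equals($storedHash, $c['md5_raw'])) {
        return 'raw';
    }
    if (hash_equals($storedHash, $c['md5_encoded'])) {
        return 'entity-encoded';
    }
    return 'no match';
}

// Constructed samples covering characters that htmlentities() rewrites.
$samples = ['abc123', 'abc&123', 'a<b>c', 'say"hi"', "it's", 'café'];

foreach ($samples as $pw) {
    $c = hash_candidates($pw);
    printf("%-10s -> %-24s %s\n", $pw, $c['encoded'],
        $c['affected'] ? 'hashes differ' : 'hashes identical');
}

// Simulate a stored hash built from the encoded form, as the post describes,
// then identify which form of the plaintext reproduces it.
$stored = md5(htmlentities('abc&123', ENT_COMPAT, 'UTF-8'));
echo match_stored_hash('abc&123', $stored), "\n";
```

Running it against a stored hash shows whether the raw or the entity-encoded form of a password reproduces it, which is the check jeremyhaber asked for earlier in the thread.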