Login API / Injection Safety

[Fr3DBr]

Hi, guys.

 

Is the login API from whmcs, safe to use without sanity checking on user supplied strings ?

[sentq]

it should be

[Fr3DBr]

it should be

 

The "should" in the sentence is what makes me afraid haha.

[sentq]

your question has no guaranteed answer

 

why don't you try to inject it and see what happens

[Fr3DBr]

your question has no guaranteed answer

 

why don't you try to inject it and see what happens

 

I would like to get a reply from whmcs staff, as their documentation doesn't says anything about it anyways.

[sentq]

I would like to get a reply from whmcs staff, as their documentation doesn't says anything about it anyways.

you need to contact them directly, I hope they will not redirect you back to the forum

[WHMCS ChrisD]

Hello Fr3DBr,

 

Whilst yes the login API is safe to use without sanity checking we do not recommending this and encourage you to always sanitise information.

[Fr3DBr]

Hello Fr3DBr,

 

Whilst yes the login API is safe to use without sanity checking we do not recommending this and encourage you to always sanitise information.

 

We do this, although since it interfere a bit with the login procedure, I'd like to know if we can only do not do this when using the Login API, get it ? Everything else is sanitised.