Remove Password From Order Form and send Password via Email to clients

[Syed Ans Shah]

hi everyone,

i  am newbie here at WHMCS. i am running WHMCS v7.7 .1

i want to remove password from the Order Form. i have seen post in the whmcs community and i can/have hide password like this:

<input type="hidden" name="address2" style="width:80%;" value="NA" />

or

<input type="hidden" name="password" id="inputNewPassword1" class="field" placeholder="{$LANG.clientareapassword}" value="{$generatedpassword}">

but still the error comes and cannot submit the order.

 

My Use Case is following:

1. i dont want to get password from clients at Order Form. instead i want to email them their generated Password.

2. i have server which is using seperate password to use my services. meaning there are 2 passwords right now. One for WHMCS Client Area that user enters in the order form and Second the service password that i generate and send via email. SO I WANT THESE TWO to be same as Clients get Confused.

 

Please tell me What to do and how to generate automatic ONE password for Both? that is Client Password and Service Password and send it to the client VIA email.

i would be really thankful to you.

[Syed Ans Shah]

23 hours ago, Syed Ans Shah said:

hi everyone,

i  am newbie here at WHMCS. i am running WHMCS v7.7 .1

i want to remove password from the Order Form. i have seen post in the whmcs community and i can/have hide password like this:

<input type="hidden" name="address2" style="width:80%;" value="NA" />

or

<input type="hidden" name="password" id="inputNewPassword1" class="field" placeholder="{$LANG.clientareapassword}" value="{$generatedpassword}">

but still the error comes and cannot submit the order.

 

My Use Case is following:

1. i dont want to get password from clients at Order Form. instead i want to email them their generated Password.

2. i have server which is using seperate password to use my services. meaning there are 2 passwords right now. One for WHMCS Client Area that user enters in the order form and Second the service password that i generate and send via email. SO I WANT THESE TWO to be same as Clients get Confused.

 

Please tell me What to do and how to generate automatic ONE password for Both? that is Client Password and Service Password and send it to the client VIA email.

i would be really thankful to you.

dear @brian! and @WHMCS Lawrence,

i am hoping you guys can help me out in this too.

[Kian]

The {$generatedpassword} in the example you posted needs to be specified with an action hook. That said, you can make passwords equal with PreModuleCreate hook point.

Edited April 25, 2019 by Kian

[Syed Ans Shah]

20 minutes ago, Kian said:

The {$generatedpassword} in the example you posted needs to be specified with an action hook. That said, you can make passwords equal with PreModuleCreate hook point.

i added this hook as well but it says

"Please correct the following errors before continuing: You did not enter a password"

add_hook("PreModuleCreate", 1, function($vars){
   if ($vars['filename']!="cart"){
       return;
   }
   $passwordLength = 10;
   $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
   $charactersLength = strlen($characters);
   $generatedPassword = '';
   for ($i = 0; $i < $passwordLength; $i++) {
       $generatedPassword .= $characters[mt_rand(0, $charactersLength - 1)];
   }  
   return array("generatedpassword" => $generatedPassword);  
});

 

Edited April 25, 2019 by Syed Ans Shah

[steven99]

Try returning "password" instead of generatedpassword . 

[WHMCS Lawrence]

What I would suggest here is using some custom logic like the above posters have mentioned to generate a random password for the client's password, and then use the PreModuleCreate hook point to do the same there too. The only gotcha is that the client's password is always stored using an one way encryption, so it isn't possible to decrypt and use it for that hook point. Also it is generally considered bad for security to use the same password in multiple locations, so I would strongly recommend against doing so. The safest option would be to generate default secure passwords for the client ordering process and then let WHMCS generate the service passwords as needed.

[Syed Ans Shah]

On 4/25/2019 at 11:05 PM, WHMCS Lawrence said:

What I would suggest here is using some custom logic like the above posters have mentioned to generate a random password for the client's password, and then use the PreModuleCreate hook point to do the same there too. The only gotcha is that the client's password is always stored using an one way encryption, so it isn't possible to decrypt and use it for that hook point. Also it is generally considered bad for security to use the same password in multiple locations, so I would strongly recommend against doing so. The safest option would be to generate default secure passwords for the client ordering process and then let WHMCS generate the service passwords as needed.

so you are suggesting that i should only generate the client password and let the whmcs generate the service password. okay that is good option too but problem is again the same that client has 2 password: client password and service password and they get confused which password to enter and where. i am sending the service password via email but can you tell me how to send the generate client password via email. i tried it but it gave me this

[Syed Ans Shah]

so finally i found the solution:

1. hide the password field in checkout.php >>>> /templates/orderforms/[your_cart]/checkout.tpl

 <input type="hidden" name="password" id="inputNewPassword1" class="field" placeholder="{$LANG.clientareapassword}" value="NA">

<input type="hidden" name="password2" id="inputNewPassword2" class="field" placeholder="{$LANG.clientareaconfirmpassword}" value="NA">

 

2. Add hook to change password of service and client

add_hook('PreModuleCreate', 0, function($vars)
    {
        $clientid = $_SESSION['uid'];
        $permitted_chars = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'; //ALLOWED CHARACHTERS
        function generate_string($input, $strength = 16) {
            $input_length = strlen($input);
    $random_string = '';
    for($i = 0; $i < $strength; $i++) {
        $random_character = $input[mt_rand(0, $input_length - 1)];
        $random_string .= $random_character;
    }
    return $random_string;  
}
$random_string = generate_string($permitted_chars, 8);

$command = 'ModuleChangePw';   //TO CHANGE SERVICE PASSWORD
$postData = array(
    'serviceid' => $vars['params']['serviceid'],
    'servicepassword' => $random_string,
);
$results = localAPI($command, $postData);

$command = 'UpdateClient'; //TO CHANGE/UPDATE CLIENT PASSWORD
$postData = array(
      'clientid' => $clientid,
      'password2' => $random_string,
    
);
 $adminUsername = 'YOUR_ADMIN'; //ADD YOUR ADMIN NAME HERE
$resultss = localAPI($command, $postData, $adminUsername);   
        return array(
            'password' => $random_string,
        );  
    }
);

 

 

3. Now the Client and Service password are same. so you can send the EMAIL to user with USERNAME AND SERVICE PASSWORD. which is same as Client password

in this way client doesnt have to remember 2 different password nor client has to get confused which password is used for which purpose.

cheers.

 

 

 

[WHMCS Lawrence]

That should work as expected 🙂

The main reason why I talked about keeping separate passwords is that sharing passwords between multiple logins (in this case their hosting service and the WHMCS client area) is considered a bad security practice and inadvisable. If their hosting service password was compromised somehow, the attacker now has a possible valid password to try on the client area, which they could then use to access it and possibly compromise their other services, domains, etc as well. Separate passwords helps to eliminate such a possibility.