Domain field no longer accepts invalid domain

[tasgray]

Hello,

Since updating to V8.0 we have noticed that we can no longer use 'AddOrder' via the API when the domain is invalid. We have been populating the domain with an email address for many of our products and we are hoping to continue this practice.

Interestingly, if we place an order this way the API returns an error yet the order still gets placed. The dilemma here is that we no longer receive an order id in the response, which we need. For now we have worked around it but it would be great if the API returned the order id and a warning, rather than an error.

[yggdrasil]

3 hours ago, tasgray said:

Hello,

Since updating to V8.0 we have noticed that we can no longer use 'AddOrder' via the API when the domain is invalid. We have been populating the domain with an email address for many of our products and we are hoping to continue this practice.

Interestingly, if we place an order this way the API returns an error yet the order still gets placed. The dilemma here is that we no longer receive an order id in the response, which we need. For now we have worked around it but it would be great if the API returned the order id and a warning, rather than an error.

 

 

 

 

 

 

 

 

That was most likely a bug as some people probably expected the opposite, that the API should properly validate the input or fail. Since you are entering something else into that field, then the API is not what you want to use for this. The idea of the API is not to just save data to the database but sanitize and validate. Otherwise it would just be a fancy way to insert SQL queries to WHMCS.

This is what you want. You want a custom hook or code, that instead of using the API call, inserts the order directly to your database. This will need more work on your side but it's the only reasonable way I see to insert other things into a field, like emails into the domain field. I assume you are not doing this from the user side but using it for your own internal purpose? Because if you do, assuming someone is filling a form or something on their side that is executing this, then you will need to make sure it properly validates the input before inserting to the database or you could be open to SQL injection attacks.

I don't think WHMCS will fix this if this was a previous bug. I'm surprised reading this, that it was possible to just insert anything into the domain API order field which kind of defeats the API purpose. And what you described also seems another bug. The API call should fail if a field if missing, not add the order with missing data unless of course that field is optional in the API call.

Edited October 21, 2020 by yggdrasil