MrGeneral Posted June 28, 2023

Hey there,

I'm currently trying to build a frontend for WHMCS, instead of doing it via templates, as this doesn't allow exactly to change the look and feel, I'll just build a frontend, entirely separate to the WHMCS setup.

So I'm trying to validate the login, the entered password never matches the stored hash...

What's the stored hash/salt used for users?

The tblclients have: email and password tables, trying to get this working, the hash that's entered never, never matches the one in the DB even though I'm entering it correctly.

Cheers,

MrGeneral (Author) Posted June 28, 2023

Forgot to add, I did try to use cc_encryption_hash as salt... both with bcrypt and sha1, didn't work.

leemahoney3 Posted June 28, 2023

1 hour ago, MrGeneral said:

> Hey there,
>
> I'm currently trying to build a frontend for WHMCS, instead of doing it via templates, as this doesn't allow exactly to change the look and feel, I'll just build a frontend, entirely separate to the WHMCS setup.
>
> So I'm trying to validate the login, the entered password never matches the stored hash...
>
> What's the stored hash/salt used for users?
>
> The tblclients have: email and password tables, trying to get this working, the hash that's entered never, never matches the one in the DB even though I'm entering it correctly.
>
> Cheers,

It uses bcrypt, https://www.php.net/manual/en/function.password-get-info.php

```
array(3) {
  ["algo"]=>
  string(2) "2y"
  ["algoName"]=>
  string(6) "bcrypt"
  ["options"]=>
  array(1) {
    ["cost"]=>
    int(10)
  }
}
```

You can use the password_verify function to verify the password. https://www.php.net/manual/en/function.password-verify.php

MrGeneral (Author) Posted June 29, 2023

15 hours ago, leemahoney3 said:

> It uses bcrypt, https://www.php.net/manual/en/function.password-get-info.php
>
> ```
> array(3) {
>   ["algo"]=>
>   string(2) "2y"
>   ["algoName"]=>
>   string(6) "bcrypt"
>   ["options"]=>
>   array(1) {
>     ["cost"]=>
>     int(10)
>   }
> }
> ```
>
> You can use the password_verify function to verify the password. https://www.php.net/manual/en/function.password-verify.php

I'll give this a try, thank you!

MrGeneral (Author) Posted September 20, 2023

On 6/28/2023 at 7:24 PM, leemahoney3 said:

> It uses bcrypt, https://www.php.net/manual/en/function.password-get-info.php
>
> ```
> array(3) {
>   ["algo"]=>
>   string(2) "2y"
>   ["algoName"]=>
>   string(6) "bcrypt"
>   ["options"]=>
>   array(1) {
>     ["cost"]=>
>     int(10)
>   }
> }
> ```
>
> You can use the password_verify function to verify the password. https://www.php.net/manual/en/function.password-verify.php

So sorry for the delay in visiting your solution. I didn't have time to check.

```
[Wed Sep 20 15:45:30.008534 2023] [proxy_fcgi:error] [pid 20236:tid 140477797701376] [remote ***] AH01071: Got error 'PHP message: Stored password hash: ***PHP message: Hashed entered password: **PHP message: Password check failed for user: ***PHP message: Entered password:***', referer: https://***
```

It never matches, I must be doing something wrong. Any idea?

My authenticate file is the following:

```php
<?php
session_start();

$dbHost = "localhost";
$dbUser = "***";
$dbPassword = "***";
$dbName = "***";

$db = new mysqli($dbHost, $dbUser, $dbPassword, $dbName);

if ($db->connect_error) {
    die("Connection failed: " . $db->connect_error);
}

if (!isset($_POST["email"]) || !isset($_POST["password"])) {
    // Redirect back to login with an error message
    $_SESSION['errorMessage'] = "Please provide both email and password!";
    header("Location: login.php");
    exit();
}

// The email is bound as a statement parameter below, so it is not escaped here;
// escaping it as well would alter values that contain quotes.
$email = $_POST["email"];
$password = $_POST["password"];

$query = $db->prepare("SELECT id, firstname, lastname, password FROM tblclients WHERE email = ?");
$query->bind_param("s", $email);
$query->execute();

$result = $query->get_result();

if ($result->num_rows === 0) {
    // No user with this email address
    $_SESSION['errorMessage'] = "No user found with this email address!";
    header("Location: login.php");
    exit();
}

$row = $result->fetch_assoc();
$storedHashedPassword = $row['password'];

// Print the stored password hash and hashed entered password for debugging.
// password_hash() draws a new random salt on every call, so the second value
// differs from the stored hash even when the password is correct.
error_log("Stored password hash: $storedHashedPassword");
error_log("Hashed entered password: " . password_hash($password, PASSWORD_BCRYPT));

// Use password_verify to check if the provided password matches the stored bcrypt hash
if (password_verify($password, $storedHashedPassword)) {
    // Password matches: issue a fresh session ID before storing the identity
    session_regenerate_id(true);
    $_SESSION['clientName'] = $row['firstname'] . ' ' . $row['lastname'];
    $_SESSION['clientId'] = $row['id'];
    header("Location: welcome.php");
    exit();
} else {
    // Log some additional information for debugging.
    // Debug only: the second line writes the plaintext password to the server log.
    error_log("Password check failed for user: $email");
    error_log("Entered password: $password");

    // Redirect back to login with an error message
    $_SESSION['errorMessage'] = "Invalid login credentials!";
    header("Location: login.php");
    exit();
}
?>
```
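
An added example, not code from any poster in this thread: it shows why a freshly computed `password_hash()` value cannot be compared against a stored bcrypt hash, and how to check that a stored value is still a well-formed hash before blaming `password_verify()`. The helper `diagnoseStoredHash()` and the sample password are hypothetical and constructed for illustration; nothing here reads a WHMCS database.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: list structural problems that stop password_verify()
 * from accepting a stored value (damage from trimming, truncation, re-encoding).
 */
function diagnoseStoredHash(string $stored): array
{
    $problems = [];
    if ($stored !== trim($stored)) {
        $problems[] = 'surrounding whitespace';
    }
    // password_get_info() only reports bcrypt for a complete 60-byte "$2y$" hash.
    if (password_get_info($stored)['algoName'] !== 'bcrypt') {
        $problems[] = 'not a well-formed bcrypt hash (length '
            . strlen($stored) . ', expected 60)';
    }
    return $problems;
}

// Constructed sample data: same password hashed twice with the thread's cost of 10.
$password = 'correct horse battery staple';
$stored   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$fresh    = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Each call embeds a new random salt, so comparing the two strings is meaningless.
echo 'hash strings equal:      ', var_export($stored === $fresh, true), PHP_EOL;

// password_verify() re-derives the hash using the salt and cost stored in its
// second argument, so both hashes accept the same password.
echo 'verify against stored:   ', var_export(password_verify($password, $stored), true), PHP_EOL;
echo 'verify against fresh:    ', var_export(password_verify($password, $fresh), true), PHP_EOL;

// Simulated storage damage: a truncated copy and a copy with a trailing newline.
$truncated = substr($stored, 0, 50);
$padded    = $stored . "\n";
echo 'verify against truncated: ', var_export(password_verify($password, $truncated), true), PHP_EOL;

foreach (['stored' => $stored, 'truncated' => $truncated, 'padded' => $padded] as $name => $hash) {
    $problems = diagnoseStoredHash($hash);
    echo $name, ': ', $problems ? implode('; ', $problems) : 'looks like intact bcrypt', PHP_EOL;
}
```

Running the same structural check on the value read from the database separates "the stored value is not an intact bcrypt hash" from "the password does not match", without writing the plaintext password to a log.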

DennisHermannsen Posted September 21, 2023

Could the ValidateLogin API function do the job for you? https://developers.whmcs.com/api-reference/validatelogin/