Password Encryption

[trag]

Hey everybody.

 

I'm working on a script to help integrate my WHMCS with my Joomla install.

I already themed my WHMCS properly so that area is all well.

 

The missing key in my application now is checking the user's password.

 

Can anyone tell me what method is used to encrypt passwords which are stored in the WHMCS database (tblclients)? I know it is not MD5.

 

For example:

demo2008 = rSmQp1XMyLmS5H46d7/opnwxeU3UCoGYqIBiiQ==

 

I believe this is the last piece to my puzzle.

 

Thanks for reading!

[openmind]

No idea what the encryption method is but could you not just use the API?

 

http://wiki.whmcs.com/API:Decrypt_Password

[trag]

I guess I don't have much of a choice whether to use the API or not.

 

This is the code I've modified from the WHMCS Wiki.

Domain/User/Pass/HashedPass changed for security, obviously.

 

$url = "http://www.MYDOMAIN.com/order/includes/api.php"; # URL to WHMCS API file

$username = "MY_WHMCS_ADMIN_USER"; # Admin username goes here
$password = "MY_WHMCS_ADMIN_PASS"; # Admin password goes here
$postfields["username"] = $username;
$postfields["password"] = md5($password);

$postfields["action"] = "encryptpassword";
$postfields["password2"] = "demo2008";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 100);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
$data = curl_exec($ch);
curl_close($ch);

$data = explode(";",$data);
foreach ($data AS $temp) {
 $temp = explode("=",$temp);
 $results[$temp[0]] = $temp[1];
}

if ($results["result"]=="success") {
 # Result was OK!
 print_r($results);
} else {
 # An error occured
 echo "The following error occured: ".$results["message"];
}

 

The page will spit out the result:

Array ( [result] => success [password] => MY_HASHED_PASSWORD )

 

Will I have to connect as an Admin every time I run this script?

Not a *huge* problem, but anyways...

When I TRY to run the API script as the user logging in, or if I try to just get the password (say for example the pass is posted data), it gives me Authentication Error.

 

What I want to happen is this:

1. User attempts to login.

2. On fail, report error.

3. On succeed, set MY session variable (since I can't play with ionCube encrypted files If I could just see how WHMCS works with sessions, this entire workaround would be irrelevant. )

4. Once they have been authenticated by MY means, THEN I can post the user's login/pass to the REAL dologin.php in whmcs.

5. Result: They have access to their WHMCS Control panel on my site (Joomla!), and on the 'integrated' WHMCS client area.

 

Forgive my ignorance to the API, this is week 1 for playing with WHMCS.

 

Thanks for your time.