Closed aminmahdi closed 8 years ago
Thank you for the report!
Hint: use prepared statements (even if you should be able to assume the Session is safe, just do it always).
Meaning instead of:
$user = get_query_val('tbladmins', 'username', "id = ".$_SESSION['adminid']);
do:
$user = get_query_val('tblclients', 'email', array("id" => $_SESSION['uid']));
I have corrected the content shown in the Authenticator app: the first line is the company, and at the bottom of the code is your user name.
$user = get_query_val('tblclients', 'email', "id = ".$_SESSION['uid']);
$company = get_query_val('tblconfiguration', 'value', "setting = 'CompanyName'");
QRcode::png('otpauth://totp/' . $user . '?issuer=' . urlencode($company) . '&secret=' . $_GET['secret']);

$user = get_query_val('tbladmins', 'username', "id = ".$_SESSION['adminid']);
$company = get_query_val('tblconfiguration', 'value', "setting = 'CompanyName'");
QRcode::png('otpauth://totp/' . $user . '?issuer=' . urlencode($company) . '&secret=' . $_GET['secret']);
Full download of the corrected project: https://github.com/aminmahdi/whmcs-oath-addon
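
An added example, not part of the thread or the addon's code: the "never trust the input, even when it should be safe" idea from the hint above, applied to the `otpauth://` URI that the snippets pass to `QRcode::png`, where the user name and `$_GET['secret']` are concatenated unencoded. The function name `build_totp_uri`, the 16 to 128 character length bound and the sample values are assumptions made for illustration.

```php
<?php
// Added example: build the otpauth:// URI from validated, encoded parts.
// In the addon, $account and $issuer would come from the array form of the
// lookup shown in the hint, e.g. array("id" => (int) $_SESSION['uid']).

function build_totp_uri(string $account, string $issuer, string $secret): string
{
    // TOTP secrets are Base32 (alphabet A-Z and 2-7). Rejecting anything else
    // stops a request parameter from appending extra query fields to the URI.
    // The 16..128 length bound is an assumption of this example.
    $secret = strtoupper(rtrim($secret, '='));
    if (!preg_match('/^[A-Z2-7]{16,128}$/', $secret)) {
        throw new InvalidArgumentException('secret is not valid Base32');
    }
    if ($account === '' || $issuer === '') {
        throw new InvalidArgumentException('account and issuer are required');
    }

    // Percent-encode the label so "?", "&" or "#" inside a user name or
    // company name stays inside the label instead of starting a new field.
    $label = rawurlencode($issuer) . ':' . rawurlencode($account);

    // RFC 3986 encoding gives %20 for spaces rather than "+".
    $query = http_build_query(
        ['secret' => $secret, 'issuer' => $issuer],
        '',
        '&',
        PHP_QUERY_RFC3986
    );

    return 'otpauth://totp/' . $label . '?' . $query;
}

// Constructed sample values standing in for the lookups and $_GET['secret'].
$samples = [
    ['client@example.com', 'Example Hosting & Co', 'JBSWY3DPEHPK3PXP'],
    ['admin', 'Example Hosting & Co', 'JBSWY3DPEHPK3PXP&issuer=Other'],
];

foreach ($samples as [$account, $issuer, $secret]) {
    try {
        echo build_totp_uri($account, $issuer, $secret), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first sample yields a URI with an encoded label and issuer; the second is rejected because the secret carries characters outside the Base32 alphabet.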