MSSQL & Authentication Hook Problem
After careful review of the code, I found that currently when using a Microsoft SQL Server, the exlog_hook_filter_authenticate_hash will never run because the authentication method is hardcoded into the MSSQL if statement. If the $dbType is ‘mssql’, then it runs exlog_validate_password() without checking to see if the filter is set. I have had to modify my local copy to include the filter check inside of the if statement to ensure that when I’m using a custom hashing function with an mssql database it will allow users to authenticate properly.
Current Code:
    if ($dbType == "mssql") {
        $query_string =
            'SELECT *' .
            ' FROM ' . esc_sql($db_data["dbstructure_table"]) .
            ' WHERE ' . esc_sql($db_data["dbstructure_username"]) . '=\'' . esc_sql($username) . '\'';
        $stmt = sqlsrv_query($db_data["db_instance"], $query_string);
        if (sqlsrv_has_rows($stmt) != true) {
            return array("valid" => false);
        }
        while ($userData = sqlsrv_fetch_array($stmt)) {
            $user_specific_salt = false;
            if (exlog_get_option('external_login_option_db_salting_method') == 'all') {
                $user_specific_salt = $userData[$db_data["dbstructure_salt"]];
            }
            $valid_credentials = exlog_validate_password($password, $userData[$db_data["dbstructure_password"]], $user_specific_salt);
            if ($valid_credentials) {
                $wp_user_data = exlog_build_wp_user_data($db_data, $userData);
                $wp_user_data["exlog_authenticated"] = true;
                return $wp_user_data;
            }
        }
        return array("valid" => false);
    }
My quick and dirty solution:
    if ($dbType == "mssql") {
        $query_string =
            'SELECT *' .
            ' FROM ' . esc_sql($db_data["dbstructure_table"]) .
            ' WHERE ' . esc_sql($db_data["dbstructure_username"]) . '=\'' . esc_sql($username) . '\'';
        $stmt = sqlsrv_query($db_data["db_instance"], $query_string);
        if (sqlsrv_has_rows($stmt) != true) {
            return array("valid" => false);
        }
        while ($userData = sqlsrv_fetch_array($stmt)) {
            // Per-user salt is only read when the salting method is 'all'.
            $user_specific_salt = false;
            if (exlog_get_option('external_login_option_db_salting_method') == 'all') {
                $user_specific_salt = $userData[$db_data["dbstructure_salt"]];
            }
            $hashFromDatabase = $userData[$db_data["dbstructure_password"]];
            // Use the custom hash filter when one is registered; otherwise fall back to the built-in check.
            if (has_filter(EXLOG_HOOK_FILTER_AUTHENTICATE_HASH)) {
                $valid_credentials = apply_filters(
                    EXLOG_HOOK_FILTER_AUTHENTICATE_HASH,
                    $password,
                    $hashFromDatabase,
                    $username,
                    $userData
                );
            } else {
                $valid_credentials = exlog_validate_password($password, $hashFromDatabase, $user_specific_salt);
            }
            if ($valid_credentials) {
                $wp_user_data = exlog_build_wp_user_data($db_data, $userData);
                $wp_user_data["exlog_authenticated"] = true;
                return $wp_user_data;
            } else {
                // Set the flag on the row that is actually returned.
                $userData["exlog_authenticated"] = false;
                return $userData;
            }
        }
        return array("valid" => false);
    }
I would love to see a version of the plugin updated to check for the exlog_hook_filter_authenticate_hash filter when using Microsoft SQL Server.
Thanks for the great plugin,
Brad
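Added example, not part of the original post and not the plugin's own code: a standalone PHP script showing why a branch that skips the filter check rejects users whose passwords use a custom hash, and how one shared check routes every database branch through the hook. The filter API functions and exlog_validate_password() here are minimal stand-ins, and the constant's value, the unsalted SHA-256 default, the row layout and the function example_check_credentials() are assumptions.

```php
<?php
// Stand-ins for the WordPress filter API so the script runs outside WordPress.
$example_filters = [];
function add_filter($tag, $fn, $priority = 10, $accepted_args = 1) {
    global $example_filters; $example_filters[$tag] = $fn;
}
function has_filter($tag) { global $example_filters; return isset($example_filters[$tag]); }
function apply_filters($tag, $value, ...$args) {
    global $example_filters; return $example_filters[$tag]($value, ...$args);
}

// Hook name as written in the post; the constant's value is assumed.
define('EXLOG_HOOK_FILTER_AUTHENTICATE_HASH', 'exlog_hook_filter_authenticate_hash');

// Stand-in for the plugin's built-in check (assumed here: SHA-256 of salt + password).
function exlog_validate_password($password, $hash, $salt) {
    return hash_equals($hash, hash('sha256', $salt . $password));
}

// Hypothetical shared check: every database branch calls this instead of
// calling exlog_validate_password() directly, so no branch can skip the hook.
function example_check_credentials($password, $hashFromDatabase, $username, $userData, $salt) {
    if (has_filter(EXLOG_HOOK_FILTER_AUTHENTICATE_HASH)) {
        return (bool) apply_filters(
            EXLOG_HOOK_FILTER_AUTHENTICATE_HASH, $password, $hashFromDatabase, $username, $userData
        );
    }
    return exlog_validate_password($password, $hashFromDatabase, $salt);
}

// Constructed sample row: the external database stores a bcrypt hash.
$row = ['username' => 'brad', 'password' => password_hash('correct horse', PASSWORD_BCRYPT)];

// What the hardcoded MSSQL branch does: the built-in check cannot verify bcrypt.
$hardcoded = exlog_validate_password('correct horse', $row['password'], false);

// Site-specific hash check registered on the hook (real WordPress needs 10, 4
// so that all four arguments are passed to the callback).
add_filter(EXLOG_HOOK_FILTER_AUTHENTICATE_HASH,
    function ($password, $hashFromDatabase, $username, $userData) {
        return password_verify($password, $hashFromDatabase);
    }, 10, 4);

$good = example_check_credentials('correct horse', $row['password'], 'brad', $row, false);
$bad  = example_check_credentials('wrong guess', $row['password'], 'brad', $row, false);

printf("hardcoded branch, right password: %s\n", var_export($hardcoded, true));
printf("shared check, right password:     %s\n", var_export($good, true));
printf("shared check, wrong password:     %s\n", var_export($bad, true));
```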