External Login plugin support: MSSQL & Authentication Hook Problem

  • After careful review of the code, I found that currently, when using a Microsoft SQL Server, the exlog_hook_filter_authenticate_hash filter will never run because the authentication method is hardcoded into the MSSQL if statement. If the $dbType is ‘mssql’ then it runs exlog_validate_password() without checking to see if the filter is set. I have had to modify my local copy to include the filter check inside of the if statement to ensure that when I’m using a custom hashing function with an MSSQL database it will allow users to authenticate properly.

    Current Code:

    		if ($dbType == "mssql") {
    			$query_string =
    			'SELECT *' .
    			' FROM ' . esc_sql($db_data["dbstructure_table"]) .
    			' WHERE ' . esc_sql($db_data["dbstructure_username"]) . '=\'' . esc_sql($username) . '\'';
    			
    			$stmt = sqlsrv_query($db_data["db_instance"], $query_string);
    			if (sqlsrv_has_rows($stmt) != true) {
    				return array("valid" => false);
    			}
    			
    			while( $userData = sqlsrv_fetch_array($stmt)) {
    				$user_specific_salt = false;
    
    				if (exlog_get_option('external_login_option_db_salting_method') == 'all') {
    					$user_specific_salt = $userData[$db_data["dbstructure_salt"]];
    				}
    
    				$valid_credentials = exlog_validate_password($password, $userData[$db_data["dbstructure_password"]], $user_specific_salt);
    				
    				if ($valid_credentials) {
    					$wp_user_data = exlog_build_wp_user_data($db_data, $userData);
    					$wp_user_data["exlog_authenticated"] = true;
    					return $wp_user_data;
    				}
    			}
    			return array("valid" => false);
    		}

    My quick and dirty solution:

    		if ($dbType == "mssql") {
    			$query_string =
    			'SELECT *' .
    			' FROM ' . esc_sql($db_data["dbstructure_table"]) .
    			' WHERE ' . esc_sql($db_data["dbstructure_username"]) . '=\'' . esc_sql($username) . '\'';
    			
    			$stmt = sqlsrv_query($db_data["db_instance"], $query_string);
    			if (sqlsrv_has_rows($stmt) != true) {
    				return array("valid" => false);
    			}
    			
    			while( $userData = sqlsrv_fetch_array($stmt)) {
    				$user_specific_salt = false;
    
    				if (exlog_get_option('external_login_option_db_salting_method') == 'all') {
    					$user_specific_salt = $userData[$db_data["dbstructure_salt"]];
    				}
    
    				$hashFromDatabase = $userData[$db_data["dbstructure_password"]];
    				// Use the custom hash filter when one is registered; otherwise
    				// fall back to the plugin's built-in password validation.
    				if (has_filter(EXLOG_HOOK_FILTER_AUTHENTICATE_HASH)) {
    					$valid_credentials = apply_filters(
    						EXLOG_HOOK_FILTER_AUTHENTICATE_HASH,
    						$password,
    						$hashFromDatabase,
    						$username,
    						$userData
    					);
    				} else {
    					$valid_credentials = exlog_validate_password($password, $hashFromDatabase, $user_specific_salt);
    				}
    
    				if ($valid_credentials) {
    					$wp_user_data = exlog_build_wp_user_data($db_data, $userData);
    					$wp_user_data["exlog_authenticated"] = true;
    					return $wp_user_data;
    				}
    			}
    			// No row validated: same failure result as the unmodified MSSQL branch.
    			return array("valid" => false);
    		}

    I would love to see a version of the plugin updated to check for the exlog_hook_filter_authenticate_hash filter when using Microsoft SQL Server.

    Thanks for the great plugin,
    Brad
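
A custom hash check of the kind the post above relies on, as an added example that is not part of the original post or the plugin's own code: the callback takes the four arguments passed to apply_filters() in the snippet above and fails closed on anything it cannot parse. The function name myprefix_exlog_check_hash and the PBKDF2 storage format are assumptions made for illustration; the hook name is the one given in the post.

```php
<?php
// Added example: a custom hash check for the exlog_hook_filter_authenticate_hash filter.
// ASSUMPTION: stored hashes look like "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
// The function name and the storage format are hypothetical, not part of the plugin.

function myprefix_exlog_check_hash($password, $hashFromDatabase, $username, $userData) {
    // Fail closed on anything that is not a plain string pair.
    if (!is_string($password) || !is_string($hashFromDatabase)) {
        return false;
    }
    // A fixed-width CHAR column comes back space-padded, so trim before parsing.
    $parts = explode('$', trim($hashFromDatabase));
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2_sha256') {
        return false;
    }
    list(, $iterations, $saltHex, $expectedHex) = $parts;
    if (!ctype_digit($iterations) || (int) $iterations < 1
        || !ctype_xdigit($saltHex) || strlen($saltHex) % 2 !== 0
        || !ctype_xdigit($expectedHex) || strlen($expectedHex) !== 64) {
        return false;
    }
    // With raw output off, the length argument counts hex characters (64 = 32 bytes).
    $computed = hash_pbkdf2('sha256', $password, hex2bin($saltHex), (int) $iterations, 64);
    // Constant-time comparison, and always a strict boolean: the caller only
    // tests the result with if ($valid_credentials), so any truthy value logs the user in.
    return hash_equals(strtolower($expectedHex), $computed);
}

// Register only when running inside WordPress; four arguments, as passed by apply_filters().
if (function_exists('add_filter')) {
    add_filter('exlog_hook_filter_authenticate_hash', 'myprefix_exlog_check_hash', 10, 4);
}

// Constructed sample data for a stand-alone run (php example.php).
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $salt   = '00112233445566778899aabbccddeeff';
    $stored = 'pbkdf2_sha256$100000$' . $salt . '$'
            . hash_pbkdf2('sha256', 'correct horse', hex2bin($salt), 100000, 64);
    $row = array('username' => 'brad', 'password' => $stored);
    var_dump(myprefix_exlog_check_hash('correct horse', $stored, 'brad', $row));      // matching password
    var_dump(myprefix_exlog_check_hash('wrong', $stored, 'brad', $row));              // wrong password
    var_dump(myprefix_exlog_check_hash('correct horse', 'not-a-hash', 'brad', $row)); // malformed stored hash
}
```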

  • Plugin Author tbenyon

    (@tbenyon)

    Hey Brad,

    GREAT SPOT!

    Apologies for my mistake. Really appreciate you taking the time to diagnose the problem yourself. 🙂

    I’ll get the fix in and deployed within a week for you. I’m hoping it’ll be this weekend but just can’t promise that.

    Will keep you posted with updates and if you haven’t heard from me I won’t be offended if you chase.

    Thanks again,

    Tom
