db_connect

General discussion on Zend Server for IBM System i
mare8481
Posts: 4
Joined: Sun Aug 10, 2014 2:30 pm

db_connect

Post by mare8481 » Mon Aug 11, 2014 1:55 pm

I don't know if I am going mad or....

I have a db2_connect statement that I am running to authenticate a user before submitting queries. I have noticed that if I

1 Submit a valid user and valid password: the connection is made, as I would expect.
2 Submit a valid user and an invalid password: the connection is not made and an error is returned, as I would expect.
3 Submit a non-existent username and a blank password: the connection is made.
4 Submit a non-existent username and a password: the connection is not made and an error is returned.

So am I going mad? Is this default behavior or have I got a configuration issue...

Code:

function login($username1, $password1) {
    $host = "A62RS";
    $options = array(
        'i5_naming'  => DB2_I5_NAMING_OFF,
        'autocommit' => DB2_AUTOCOMMIT_ON,
        'i5_libl'    => 'NMBUKPRD1 AMAMOD AMAMODDEV AMFLIBA'
    );
    setlocale(LC_MONETARY, 'en_GB');
    $_SESSION['ServerIP'] = $host;

    // Persistent connection; the submitted credentials are passed straight through to DB2
    $conn = db2_pconnect($host, $username1, $password1, $options);

    if (!$conn) {
        // Connection refused: show the DB2 message and a retry button
        echo '<table class="loginerrormsg">';
        echo '<tr><td>Connection to database failed: ' . db2_conn_errormsg() . '</td></tr>';
        echo '<tr><td colspan="1" align="center">';
        echo '<form action="login.php" method="post">';
        echo '<input type="submit" value="Retry">';
        echo '</form></td></tr>';
        echo '</table>';
        exit();
    } else {
        echo '<table class="loginerrormsg">';
        echo '<tr><td>Connection to database succeeded</td></tr>';
        echo '</table>';
    }
    $rc = db2_pclose($conn);
}

aseiden
Posts: 875
Joined: Thu Apr 09, 2009 5:45 pm

Re: db_connect

Post by aseiden » Wed Aug 13, 2014 9:24 pm

You're using db2_pconnect(). Remove the "p" and use regular db2_connect() till you get the issues resolved. Then put back the "p" when ready for production again.

Alan Seiden

P.S. For anyone hungry for DB2/PHP/IBM i knowledge, I'll be presenting a new half-day DB2/PHP/IBM i pre-conference tutorial on Oct. 27, 2014, at http://zendcon.com. A chance to get answers to all your DB2 questions. Tony Cairns from IBM will be co-presenter.

mare8481
Posts: 4
Joined: Sun Aug 10, 2014 2:30 pm

Re: db_connect

Post by mare8481 » Tue Sep 23, 2014 4:32 pm

Hi,

Many thanks for your reply, I changed to db2_connect, but this makes no difference at all.

Because my internal apps were not very sensitive we decided to let things go, but unfortunately the users have realized they can authenticate without a password.

I found this article on the support site titled:
IBM i DB2 allows a connection with no user ID or password - How to change this

Looking at our release level, I would suggest we are running V5R4, so I don't think the above applies. Looking at our ibm_db2.ini file shows only one extension.

Strangely, this behavior only came about after we migrated to a new iSeries with OS 7.1.

darl6549
Posts: 1
Joined: Thu Sep 25, 2014 6:49 am

Re: db_connect

Post by darl6549 » Thu Sep 25, 2014 6:51 am

You will need to purchase a license if you are using the i5_toolkit functions. Another option is to look at the IBM Free XMLSERVICE toolkit and recoding all of the calls to meet the requirements. If you need licensing in North America you can contact us for pricing, otherwise contact Aura using the link provided.

_______________________
darla

mare8481
Posts: 4
Joined: Sun Aug 10, 2014 2:30 pm

Re: db_connect

Post by mare8481 » Thu Sep 25, 2014 3:57 pm

Erm, thanks...

I'm actually using db2_connect, and as for location I'm in the UK.

rodflohr
Zend Global Support
Posts: 56
Joined: Mon Dec 29, 2008 5:28 pm

Re: db_connect

Post by rodflohr » Fri Sep 26, 2014 6:31 pm

Please see this article:

https://support.zend.com/hc/en-us/articles/203297676

As the article states:

"Prior to Zend Server 7.0.0, this is the designed behavior of db2_connect(). If no user or password is entered, the connection is for the Apache user QTMHHTTP. This could provide a performance boost by not using the QSQSRVR prestart job to process the DB2 queries. Security can be maintained by setting authorities for user QTMHHTTP on DB2 tables. Typically QTMHHTTP does not have access to anything not available to *PUBLIC, unless specifically granted. Access can be further restricted by explicitly excluding QTMHHTTP from any tables not appropriate for viewing via the web applications.

Starting with the Zend Server for IBM i 7.0.0 distribution, there is a new configuration directive for the ibm_db2 extension that controls whether db2_connect() will work with a blank user and password. By default, the ibm_db2.i5_blank_userid directive is set on to allow the connection. This maintains backward compatibility with older applications that may rely on this behavior."

For customers with Zend Server 7, there is a flag that can be set that will prevent this, and the above-mentioned article tells how. For customers with prior versions, if you are accepting input from the user that is supposed to contain a user ID and password, your PHP script should verify that these values are not blank before using them to make the connection. More generally, you should filter every value entered by an end user to make sure it is valid. This is basic security, and should never be omitted.
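A hardened version of the login routine posted at the top of the thread, added here as an example and not code from the thread, from Zend or from the support article: it rejects blank or malformed credentials before db2_connect() is ever called, so the QTMHHTTP fallback described above cannot be reached through the login form on any Zend Server version. The helper name credentials_are_usable() and the 10-character user profile limit (the IBM i user profile length) are this example's own choices.

```php
<?php
// Added example (not from the thread): validate submitted credentials before
// handing them to db2_connect(), so a blank user ID or password never falls
// through to the blank-user/QTMHHTTP behaviour described in the article.

function credentials_are_usable($username, $password)
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // IBM i user profile names are at most 10 characters; passwords are not
    // capped here because the limit depends on the system's password level.
    $username = trim($username);
    if ($username === '' || strlen($username) > 10) {
        return false;
    }
    if (trim($password) === '') {
        return false;
    }
    // Control characters have no place in either value.
    if (preg_match('/[\x00-\x1F\x7F]/', $username . $password)) {
        return false;
    }
    return true;
}

function login($username, $password)
{
    $host = "A62RS";
    $options = array(
        'i5_naming'  => DB2_I5_NAMING_OFF,
        'autocommit' => DB2_AUTOCOMMIT_ON,
    );

    if (!credentials_are_usable($username, $password)) {
        // Treated exactly like a bad password: the caller learns nothing more.
        return false;
    }

    // Non-persistent connection while debugging, as advised earlier in the thread.
    $conn = db2_connect($host, trim($username), $password, $options);
    if (!$conn) {
        error_log('DB2 login failed for ' . trim($username) . ': ' . db2_conn_errormsg());
        return false;
    }
    $_SESSION['ServerIP'] = $host;
    db2_close($conn);
    return true;
}
```

On Zend Server 7.0.0 and later, switching off the ibm_db2.i5_blank_userid directive described in the article is a second, server-side guard; the script-side check above is the one that works on every version.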

rodflohr
Zend Global Support
Posts: 56
Joined: Mon Dec 29, 2008 5:28 pm

Re: db_connect

Post by rodflohr » Fri Sep 26, 2014 8:11 pm

There is also an older issue where the user ID is entered, but the password is not:

https://support.zend.com/hc/en-us/articles/203733853

This article should answer the original question.

mare8481
Posts: 4
Joined: Sun Aug 10, 2014 2:30 pm

Re: db_connect

Post by mare8481 » Mon Oct 06, 2014 4:08 pm

Thank you for your posts, much appreciated. I am now validating the password and have made the change as defined in 203733853.
