By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
455,364 Members | 1,341 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 455,364 IT Pros & Developers. It's quick & easy.

Unable to disconnect?

P: 13
I've dealt with issues with not being able to connect to the database through PHP and know how to correct most of them fairly easily, however, I've got a really odd situation here. I'm running PHP 5.2.5, Apache 2.2.8, and SQL Server 2000 under Windows XP (don't laugh, I was given this setup and told to use it). The problem I have is that I don't have to issue a mssql_connect statement in order to run a query on the database. This poses a problem if I'm not very careful about user input and that input gets subsequently displayed anywhere. For example, this actually pulls data from the database:
[PHP]<?php
$query = mssql_query("SELECT * FROM INFORMATION_SCHEMA.TABLES");
while($row = mssql_fetch_array($query)){ print_r($row); }
?>[/PHP]
I've checked everything I know to check. Here are the highlights.

from php.ini:
disable_functions = mssql_pconnect,mysql_pconnect
mssql.allow_persistent = Off
mssql.secure_connection = Off

SQL Server authentification is set to "SQL Server and Windows" and the startup service account is not the system account nor the user logged in at any point. (didn't know if that was an issue or not)

I've denied all access to the database files through NTFS permissions. I can't even browse to them when logged in at this point.

I've rebooted the server several times, and yet somehow I'm still able to query the database without ever connecting & authenticating.

I'm a bit lost at the moment. Does anybody have any ideas as to what else I might look at?

Thanks in advance.
Mar 26 '08 #1
Share this Question
Share on Google+
1 Reply


code green
Expert 100+
P: 1,726
The problem I have is that I don't have to issue a mssql_connect statement in order to run a query on the database
That is correct, but that does not mean you are not allowed to issue a connect statement
This is an extract from php manual
mssql_query() sends a query to the currently active database on the server that's associated with the specified link identifier. If the link identifier isn't specified, the last opened link is assumed. If no link is open, the function tries to establish a link as if mssql_connect() was called, and use it.
Simply specify the link identifier returned from mssql_connect() in mssql_query() [PHP]$link = mssql_connect() ;
mssql_query($query,$link);[/PHP]
This poses a problem if I'm not very careful about user input and that input gets subsequently displayed anywhere
Cannot understand how this situation could arise but you could additionally check the resource link is set [PHP]if(isset$link))
mssql_query($query,$link);[/PHP]
Mar 28 '08 #2

Post your reply

Sign in to post your reply or Sign up for a free account.