php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #14564 Trusted Connections Not Supported
Submitted: 2001-12-17 11:12 UTC Modified: 2016-10-15 23:06 UTC
Votes:15
Avg. Score:4.9 ± 0.2
Reproduced:15 of 15 (100.0%)
Same Version:5 (33.3%)
Same OS:6 (40.0%)
From: parkins dot graham at ppc-consulting dot co dot uk Assigned:
Status: Wont fix Package: MSSQL related
PHP Version: 4.1.0 OS: Windows NT 4/SQL Server 7
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2001-12-17 11:12 UTC] parkins dot graham at ppc-consulting dot co dot uk
I consider the inclusion of database usernames and passwords in scripts to be a security risk.

In a Windows environment it is possible to access SQL Server via a trusted connection.  This uses the context of the current logged in user.

Furthermore it is possible to configure IIS and presumably Apache to use a particular user account to service requests.

It is therefore possible (for example under ASP) to open a database connection without specifying a username or password in the script because the context of the current user account has permission to access the SQL Server.

I would be happy if this functionality could be implmented in the MS SQL Server extension.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-03-12 04:58 UTC] g dot sollis at syntegra dot nl
This would be great, as i too think it is a potential security risk to have usernames and passwords in the source-code. But instead of keeping it in MS-SQL functions i suggest it is also available for ODBC connections.

Just another small suggestion i thought of; maybe it's a good idea to implement a second (form of) 
[dbtype]_connect() function, which will accept something like an ODBC Connection String. This way it would be possible to either use the following:
1. DSN connection with specified user & password
2. DSN connection with trusted connection to db-server
3. DSN-less connection with connection string

The only way it is available now is by using the COM functionality. Which is OK if you want to go that way, but that does mean rewriting a lot of code if there is no db-abstraction layer in use.
 [2011-01-01 00:19 UTC] jani@php.net
-Package: Feature/Change Request +Package: MSSQL related
 [2016-10-15 23:06 UTC] kalle@php.net
-Status: Open +Status: Wont fix
 [2016-10-15 23:06 UTC] kalle@php.net
With MSSQL being removed from PHP as of PHP7.0, and ext/mssql not having a maintainer, I'm gonna close this report as a Won't fix, until maybe one day it will find a new maintainer.

Alternatively you can use sqlsrv from Microsoft if you are on Windows, or pdo_dblib if you are on Unix.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Dec 01 12:02:32 2020 UTC