Bug #33097 OCI_Password_Change fails to change password
Submitted: 2005-05-21 22:20 UTC
Modified: 2005-05-24 00:10 UTC
From: dboeke at eesus dot jnj dot com
Assigned:
Status: Not a bug
Package: OCI8 related
PHP Version: 5.0.4
OS: Win2k Server ver 5.0.2195 SP4
Private report: No
CVE-ID: None
 [2005-05-21 22:20 UTC] dboeke at eesus dot jnj dot com
Description:
------------
I am using the binary download of php 5.04 for win32 platforms.  It is running as a CGI under Apache/2.0.52. The only extension that I have loaded is php_oci8.dll [Revision: 1.257.2.6]

The Windows 2000 Server that PHP is running on has the Oracle9i 9.2.0.1.0 Server and Client installed.

The Oracle server that we are connecting to is running Oracle 8i Enterprise 8.1.7.2.0 on Unix.  This server has complexity rules set (minimum password length of 6 and passwords must have 3 levels of complexity: letters, numbers and special chars) 

We created a webpage for users to be able to change their oracle password.  It has worked for almost all users.  However, we have a user that had a password:  Ddnn!$52

He was unable to change the password, even though he could log on to Oracle through SqlPlus with the password. The OCI_Change_Password function returned the Oracle error:  ORA-28008: invalid old password.

This means that the PHP script successfully authenticated him using $conn=oci_new_connect($userID, $oldPwd, $oraSid); function but the oci_password_change($conn, $userID, $oldPwd, $newPwd); using the same variable values was unable to properly authenticate to oracle?

Also, I discovered while I was testing, that when I changed my password (using the webform) to Ddnn!$52, that I could no longer log into oracle via any means.  It seems like the value of the old/new password is possibly being changed by the oci_password_change function.


Reproduce code:
---------------
<?php
// Minimal password-change form used to reproduce the report.
if (isset($_POST['ibtnSubmit'])) {
	// stripslashes() removes backslashes from the submitted values
	// (e.g. those added by magic_quotes_gpc).
	$oraSid = stripslashes($_POST['itxtOraSID']);
	$userID = stripslashes($_POST['itxtUserID']);
	$oldPwd = stripslashes($_POST['ipwdOld']);
	$newPwd = stripslashes($_POST['ipwdNew']);
	// Log on with the current password on a new connection.
	$conn = @oci_new_connect($userID, $oldPwd, $oraSid);
	if ($conn) {
		// Change the password over that connection; on failure keep the Oracle error array.
		$result = @oci_password_change($conn, $userID, $oldPwd, $newPwd);
		$e = ($result) ? array('message'=>'Success') : oci_error($conn);
		@oci_close($conn);
	} else { $e = oci_error(); } // connect failed: fetch the connect-time error
} else { $e = array('message'=>'Please Change Your Password'); }
// Render the form with the status or error message at the top.
echo	"<HTML>\n<HEAD>\n\t<TITLE>OCI Change Pwd Test</TITLE>\n</HEAD>\n<BODY>\n" .
		"<FORM METHOD='post'>\n<B>" . $e['message'] . "</B><HR>\n" .
		"Oracle Instance:&nbsp;<INPUT TYPE='text' NAME='itxtOraSID'><BR>\n" .
		"User Name:&nbsp;<INPUT TYPE='text' NAME='itxtUserID'><BR>\n" .
		"Current Password:&nbsp;<INPUT TYPE='text' NAME='ipwdOld'><BR>\n" .
		"New Password:&nbsp;<INPUT TYPE='text' NAME='ipwdNew'><BR>\n" .
		"<INPUT TYPE='submit' name='ibtnSubmit' VALUE='Change Password'>\n" .
		"</FORM>\n</BODY>\n</HTML>\n";
?>

Expected result:
----------------
Password changed with no error if user submitted the correct password information.

Actual result:
--------------
ORA-28008: invalid old password

 [2005-05-21 23:10 UTC] tony2001@php.net
And what happens if you try to change the password using sqlplus (but not with "alter user" command) ?
 [2005-05-21 23:11 UTC] tony2001@php.net
And please try to use oci_password_change() with your locally installed Oracle.
 [2005-05-23 19:12 UTC] dboeke at eesus dot jnj dot com
I can use the Password command in SQL Plus to successfully change the password.  Also confirmed that other passwords using similar structure fail, i.e.:

Zzxx!$123
Aabb!$456

I haven't been able to check the local 9i environment yet, cause I don't have a user account, but I have requested one, and will update when I can.
 [2005-05-23 20:19 UTC] tony2001@php.net
And what if you remove all this stuff not related to the OCI itself (like stripslashes, forms etc.)?
 [2005-05-23 21:03 UTC] dboeke at eesus dot jnj dot com
<?php
$oraSid = 'PROD1';
$userID = 'UserNm';
$oldPwd = 'Qqww!$123';
$newPwd = 'Zzxx!$456';

$conn = @oci_new_connect($userID, $oldPwd, $oraSid);
	
if ($conn) {
	$result = @oci_password_change($conn, $userID, $oldPwd, $newPwd);
	$e = ($result) ? array('message'=>'Success') : oci_error($conn);
	@oci_close($conn);
} else { 
	$e = oci_error(); 
}

echo $e['message'];
?>

Same Error (ORA-28008: invalid old password ) with the above code.
 [2005-05-24 00:10 UTC] tony2001@php.net
Yes, I was able to reproduce it once, but after some time spent on debugging/dropping and creating new users I can't reproduce it anymore.
Anyway, this is not a PHP bug, because PHP just calls OCIPasswordChange() function and if it fails randomly there is nothing we can do. 
Try to search metalink database and bug Oracle people.
 
Last updated: Mon Jul 21 20:00:03 2025 UTC