Bug #33365 logon fails when password expired, ORA-28001
Submitted: 2005-06-16 17:32 UTC Modified: 2005-09-08 11:48 UTC
From: uherj at avx dot cz Assigned:
Status: Closed Package: OCI8 related
PHP Version: 5.*, 4.* (2005-06-17) OS: *
Private report: No CVE-ID: None
 [2005-06-16 17:32 UTC] uherj at avx dot cz
Description:
------------
OCIlogon does not return a connection resource for an account with an expired password.

ocierror() contains:
    [code] => 28001
    [message] => ORA-28001: the password has expired

It is not possible to call OCIpasswordchange without an existing resource (it returns the same error).

(similar problem in Bug #31623 - not fully resolved)


Reproduce code:
---------------
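1. Create a new user account with an expired password.
2. Try:

// $server and $sid must already hold the database host and SID
$user="newaccount";
$password="password";
// Build the Oracle connect descriptor
$dbstring="(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)";
$dbstring.="(HOST = $server)(PORT = 1521)))";
$dbstring.="(CONNECT_DATA = (SID = $sid)) )";
// Logon attempt with the expired password
$con=ocilogon($user,$password,$dbstring);
// Connection-level error (ORA-28001 in this case)
$conerr=ocierror();
print_r($conerr);
echo "resource connection:".$con;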



Expected result:
----------------
There could be an error retrieved by ocierror() (information); OCIlogon() should return a resource.



Actual result:
--------------
No resource is returned by OCIlogon().

History
 [2005-06-16 18:04 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-06-17 08:53 UTC] uherj at avx dot cz
Our production environment uses PHP 4.3.xx.
 [2005-06-17 11:03 UTC] tony2001@php.net
You don't have to update the installed PHP to try a newer version.

 [2005-06-17 11:43 UTC] uherj at avx dot cz
I downloaded the latest PHP5 and tried it under this one. This bug shows up in PHP5 too.
 [2005-06-17 14:32 UTC] tony2001@php.net
Full stop.
You're trying to connect with an *expired* login/password. Why do you expect it to work? 
Bug #31623 reports quite a different problem - the password is still valid, but will expire in the next N days, that's why it's allowed to connect.
So I don't see any reason to call it a "bug", because the reason why it refuses to connect is perfectly valid to me.
 [2005-06-17 15:18 UTC] uherj at avx dot cz
I need to connect to change the password (using OCIpasswordchange). The user is not locked or dropped, it is still a valid user. Creating new users with an expired password is a standard security procedure.
The same situation happens when the grace period has expired - the user MUST change the password before doing anything else. It ensures periodic change of passwords.
 [2005-06-17 21:01 UTC] tony2001@php.net
What is the difference between usual users and users with expired passwords? If the password has expired, it should be changed by an administrator. In the other case there is no sense in "expiring" the password, because the user will be able to log in without any problems (and issue queries, drop tables/databases etc.).
 [2005-06-18 21:32 UTC] uherj at avx dot cz
- A normal user CAN change the password.
- A user with an expired password MUST change the password (before issuing queries, dropping tables/databases etc.). Standard db applications (PL/SQL developer, toad..) allow users to change an expired password. Why is it impossible using PHP?
- Changing passwords by an administrator is used for forgotten passwords or locked accounts.
- Could you imagine an administrator who changes expired passwords for a hundred accounts every second month? (dear Sarbanes-Oxley).

If you think this is not useful in PHP, please close this bug. This all looks more like a discussion forum than a bug description.
 [2005-06-18 21:56 UTC] tony2001@php.net
>-normal user CAN change password.
and?

>-user with expired password MUST change password (before issue queries, drop tables/databases etc.). Standard db applications (PL/SQL developer, toad..) allow to users change expired password. Why is it impossible using PHP?

Because PHP is not a "standard application" and can't throw up a window with a warning that he/she needs to change the password.

I don't see any point in allowing users with expired password to connect to DB (and to work as normal users).
 [2005-09-08 11:48 UTC] tony2001@php.net
The bug has been fixed in OCI8 v.1.1, which is available in CVS HEAD and PECL (use `pear install oci8-beta` to install it).
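
The flow requested in this report, as an added example that is not part of the thread or of the PHP project's own code: with OCI8 1.1 or later, `oci_password_change()` accepts a database name in place of a connection, so an ORA-28001 logon failure can be turned into a forced password change. The function name `connect_or_change_expired` and the caller variables are hypothetical.

```php
<?php
// Added example: assumes the oci8 extension (OCI8 1.1 or later) is loaded.
const ORA_PASSWORD_EXPIRED = 28001; // ORA-28001: the password has expired

/**
 * Connect; if Oracle rejects the logon only because the password has
 * expired, change it and return the connection opened by the change call.
 * Returns a connection resource, or false on any other failure.
 */
function connect_or_change_expired($user, $oldPassword, $newPassword, $db)
{
    // @ keeps the raw ORA- warning out of page output; oci_error() still has it.
    $con = @oci_connect($user, $oldPassword, $db);
    if ($con !== false) {
        return $con;                      // password still valid
    }

    $err = oci_error();                   // no argument: connection-level error
    if (!is_array($err) || (int) $err['code'] !== ORA_PASSWORD_EXPIRED) {
        // Wrong password, locked account, listener down, ...: do not retry,
        // repeated attempts count against FAILED_LOGIN_ATTEMPTS.
        return false;
    }

    // With a database name (not a connection) as the first argument,
    // oci_password_change() authenticates with the old password, sets the
    // new one, and returns a new connection resource (false on failure).
    $con = @oci_password_change($db, $user, $oldPassword, $newPassword);
    if ($con === false) {
        $err = oci_error();
        // Log the code only; never log either password.
        error_log('expired-password change failed: ORA-' . ($err['code'] ?? 'unknown'));
    }
    return $con;
}

// Hypothetical caller: $server, $sid and the credentials come from your own
// configuration and a change-password form, never from hard-coded literals.
// $db  = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=$server)(PORT=1521))(CONNECT_DATA=(SID=$sid)))";
// $con = connect_or_change_expired($user, $old, $new, $db);
```

Only the ORA-28001 case triggers the change; every other logon failure is returned as-is so that a wrong password is never retried automatically.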
 