php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #37560 MySQLi connection is not cleaned up properly
Submitted: 2006-05-23 11:42 UTC Modified: 2006-05-31 07:27 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:1 (25.0%)
From: tsr2600 at gmail dot com Assigned: georg (profile)
Status: Closed Package: MySQLi related
PHP Version: 5.1.4 OS: FreeBSD 6.1
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2006-05-23 11:42 UTC] tsr2600 at gmail dot com 
Description:
------------
When a MySQLi resource is created, a fatal error or exception (possibly others) will result in the script terminating but MySQL's SHOW PROCESSLIST; will report a "Reading from net" state indefinitely for as many connections as were created before script termination.  These connections will be accumulated until MySQL fails with too many connections.

This only occurs when PHP is running as an Apache module, it does not occur when PHP is running from the command line.  Also, this does not occur with the MySQL PHP functions, only MySQLi.

I have tested this on:

FreeBSD 6.1, PHP 5.1.4, Apache 2.0.58, MySQL 4.0.19
Gentoo, PHP 5.1.4, Apache 2.2.0, MySQL 4.0.19

Reproduce code:
---------------
<?php

$dbh = mysqli_connect($any, $valid, $params, $work);

some_undefined_function_resulting_in_error();

?>

Expected result:
----------------
A fatal error, telling me that I made a call to an undefined function.  I expect no residual MySQLi connections.

Actual result:
--------------
A fatal error, telling me that I made a call to an undefined function.  However, I still have a residual MySQLi connection, as reported by MySQL's SHOW PROCESSLIST;

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-05-26 02:08 UTC] soussey at network54 dot com 
I can confirm this. It also happens under FastCGI. If a page can be found that produces an error, an attacker can use this repeatedly to shut down an entire site. The attack need only be a person and a browser and need not to continue in order to DOS and bring down a site.
 [2006-05-26 02:11 UTC] sroussey at network54 dot com 
I should add, that I could not confirm this with Exceptions, only fatal errors.
 [2006-05-30 13:26 UTC] dominics at gmail dot com 
I can confirm that this also occurs under Windows XP, and when using the corresponding OO version of the code:

<?php

$something = new mysqli(DB_HOST,DB_USERNAME,DB_PASSWORD,DB_NAME);
diediediedie(); //Fatal error

?>
 [2006-05-30 13:30 UTC] mike@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip
 [2006-05-31 07:27 UTC] mike@php.net 
Fix for bug #36949 fixed this one too.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 08:01:28 2024 UTC