db2_connect() may allow blank password with user entered


Issue

On older versions of Zend Server, it may be possible to use a blank password when the user is entered in the db2_connect() or db2_pconnect() function. The connection statement would look similar to this:

$connect = db2_connect("*LOCAL", "PHPUSER", "");

Note that if both the user and password are left blank, that is a different issue. Please see this article:

IBM i DB2 allows a connection with no user ID or password - How to change this

Environment

Zend Server for IBM i version 5 running on any supported version of IBM i.

Resolution

This can occur if a version of the libdb400.a archive that is set up to allow this for debugging purposes is installed. This version of libdb400.a was inadvertently distributed with some versions of Zend Server 5. Here is how to check for this and correct it.

From the 5250 command line, as QSECOFR or a *SECOFR class user:

call qp2term

This command brings you into the PASE shell.

In the PASE shell:

ls /usr/local/zendsvr/lib/libdb400.a

If this message appears:

ls: 0653-341 The file /usr/local/zendsvr/lib/libdb400.a does not exist.

Then this problem is not present.  However, if there is a listing:

/usr/local/zendsvr/lib/libdb400.a

Then the file is there and should be renamed. To rename the file, run this command in the PASE shell:

mv /usr/local/zendsvr/lib/libdb400.a  /usr/local/zendsvr/lib/libdb400.a.bak

Verify that libdb400.a no longer exists, and libdb400.a.bak does exist:

ls /usr/local/zendsvr/lib/libdb400.a
ls /usr/local/zendsvr/lib/libdb400.a.bak

After renaming the file, please restart Apache for the change to take effect.  Please schedule the restart for a time when it will be appropriate to have your web site unavailable for a few minutes.

Here is an example of the entire PASE shell session:

> ls /usr/local/zendsvr/lib/libdb400.a 
/usr/local/zendsvr/lib/libdb400.a
$
> mv /usr/local/zendsvr/lib/libdb400.a /usr/local/zendsvr/lib/libdb400.a.bak
$
> ls /usr/local/zendsvr/lib/libdb400.a
ls: 0653-341 The file /usr/local/zendsvr/lib/libdb400.a does not exist.
$
> ls /usr/local/zendsvr/lib/libdb400.a.bak
/usr/local/zendsvr/lib/libdb400.a.bak
$
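The check-and-rename procedure above, collected into a small POSIX shell script that can be run from the PASE shell. This is an added example, not part of the Zend article: the lib directory defaults to the path the article names, and the LIBDB400_DIR variable and --fix argument are assumptions of this script. It refuses to overwrite an existing libdb400.a.bak and verifies the rename the same way the article does.

```shell
#!/bin/sh
# Added example (not from the Zend article): detect the debug build of
# libdb400.a in a Zend Server lib directory and rename it aside.
# Usage:  sh check_libdb400.sh          -> report only
#         sh check_libdb400.sh --fix    -> rename libdb400.a to libdb400.a.bak
# LIBDB400_DIR (assumed name) overrides the directory, e.g. for a test copy.

# check_libdb400 DIR -> prints "present" or "absent"
check_libdb400() {
    if [ -e "$1/libdb400.a" ]; then
        echo "present"
    else
        echo "absent"
    fi
}

# remediate_libdb400 DIR
#   returns 0 when libdb400.a is absent afterwards (renamed, or never there)
#   returns 1 when libdb400.a.bak already exists (keeps the earlier backup)
#   returns 2 when the rename did not take effect
remediate_libdb400() {
    dir="$1"
    lib="$dir/libdb400.a"
    bak="$dir/libdb400.a.bak"
    if [ ! -e "$lib" ]; then
        echo "libdb400.a not found in $dir: problem not present"
        return 0
    fi
    if [ -e "$bak" ]; then
        echo "$bak already exists; refusing to overwrite it" >&2
        return 1
    fi
    mv "$lib" "$bak" || return 2
    # Verify, as the article does, that the original is gone and the backup exists.
    if [ -e "$lib" ] || [ ! -e "$bak" ]; then
        echo "rename of $lib did not take effect" >&2
        return 2
    fi
    echo "renamed $lib to $bak; restart Apache for the change to take effect"
    return 0
}

LIB_DIR="${LIBDB400_DIR:-/usr/local/zendsvr/lib}"
case "${1:-}" in
    --fix) remediate_libdb400 "$LIB_DIR" ;;
    *)     echo "libdb400.a in $LIB_DIR: $(check_libdb400 "$LIB_DIR")" ;;
esac
```

Run it once without arguments to see whether the file is present, then with --fix as QSECOFR or a *SECOFR class user to perform the rename; the Apache restart from the article is still required afterwards.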

 
