ID: 33097
Updated by: [EMAIL PROTECTED]
Reported By: dboeke at eesus dot jnj dot com
Status: Feedback
Bug Type: OCI8 related
Operating System: Win2k Server ver 5.0.2195 SP4
PHP Version: 5.0.4
New Comment:
And please try to use oci_password_change() with your locally installed
Oracle.
Previous Comments:
------------------------------------------------------------------------
[2005-05-21 23:10:13] [EMAIL PROTECTED]
And what happens if you try to change the password using sqlplus (but
not with "alter user" command) ?
------------------------------------------------------------------------
[2005-05-21 22:20:56] dboeke at eesus dot jnj dot com
Description:
------------
I am using the binary download of php 5.04 for win32 platforms. It is
running as a CGI under Apache/2.0.52. The only extension that I have
loaded is php_oci8.dll [Revision: 1.257.2.6]
The Windows 2000 Server that PHP is running on has the Oracle9i
9.2.0.1.0 Server and Client installed.
The Oracle server that we are connecting to is running Oracle 8i
Enterprise 8.1.7.2.0 on Unix. This server has complexity rules set
(minimum password length of 6 and passwords must have 3 levels of
complexity: letters, numbers and special chars)
We created a webpage for users to be able to change their oracle
password. It has worked for almost all users. However, we have a user
that had a password: Ddnn!$52
He was unable to change the password, even though he could logon to
oracle through SqlPlus with the password. The OCI_Change_Password
function returned the oracle error: ORA-28008: invalid old password.
This means that the PHP script successfully authenticated him using
$conn=oci_new_connect($userID, $oldPwd, $oraSid); function but the
oci_password_change($conn, $userID, $oldPwd, $newPwd); using the same
variable values was unable to properly authenticate to oracle?
Also, I discovered while I was testing, that when I changed my password
(using the webform) to Ddnn!$52, that I could no longer log into oracle
via any means. It seems like the value of the old/new password is
possibly being changed by the oci_password_change function.
Reproduce code:
---------------
<?php
if (isset($_POST['ibtnSubmit'])) {
$oraSid = stripslashes($_POST['itxtOraSID']);
$userID = stripslashes($_POST['itxtUserID']);
$oldPwd = stripslashes($_POST['ipwdOld']);
$newPwd = stripslashes($_POST['ipwdNew']);
$conn = @oci_new_connect($userID, $oldPwd, $oraSid);
if ($conn) {
$result = @oci_password_change($conn, $userID, $oldPwd,
$newPwd);
$e = ($result) ? array('message'=>'Success') : oci_error($conn);
@oci_close($conn);
} else { $e = oci_error(); }
} else { $e = array('message'=>'Please Change Your Password'); }
echo "<HTML>\n<HEAD>\n\t<TITLE>OCI Change Pwd
Test</TITLE>\n</HEAD>\n<BODY>\n" .
"<FORM METHOD='post'>\n<B>" . $e['message'] . "</B><HR>\n" .
"Oracle Instance: <INPUT TYPE='text'
NAME='itxtOraSID'><BR>\n"
.
"User Name: <INPUT TYPE='text' NAME='itxtUserID'><BR>\n" .
"Current Password: <INPUT TYPE='text'
NAME='ipwdOld'><BR>\n" .
"New Password: <INPUT TYPE='text' NAME='ipwdNew'><BR>\n" .
"<INPUT TYPE='submit' name='ibtnSubmit' VALUE='Change
Password'>\n"
.
"</FORM>\n</TABLE>\n</BODY>\n</HTML>\n";
?>
Expected result:
----------------
Password changed with no error if user submitted the correct password
information.
Actual result:
--------------
ORA-28008: invalid old password
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=33097&edit=1
