I've dealt with issues with not being able to connect to the database through PHP and know how to correct most of them fairly easily; however, I've got a really odd situation here. I'm running PHP 5.2.5, Apache 2.2.8, and SQL Server 2000 under Windows XP (don't laugh, I was given this setup and told to use it). The problem I have is that I don't have to issue a mssql_connect statement in order to run a query on the database. This poses a problem if I'm not very careful about user input and that input gets subsequently displayed anywhere. For example, this actually pulls data from the database:
[PHP]<?php
$query = mssql_query("SELECT * FROM INFORMATION_SCHEMA.TABLES");
while($row = mssql_fetch_array($query)){ print_r($row); }
?>[/PHP]
I've checked everything I know to check. Here are the highlights.
from php.ini:
disable_functions = mssql_pconnect, mysql_pconnect
mssql.allow_persistent = Off
mssql.secure_connection = Off
SQL Server authentication is set to "SQL Server and Windows" and the startup service account is not the system account nor the user logged in at any point. (didn't know if that was an issue or not)
I've denied all access to the database files through NTFS permissions. I can't even browse to them when logged in at this point.
I've rebooted the server several times, and yet somehow I'm still able to query the database without ever connecting & authenticating.
I'm a bit lost at the moment. Does anybody have any ideas as to what else I might look at?
Thanks in advance.