UPDATE (10-31-06): It took a couple of repsonses to get the PHP folks to pull their heads out of their butts. The case has been open for a month, and it’s just a silly documentation error, but the PHP folks don’t take their product seriously enough to fix it.
UPDATE (9-27-06): The idiots who make PHP marked my bug report as “bogus.” (link) So much for PHP. What a joke of a script platform.
In attempting to install phpBB, I discovered a major PHP flaw.
PHP provides extensions to its core functionality called PECL (PHP Extensions Community Library). Even though they are called extensions, these packages provide important functionality like XML DOM, encryption, etc.
phpBB supports several databases. Since I work at a mostly Microsoft shop, I use SQL Server. phpBB uses PHP’s mssql extension for database communications.
The PHP script engine installed fine on my Windows 2003 SP1 server, and I got a Hello, world! app running very quickly. I then installed phpBB. The initial install page came up OK, but after entering my database configuration information, I kept getting an obtuse error:
phpBB : Critical Error
Could not connect to the database
What poor programming! The phpBB folks apparently can’t be bothered to give meaningful error messages. Even experienced folks at phpBB couldn’t figure out that error.
After a lot of futzing, I determined that phpBB was unable to talk to SQL Server, no matter what I did or checked. So I sniffed my network connection with Wireshark (formerly Ethereal) and found that php.exe was trying to talk to my SQL Server box using ports 445 and 139. That wasn’t what I expected; SQL Server connections normally use port 1433.
Further digging uncovered a major bug with how PHP talks to external SQL Servers. Apparently, PHP was trying to created a named pipe to SQL Server. Named pipes are an outdated, complicated way of talking to SQL Servers that have been superseded with standard TCP 1433 connections.
More Google searches turned up that this has been an problem since at least 2002. It can be fixed with a registry hack: find the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo registry key (create it if it doesn’t exist), and add a new string DSQUERY=DBNETLIB. In doing that, you tell the SQL Server Client, which mssql uses for the actual SQL Server communications, to use standard TCP instead of named pipes. This hack was buried on a PHP comment page about the mssql_connect function.
Is this a safe hack? Will it affect other applications? I don’t know for sure, but I’ll bet it won’t hurt anything. Apparently it just tells the SQL Server Client to use a DLL named dbnetlib.dll, a TCP/IP client connection library that comes with MDAC.
Why has the PHP team allowed this bug to live for at least 4 years? If they fail to cover major bugs like this, what else have they missed? Are PHP users exposed to the next major PHP security flaws?
By the way, this problem only affects SQL Servers that are on a different machine than the web server. It appears that SQL Servers on the same machine apparently work fine.