Re: Re: mysql_connect noob question

On 21 Apr 2013, at 11:20, Glob Design Info <info@xxxxxxxxxxxxxx> wrote:

> I don't understand why mysql_connect should append something in the case of a passed variable but not in the case of a local variable. Unless there is something in the form parsing machinery I am unaware of.

Nothing is being added by anything. When you log in to MySQL it takes both the username and the IP address/hostname of the machine you're logging in from and looks those up in the users table. This means that user abc logging in on localhost becomes abc@localhost. User abc logging in from 192.168.0.187 becomes abc@192.168.0.187, and is treated as a completely separate user from abc@localhost.

The host comes from your end of the connection. So if you connect on localhost, your end is also localhost. If you connect on the IP address or hostname, your end is the rDNS lookup of your IP address - note that this may be the same address as the one to which you are connecting, but will represent a different user to @localhost as far as MySQL is concerned.

The only thing that may be being added to the variable when the form data is parsed is slashes, and then only if you have magic_quotes_gpc switched on in php.ini. I believe this has already been eliminated as the cause earlier in this thread.

The problem you describe is not possible, so I'm betting your description is missing something. Given a request with POST parameters of username=abc and password=def, the following two lines are equivalent:

  mysql_connect('localhost', 'abc', 'def');
  mysql_connect('localhost', $_POST['username'], $_POST['password']);

If this is exactly what you're doing then something very strange is going on. If this is not exactly what you're doing, please narrow your code down to the minimum required to demonstrate the problem and post it somewhere like gist.com then send us the link.

However, a more important question for me is why you are doing this. You say you are aware of the security implications, and that you'll "deal with that later," but I question how you're going to deal with it. What exactly are you developing that requires DB credentials to come from a form on a web page?

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
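
The user@host account matching described in the message above, as an added example that is not part of the original post. The user name abc and the two hosts are taken from the message; the passwords and the demo_acl schema are constructed placeholders.

```sql
-- Added example: MySQL identifies an account by the pair (user, host).
-- Passwords and the demo_acl schema are constructed placeholders.
CREATE DATABASE IF NOT EXISTS demo_acl;

-- Two separate accounts that happen to share a user name.
-- Each has its own password and its own privileges.
CREATE USER 'abc'@'localhost'     IDENTIFIED BY 'local-placeholder-pw';
CREATE USER 'abc'@'192.168.0.187' IDENTIFIED BY 'remote-placeholder-pw';

GRANT SELECT, INSERT ON demo_acl.* TO 'abc'@'localhost';
GRANT SELECT         ON demo_acl.* TO 'abc'@'192.168.0.187';

-- One row per (user, host) pair: the server stores these as distinct accounts.
SELECT user, host FROM mysql.user WHERE user = 'abc';

-- The grants differ, so the same user name gets different rights
-- depending on where the connection comes from.
SHOW GRANTS FOR 'abc'@'localhost';
SHOW GRANTS FOR 'abc'@'192.168.0.187';

-- Run this from the application's own connection when a login behaves
-- unexpectedly. USER() is the name and client host the connection presented;
-- CURRENT_USER() is the account row the server actually authenticated against.
SELECT USER() AS presented, CURRENT_USER() AS matched_account;

-- Remove the demonstration accounts.
DROP USER 'abc'@'localhost', 'abc'@'192.168.0.187';
```

If presented and matched_account disagree, or an access-denied error names a host you did not expect, the connection is being matched against a different account row than the one you set the password on.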





