If that is the case then why does logging in with exactly the same params from a UNIX shell work fine? Command line login supposedly would be adding the @localhost or @IP_address as well but isn't. Only when I pass the variables to the script is that happening. I am doing exactly as you stated: > mysql_connect('localhost', $_POST['username'], $_POST['password']); Except that I am first storing $_POST['username'] in local $user and $_POST['password'] in local $pass first and then passing those to mysql_connect. And I am connecting to a remote server, not localhost. I have already documented both the exact HTML and PHP code in this thread and so see no need to post it elsewhere. On Apr 21, 2013, at 6:32 AM, Stuart Dallas <stuart@xxxxxxxx> wrote: > On 21 Apr 2013, at 11:20, Glob Design Info <info@xxxxxxxxxxxxxx> wrote: > >> I don't understand why mysql_connect should append something in the case of a passed variable but not in the case of a local variable. Unless there is something in the form parsing machinery I am unaware of. > > Nothing is being added by anything. When you log in to MySQL it takes both the username and the IP address/hostname of the machine you're logging in from and looks those up in the users table. This means that user abc logging in on localhost becomes abc@localhost. User abc logging in from 192.168.0.187 becomes abc@192.168.0.187, and is treated as a completely separate user from abc@localhost. > > The host comes from your end of the connection. So if you connect on localhost, your end is also localhost. If you connect on the IP address or hostname, your end is the rDNS lookup of your IP address - note that this may be the same address as the one to which you are connecting, but will represent a different user to @localhost as far as MySQL is concerned. > > The only thing that may be being added to the variable when the form data is parsed is slashes, and then only if you have magic_quotes_gpc switched on in php.ini. I believe this has already been eliminated as the cause earlier in this thread. > > The problem you describe is not possible, so I'm betting your description is missing something. Given a request with POST parameters of username=abc and password=def, the following two lines are equivalent: > > mysql_connect('localhost', 'abc', 'def'); > mysql_connect('localhost', $_POST['username'], $_POST['password']); > > If this is exactly what you're doing then something very strange is going on. If this is not exactly what you're doing, please narrow your code down to the minimum required to demonstrate the problem and post it somewhere like gist.com then send us the link. > > However, a more important question for me is why you are doing this. You say you are aware of the security implications, and that you'll "deal with that later," but I question how you're going to deal with it. What exactly are you developing that requires DB credentials to come from a form on a web page? > > -Stuart > > -- > Stuart Dallas > 3ft9 Ltd > http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php