On 21 Apr 2013, at 20:29, Glob Design Info <info@xxxxxxxxxxxxxx> wrote:
> If that is the case then why does logging in with exactly the same params from a UNIX shell work fine? Command line login supposedly would be adding the @localhost or @IP_address as well but isn't. Only when I pass the variables to the script is that happening.
What makes you so sure it's not?
It is. I promise you it is. You're not seeing it because you're not getting an error logging in. Do it on the command line again, but use a username that doesn't exist and you will see the host it's adding in the error message.
> I am doing exactly as you stated:
>
>> mysql_connect('localhost', $_POST['username'], $_POST['password']);
>
> Except that I am first storing $_POST['username'] in local $user and $_POST['password'] in local $pass first and then passing those to mysql_connect. And I am connecting to a remote server, not localhost.
Side note: why are you putting them in other variables first when you're only going to use them in that one place? It's a waste of memory. It's a minor niggle but it's a pet hate of mine.
> I have already documented both the exact HTML and PHP code in this thread and so see no need to post it elsewhere.
And you're saying that when, instead of using $_POST variables you hard-code the username and password in the script it work? I doubt it.
On the command line are you simply doing "mysql -u <username> -p" and then entering the password? In that case it's using localhost. Is MySQL running on the same server as PHP? If so, try changing the remove server name to "localhost" in your script. I'm better a magnum of decent champagne that it works.
It's very rare (and pretty stupid) for a web host to allow remote servers to connect to their MySQL instances, unless they have a shared MySQL instance for all of their customers. Given that you have command line access to the MySQL server, and can log in without specifying the host, I'm thinking you're trying to use it in a way they don't allow.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
> On Apr 21, 2013, at 6:32 AM, Stuart Dallas <stuart@xxxxxxxx> wrote:
>
>> On 21 Apr 2013, at 11:20, Glob Design Info <info@xxxxxxxxxxxxxx> wrote:
>>
>>> I don't understand why mysql_connect should append something in the case of a passed variable but not in the case of a local variable. Unless there is something in the form parsing machinery I am unaware of.
>>
>> Nothing is being added by anything. When you log in to MySQL it takes both the username and the IP address/hostname of the machine you're logging in from and looks those up in the users table. This means that user abc logging in on localhost becomes abc@localhost. User abc logging in from 192.168.0.187 becomes abc@192.168.0.187, and is treated as a completely separate user from abc@localhost.
>>
>> The host comes from your end of the connection. So if you connect on localhost, your end is also localhost. If you connect on the IP address or hostname, your end is the rDNS lookup of your IP address - note that this may be the same address as the one to which you are connecting, but will represent a different user to @localhost as far as MySQL is concerned.
>>
>> The only thing that may be being added to the variable when the form data is parsed is slashes, and then only if you have magic_quotes_gpc switched on in php.ini. I believe this has already been eliminated as the cause earlier in this thread.
>>
>> The problem you describe is not possible, so I'm betting your description is missing something. Given a request with POST parameters of username=abc and password=def, the following two lines are equivalent:
>>
>> mysql_connect('localhost', 'abc', 'def');
>> mysql_connect('localhost', $_POST['username'], $_POST['password']);
>>
>> If this is exactly what you're doing then something very strange is going on. If this is not exactly what you're doing, please narrow your code down to the minimum required to demonstrate the problem and post it somewhere like gist.com then send us the link.
>>
>> However, a more important question for me is why you are doing this. You say you are aware of the security implications, and that you'll "deal with that later," but I question how you're going to deal with it. What exactly are you developing that requires DB credentials to come from a form on a web page?
>>
>> -Stuart
>>
>> --
>> Stuart Dallas
>> 3ft9 Ltd
>> http://3ft9.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
