If that is the case then why does logging in with exactly the same params from a UNIX shell work fine? Command line login supposedly would be adding the @localhost or @IP_address as well but isn't. Only when I pass the variables to the script is that happening.
I am doing exactly as you stated: > mysql_connect('localhost', $_POST['username'], $_POST['password']); Except that I am first storing $_POST['username'] in local $user and $_POST['password'] in local $pass first and then passing those to mysql_connect. And I am connecting to a remote server, not localhost. I have already documented both the exact HTML and PHP code in this thread and so see no need to post it elsewhere. On Apr 21, 2013, at 6:32 AM, Stuart Dallas <stu...@3ft9.com> wrote: > On 21 Apr 2013, at 11:20, Glob Design Info <i...@globdesign.com> wrote: > >> I don't understand why mysql_connect should append something in the case of >> a passed variable but not in the case of a local variable. Unless there is >> something in the form parsing machinery I am unaware of. > > Nothing is being added by anything. When you log in to MySQL it takes both > the username and the IP address/hostname of the machine you're logging in > from and looks those up in the users table. This means that user abc logging > in on localhost becomes abc@localhost. User abc logging in from 192.168.0.187 > becomes abc@192.168.0.187, and is treated as a completely separate user from > abc@localhost. > > The host comes from your end of the connection. So if you connect on > localhost, your end is also localhost. If you connect on the IP address or > hostname, your end is the rDNS lookup of your IP address - note that this may > be the same address as the one to which you are connecting, but will > represent a different user to @localhost as far as MySQL is concerned. > > The only thing that may be being added to the variable when the form data is > parsed is slashes, and then only if you have magic_quotes_gpc switched on in > php.ini. I believe this has already been eliminated as the cause earlier in > this thread. > > The problem you describe is not possible, so I'm betting your description is > missing something. Given a request with POST parameters of username=abc and > password=def, the following two lines are equivalent: > > mysql_connect('localhost', 'abc', 'def'); > mysql_connect('localhost', $_POST['username'], $_POST['password']); > > If this is exactly what you're doing then something very strange is going on. > If this is not exactly what you're doing, please narrow your code down to the > minimum required to demonstrate the problem and post it somewhere like > gist.com then send us the link. > > However, a more important question for me is why you are doing this. You say > you are aware of the security implications, and that you'll "deal with that > later," but I question how you're going to deal with it. What exactly are you > developing that requires DB credentials to come from a form on a web page? > > -Stuart > > -- > Stuart Dallas > 3ft9 Ltd > http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php