On 21 Apr 2013, at 11:20, Glob Design Info <i...@globdesign.com> wrote:

> I don't understand why mysql_connect should append something in the case of a 
> passed variable but not in the case of a local variable. Unless there is 
> something in the form parsing machinery I am unaware of.

Nothing is being added by anything. When you log in to MySQL it takes both the 
username and the IP address/hostname of the machine you're logging in from and 
looks those up in the users table. This means that user abc logging in on 
localhost becomes abc@localhost. User abc logging in from becomes 
abc@, and is treated as a completely separate user from 

The host comes from your end of the connection. So if you connect on localhost, 
your end is also localhost. If you connect on the IP address or hostname, your 
end is the rDNS lookup of your IP address - note that this may be the same 
address as the one to which you are connecting, but will represent a different 
user to @localhost as far as MySQL is concerned.

The only thing that may be being added to the variable when the form data is 
parsed is slashes, and then only if you have magic_quotes_gpc switched on in 
php.ini. I believe this has already been eliminated as the cause earlier in 
this thread.

The problem you describe is not possible, so I'm betting your description is 
missing something. Given a request with POST parameters of username=abc and 
password=def, the following two lines are equivalent:

  mysql_connect('localhost', 'abc', 'def');
  mysql_connect('localhost', $_POST['username'], $_POST['password']);

If this is exactly what you're doing then something very strange is going on. 
If this is not exactly what you're doing, please narrow your code down to the 
minimum required to demonstrate the problem and post it somewhere like gist.com 
then send us the link.

However, a more important question for me is why you are doing this. You say 
you are aware of the security implications, and that you'll "deal with that 
later," but I question how you're going to deal with it. What exactly are you 
developing that requires DB credentials to come from a form on a web page?


Stuart Dallas
3ft9 Ltd
PHP General Mailing List (http://www.php.net/)
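
An added example, not part of the original message or of any poster's code: one way to see the user-plus-host matching described above from the MySQL side. The host value 192.0.2.10, the password placeholders and the database name appdb are constructed assumptions.

```sql
-- Constructed example: host values, password placeholders and the database
-- name `appdb` are assumptions for illustration, not values from the thread.

-- Two accounts that share the user name 'abc' but are distinct to MySQL,
-- because an account is identified by the pair (user, host).
CREATE USER 'abc'@'localhost'  IDENTIFIED BY '<placeholder-1>';
CREATE USER 'abc'@'192.0.2.10' IDENTIFIED BY '<placeholder-2>';

-- Each account carries its own password and its own privileges.
GRANT SELECT, INSERT ON appdb.* TO 'abc'@'localhost';
GRANT SELECT         ON appdb.* TO 'abc'@'192.0.2.10';

-- List every account row that exists for this user name
-- (requires SELECT privilege on mysql.user).
SELECT user, host FROM mysql.user WHERE user = 'abc';

-- Run over each connection path that succeeds:
--   USER()         = the user name the client supplied plus the host the
--                    server saw the client connect from
--   CURRENT_USER() = the account row the server matched and now uses for
--                    privilege checks
SELECT USER() AS presented, CURRENT_USER() AS matched;

-- Privileges of the account that was actually matched.
SHOW GRANTS FOR CURRENT_USER();

-- When a connection is refused, the "Access denied for user 'abc'@'...'"
-- message reports the host the server saw; compare it with the host column
-- returned by the mysql.user query above.
```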