If that is the case then why does logging in with exactly the same params from 
a UNIX shell work fine? Command line login supposedly would be adding the 
@localhost or @IP_address as well but isn't. Only when I pass the variables to 
the script is that happening.

I am doing exactly as you stated:

> mysql_connect('localhost', $_POST['username'], $_POST['password']);

Except that I am first storing $_POST['username'] in local $user and 
$_POST['password'] in local $pass first and then passing those to 
mysql_connect. And I am connecting to a remote server, not localhost.

I have already documented both the exact HTML and PHP code in this thread and 
so see no need to post it elsewhere.

On Apr 21, 2013, at 6:32 AM, Stuart Dallas <stu...@3ft9.com> wrote:

> On 21 Apr 2013, at 11:20, Glob Design Info <i...@globdesign.com> wrote:
>> I don't understand why mysql_connect should append something in the case of 
>> a passed variable but not in the case of a local variable. Unless there is 
>> something in the form parsing machinery I am unaware of.
> Nothing is being added by anything. When you log in to MySQL it takes both 
> the username and the IP address/hostname of the machine you're logging in 
> from and looks those up in the users table. This means that user abc logging 
> in on localhost becomes abc@localhost. User abc logging in from 
> becomes abc@, and is treated as a completely separate user from 
> abc@localhost.
> The host comes from your end of the connection. So if you connect on 
> localhost, your end is also localhost. If you connect on the IP address or 
> hostname, your end is the rDNS lookup of your IP address - note that this may 
> be the same address as the one to which you are connecting, but will 
> represent a different user to @localhost as far as MySQL is concerned.
> The only thing that may be being added to the variable when the form data is 
> parsed is slashes, and then only if you have magic_quotes_gpc switched on in 
> php.ini. I believe this has already been eliminated as the cause earlier in 
> this thread.
> The problem you describe is not possible, so I'm betting your description is 
> missing something. Given a request with POST parameters of username=abc and 
> password=def, the following two lines are equivalent:
>  mysql_connect('localhost', 'abc', 'def');
>  mysql_connect('localhost', $_POST['username'], $_POST['password']);
> If this is exactly what you're doing then something very strange is going on. 
> If this is not exactly what you're doing, please narrow your code down to the 
> minimum required to demonstrate the problem and post it somewhere like 
> gist.com then send us the link.
> However, a more important question for me is why you are doing this. You say 
> you are aware of the security implications, and that you'll "deal with that 
> later," but I question how you're going to deal with it. What exactly are you 
> developing that requires DB credentials to come from a form on a web page?
> -Stuart
> -- 
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to