2

I have a form where the user enters their database information and can click a link that uses AJAX to send the credentials to this page. The problem I have is that as long as they enter the correct host name the script returns TRUE.

Is there another way to test this so that it will return FALSE if the username and password are not valid?

$h  =   urldecode($_GET['h']);
$u  =   urldecode($_GET['u']);
$p  =   urldecode($_GET['p']);

$con = mysql_connect($h, $u, $p);

if(!$con){
    echo 'Could not connect';
}

else{
    echo 'Connected';
}

Solved!

For future reference, the issue was that there where entries in the mysql user table for user = "Any". I removed those users and the script worked as expected. I updated this post to include a screen shot for anyone having similar problems. Thanks to Fabio below for the suggestion!

The user table in MYSQL included entries for "any" user.

Improve this question
3
  • It shouldn't be doing this. The manual is absolutely clear that false is to be returned if the connection fails. Maybe the SQL server you are trying this with is misconfigured to accept any connection? Have you tried with another mySQL server? Commented Sep 5, 2011 at 20:18
  • I'm using localhost right now (WAMP) so no. Give me a second and I'll try it on a remote server. Commented Sep 5, 2011 at 20:19
  • Okay connecting to a remote server isn't an option right now. I have narrowed the issue down to the username though as entering a random password gives me the "Could not connect" message. This would mean that it's accepting any username with no password attached. Commented Sep 5, 2011 at 20:29

1 Answer 1

Reset to default
5

That's because mysql_connect uses some defaults when connecting which should be root for the username and the blank string for the password if I correctly remember it. Alternatively could be the username under which the webserver runs.

This could means that your db server accepts passwordless root connections (from the webserver machine), which is pretty dangerous. You should review your database configuration and user list.

From a security point of view your code is not very safe, db credentials are transmitted in cleartext, and as a rule of thumb db credentials should not be entered by end users (unless you're writing a PhpMyAdmin like tool).

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

you should add,is your script running as ?
I'm using localhost (WAMP) right now so I'm not too concerned about having a root connection with no password. Also, the fact that mysql_connect uses defaults shouldn't matter since it returns TRUE for any username, not just blank ones. Oh and this is taken from the script's installer so I have to ask for db credentials. I don't think it's a problem that they're submitted in plain text for this same reason.
Then it should be something else, have you tried to log the $h,$u and $p variables? Try them with a non ajax call such as http://hostname/script.php?h=somehost&u=foo&p=bar and dump the values just before the mysql_connect call.
Okay I tried a non-AJAX call and dumped the values and there wasn't anything unexpected there. The values are what I entered into the form (nothing being lost).
That's pretty strange. You should review your MySQL configuration, especially your users table. Since this is a local installation I think you could safely update your question with the content of user table of the mysql database. And make a try with the command line client by entering something like mysql -u abcdef -h localhost -p
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.