2

I have a form where the user enters their database information and can click a link that uses AJAX to send the credentials to this page. The problem I have is that as long as they enter the correct host name the script returns TRUE.

Is there another way to test this so that it will return FALSE if the username and password are not valid?

$h  =   urldecode($_GET['h']);
$u  =   urldecode($_GET['u']);
$p  =   urldecode($_GET['p']);

$con = mysql_connect($h, $u, $p);

if(!$con){
    echo 'Could not connect';
}

else{
    echo 'Connected';
}

Solved!

For future reference, the issue was that there where entries in the mysql user table for user = "Any". I removed those users and the script worked as expected. I updated this post to include a screen shot for anyone having similar problems. Thanks to Fabio below for the suggestion!

The user table in MYSQL included entries for "any" user.

Community
  • 1
  • 1
Robert
  • 69
  • 8
  • It shouldn't be doing this. The manual is absolutely clear that `false` is to be returned if the connection fails. Maybe the SQL server you are trying this with is misconfigured to accept any connection? Have you tried with another mySQL server? – Pekka Sep 05 '11 at 20:18
  • I'm using localhost right now (WAMP) so no. Give me a second and I'll try it on a remote server. – Robert Sep 05 '11 at 20:19
  • Okay connecting to a remote server isn't an option right now. I have narrowed the issue down to the username though as entering a random password gives me the "Could not connect" message. This would mean that it's accepting any username with no password attached. – Robert Sep 05 '11 at 20:29

1 Answers1

5

That's because mysql_connect uses some defaults when connecting which should be root for the username and the blank string for the password if I correctly remember it. Alternatively could be the username under which the webserver runs.

This could means that your db server accepts passwordless root connections (from the webserver machine), which is pretty dangerous. You should review your database configuration and user list.

From a security point of view your code is not very safe, db credentials are transmitted in cleartext, and as a rule of thumb db credentials should not be entered by end users (unless you're writing a PhpMyAdmin like tool).

Fabio
  • 18,856
  • 9
  • 82
  • 114
  • you should add,is your script running as ? – ajreal Sep 05 '11 at 20:29
  • I'm using localhost (WAMP) right now so I'm not too concerned about having a root connection with no password. Also, the fact that mysql_connect uses defaults shouldn't matter since it returns `TRUE` for _any_ username, not just blank ones. Oh and this is taken from the script's installer so I have to ask for db credentials. I don't think it's a problem that they're submitted in plain text for this same reason. – Robert Sep 05 '11 at 20:34
  • Then it should be something else, have you tried to log the `$h`,`$u` and `$p` variables? Try them with a non ajax call such as `http://hostname/script.php?h=somehost&u=foo&p=bar` and dump the values just before the `mysql_connect` call. – Fabio Sep 05 '11 at 20:42
  • Okay I tried a non-AJAX call and dumped the values and there wasn't anything unexpected there. The values are what I entered into the form (nothing being lost). – Robert Sep 05 '11 at 20:53
  • That's pretty strange. You should review your MySQL configuration, especially your users table. Since this is a local installation I think you could safely update your question with the content of user table of the mysql database. And make a try with the [command line client](http://www.manpagez.com/man/1/mysql/) by entering something like `mysql -u abcdef -h localhost -p` – Fabio Sep 05 '11 at 21:03
  • There were entries in the user table for "any" so I deleted them and it's working as expected now. Thanks for the help! I'll update with a photo for reference once I get enough reputation. – Robert Sep 05 '11 at 22:39