mysql - PHP: mysql_connect not returning FALSE

Question

I have a form where the user enters their database information and can click a link that uses AJAX to send the credentials to this page. The problem I have is that as long as they enter the correct host name the script returns TRUE.

Is there another way to test this so that it will return FALSE if the username and password are not valid?

$h  =   urldecode($_GET['h']);
$u  =   urldecode($_GET['u']);
$p  =   urldecode($_GET['p']);

$con = mysql_connect($h, $u, $p);

if(!$con){
    echo 'Could not connect';
}

else{
    echo 'Connected';
}

Solved!

For future reference, the issue was that there where entries in the mysql user table for user = "Any". I removed those users and the script worked as expected. I updated this post to include a screen shot for anyone having similar problems. Thanks to Fabio below for the suggestion!

Answer 1

That's because mysql_connect uses some defaults when connecting which should be root for the username and the blank string for the password if I correctly remember it. Alternatively could be the username under which the webserver runs.

This could means that your db server accepts passwordless root connections (from the webserver machine), which is pretty dangerous. You should review your database configuration and user list.

From a security point of view your code is not very safe, db credentials are transmitted in cleartext, and as a rule of thumb db credentials should not be entered by end users (unless you're writing a PhpMyAdmin like tool).