mysql_close
Hiding the MySQL password is a big deal on multi-user machines.
With Lighttpd you can store the passwords in the server-config and make that file readable by root only.
This is the way (make sure you enable mod_setenv):
# Security through setenv
$HTTP["url"] =~ "^/~user/base-dir/" {
setenv.add-environment = (
"MYSQL_USERNAME" => "username",
"MYSQL_PASSWORD" => "password"
)
}
Your PHP file should then read the username/password as follows:
<?php
$username = getenv('MYSQL_USERNAME');
$password = getenv('MYSQL_PASSWORD');
?>
Mind that additional 'false-checking' is good practice.
mysql_connect
(PHP 4, PHP 5, PECL mysql:1.0)
mysql_connect — Open a connection to a MySQL Server
Description
resource mysql_connect
([ string $server
[, string $username
[, string $password
[, bool $new_link
[, int $client_flags
]]]]] )
Opens or reuses a connection to a MySQL server.
Parameters
- server
-
The MySQL server. It can also include a port number. e.g. "hostname:port" or a path to a local socket e.g. ":/path/to/socket" for the localhost.
If the PHP directive mysql.default_host is undefined (default), then the default value is 'localhost:3306'. In SQL safe mode, this parameter is ignored and value 'localhost:3306' is always used.
- username
-
The username. Default value is defined by mysql.default_user. In SQL safe mode, this parameter is ignored and the name of the user that owns the server process is used.
- password
-
The password. Default value is defined by mysql.default_password. In SQL safe mode, this parameter is ignored and empty password is used.
- new_link
-
If a second call is made to mysql_connect() with the same arguments, no new link will be established, but instead, the link identifier of the already opened link will be returned. The new_link parameter modifies this behavior and makes mysql_connect() always open a new link, even if mysql_connect() was called before with the same parameters. In SQL safe mode, this parameter is ignored.
- client_flags
-
The client_flags parameter can be a combination of the following constants: 128 (enable LOAD DATA LOCAL handling), MYSQL_CLIENT_SSL, MYSQL_CLIENT_COMPRESS, MYSQL_CLIENT_IGNORE_SPACE or MYSQL_CLIENT_INTERACTIVE. Read the section about Predefined Constants for further information. In SQL safe mode, this parameter is ignored.
Return Values
Returns a MySQL link identifier on success, or FALSE on failure.
ChangeLog
| Version | Description |
|---|---|
| 4.3.0 | Added the client_flags parameter. |
| 4.2.0 | Added the new_link parameter. |
| 3.0.10 | Added support for ":/path/to/socket" with server . |
| 3.0.0 | Added support for ":port" with server . |
Examples
Example #1 mysql_connect() example
<?php
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
?>
Example #2 mysql_connect() example using hostname:port syntax
<?php
// we connect to example.com and port 3307
$link = mysql_connect('example.com:3307', 'mysql_user', 'mysql_password');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
// we connect to localhost at port 3307
$link = mysql_connect('127.0.0.1:3307', 'mysql_user', 'mysql_password');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
?>
Example #3 mysql_connect() example using ":/path/to/socket" syntax
<?php
// we connect to localhost and socket e.g. /tmp/mysql.sock
//variant 1: ommit localhost
$link = mysql_connect('/tmp/mysql', 'mysql_user', 'mysql_password');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
// variant 2: with localhost
$link = mysql_connect('localhost:/tmp/mysql.sock', 'mysql_user', 'mysql_password');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
?>
Notes
Note: Whenever you specify "localhost" or "localhost:port" as server, the MySQL client library will override this and try to connect to a local socket (named pipe on Windows). If you want to use TCP/IP, use "127.0.0.1" instead of "localhost". If the MySQL client library tries to connect to the wrong local socket, you should set the correct path as Runtime Configuration in your PHP configuration and leave the server field blank.
Note: The link to the server will be closed as soon as the execution of the script ends, unless it's closed earlier by explicitly calling mysql_close().
Note: You can suppress the error message on failure by prepending a @ to the function name.
Note: Error "Can't create TCP/IP socket (10106)" usually means that the variables_order configure directive doesn't contain character E. On Windows, if the environment is not copied the SYSTEMROOT environment variable won't be available and PHP will have problems loading Winsock.
add a note
User Contributed Notesmysql_connect
Jouke Witteveen
03-May-2008 09:17
03-May-2008 09:17
arithmetric at gmail dot com
25-Mar-2008 11:59
25-Mar-2008 11:59
If you are trying to open multiple, separate MySQL connections with the same MySQL user, password, and hostname, you must set $new_link = TRUE to prevent mysql_connect from using an existing connection.
For example, you are opening two separate connections to two different databases (but on the same host, and with the same user and password):
$db1 = mysql_connect($dbhost, $dbuser, $dbpass);
$rv = mysql_select_db($dbname1, $db1);
$db2 = mysql_connect($dbhost, $dbuser, $dbpass);
$rv = mysql_select_db($dbname2, $db2);
At this point, both $db1 and $db2 will have selected the database named by $dbname2.
The workaround is to require that the second MySQL connection is new:
$db1 = mysql_connect($dbhost, $dbuser, $dbpass);
$rv = mysql_select_db($dbname1, $db1);
$db2 = mysql_connect($dbhost, $dbuser, $dbpass, TRUE);
$rv = mysql_select_db($dbname2, $db2);
Now, $db1 should have selected $dbname1, and $db2 should have selected $dbname2.
This has been documented on the mysql_select_db page as well.
Note: This occurs only when the server, username, and password parameters are identical for each mysql_connect statement.
aeolianmeson at blitzeclipse dot com
03-Mar-2008 12:15
03-Mar-2008 12:15
Recently, I saw an obscure problem where I could connect to MySQL from the PHP via Apache and MySQL via the MySQL console, and could not connect via the PHP-CLI. This was in Windows (XP). I usually use MySQLi extension, but also tried MySQL, and both refused to work.
I restarted the service multiple times, and the PHP-CLI still would not connect.
This eventually cleared up.
I made sure to stop the service. Then, I downloaded a zipped binary-package from dev.mysql.com and started the server a few times from the commandline (mysqld/mysqld-nt, where mysqld-nt is tuned specifically for Windows) and stopped it ("mysqladmin shutdown"). I was then able to successfully connect from the PHP-CLI ("php -r "mysql_connect('localhost', 'root', ''); ").
Making sure it was stopped, I started the regular server from the commandline, and that was then successful. I then stopped it and started it via the Services panel, and everything still worked.
I'm assuming that when the service was restarted initially, there was a component that had died and refused to be shutdown even though the service appeared to be stopped, but shutting it down via mysqladmin killed everything entirely.
dan at novapulsar dot com
11-Feb-2008 11:24
11-Feb-2008 11:24
Looks like I learned this the hard way:
<?
//establish connection to master db server
mysql_connect (DB_HOST, DB_USER, DB_PASSWORD);
mysql_select_db (DB_NAME);
//establish connection to read-only slave cluster
$objMySQL_Read = mysql_connect (SLAVE_DB_HOST, SLAVE_DB_USER, SLAVE_DB_PASSWORD);
mysql_select_db (DB_NAME, $objMySQL_Read);
$strSQL = "SELECT col1,col2 FROM " . DB_NAME . "." . "tbl1 WHERE 1=1";
$objRS = mysql_query ($strSQL, $objMySQL_Read); //returns data from slaves
$strSQL = "INSERT INTO " . DB_NAME . "." . "tbl1 (col1,col2) VALUES (val1,val2)";
mysql_query ($strSQL);
//expected behavior, to insert the last statement into the master db, since it doesn't reference the read-only resource explicitly. instead, it inserts the record into the last connection, even though it shouldn't, since the last connection is not a global/anonymous connection like the first one, it's $objMySQL_Read.
//you'll get out of sync db's across your cluster unless you explicitly define all connection resources
?>
Steve
24-Dec-2007 03:32
24-Dec-2007 03:32
The too many connections issue can be due to several problems.
1. you are using pconnect. This can tie up many connections and is not really needed for MySQL as new connections are really fast.
2. Apache children are hanging around for too long - combine this with pconnect and you have recipe for disaster.
Suggestions: reduce the amount of time apache child processes stay connected to the client and how many connections before they are killed off. And don't use pconnect.
Ignacio Casinelli Esviza
20-Oct-2007 10:51
20-Oct-2007 10:51
Sometimes, I want that MySQL service start automatically when my app need it. This is specially true if you work in a development PC and/or in an small intranet environment.
You can do something like this: if the mysql_connect() function returns FALSE, try to force the initialization of the MySQL service!
For example, under Windows:
<?php
$link = @mysql_connect($server,$user,$pass);
if (empty($link)){
@exec("%SystemRoot%\\system32\\net.exe start mysql");
sleep(5);
$link = @mysql_connect($servidor,$usuario,$clave);
}
?>
In Linux of course you can try "/etc/init.d/mysqld start" but you will need special permissions.
Regards.
Peter Robinett
02-Oct-2007 06:20
02-Oct-2007 06:20
The use of mysql connections can become tricky with objects. I am using mysql_connect() in a database class I wrote and the class destructor calls mysql_close. Because I have several of these database objects, mysql_connect reuses existing connections. This is fine except when the script reaches the end of execution and PHP's garabage collection calls all the objects' __destruct() functions. mysql_close() throws a warning that the connection is invalid, in my case for one object. This is happening with objects which use an existing connection, as the connection has already been closed. I solved the problem by forcing mysql_connect() to create a new connection each time. This is not efficient but is sufficient for my purposes for now.
I wouldn't say this is a bug per-se, but it's something to look out for. I imagine using mysqli is the ultimate solution...
aichi
13-Aug-2007 09:11
13-Aug-2007 09:11
All constants from MySQL source:
#define CLIENT_LONG_PASSWORD 1 /* new more secure passwords */
#define CLIENT_FOUND_ROWS 2 /* Found instead of affected rows */
#define CLIENT_LONG_FLAG 4 /* Get all column flags */
#define CLIENT_CONNECT_WITH_DB 8 /* One can specify db on connect */
#define CLIENT_NO_SCHEMA 16 /* Don't allow database.table.column */
#define CLIENT_COMPRESS 32 /* Can use compression protocol */
#define CLIENT_ODBC 64 /* Odbc client */
#define CLIENT_LOCAL_FILES 128 /* Can use LOAD DATA LOCAL */
#define CLIENT_IGNORE_SPACE 256 /* Ignore spaces before '(' */
#define CLIENT_PROTOCOL_41 512 /* New 4.1 protocol */
#define CLIENT_INTERACTIVE 1024 /* This is an interactive client */
#define CLIENT_SSL 2048 /* Switch to SSL after handshake */
#define CLIENT_IGNORE_SIGPIPE 4096 /* IGNORE sigpipes */
#define CLIENT_TRANSACTIONS 8192 /* Client knows about transactions */
#define CLIENT_RESERVED 16384 /* Old flag for 4.1 protocol */
#define CLIENT_SECURE_CONNECTION 32768 /* New 4.1 authentication */
#define CLIENT_MULTI_STATEMENTS 65536 /* Enable/disable multi-stmt support */
#define CLIENT_MULTI_RESULTS 131072 /* Enable/disable multi-results */
#define CLIENT_REMEMBER_OPTIONS (((ulong) 1) << 31)
jslakva at gmail dot com
08-Apr-2007 06:05
08-Apr-2007 06:05
if between first and second call with same arguments there was another call with another argument, initial connection link is not reused, but new connection is created instead, regardless of new_link argument.
for example, here only one single link will be opened and then reused:
<?php
$link1 = mysql_connect("localhost");
$link2 = mysql_connect("localhost");
?>
and here _three_ separate links will be opened:
<?php
$link1 = mysql_connect("localhost");
$link3 = mysql_connect("127.0.0.1");
$link2 = mysql_connect("localhost");
?>
so if you wanted to switch between connections just by call to mysql_connect, and rely on its internal link caching, you can be wasting your database connections.
angelo [at] mandato <dot> com
19-Mar-2007 02:07
19-Mar-2007 02:07
The post from 'Graham_Rule at ed dot ac dot uk' should include the following WARNING:
WARING: THE VALUES OF THESE DIRECTIVES WILL BE EXPOSED IF ANY OF THE CODE INCLUDES THE phpinfo() FUNCTION.
The phpinfo() function will print these values clear as day. I highly suggest against this method of storing MySQL authentication information.
I recommend creating connect and cleanup functions in a separate include file. If security is a concern, locate the include file outside of your web root folder.
<?php
$g_link = false;
function GetMyConnection()
{
global $g_link;
if( $g_link )
return $g_link;
$g_link = mysql_connect( 'host.name', 'user', 'password') or die('Could not connect to server.' );
mysql_select_db('database_name', $g_link) or die('Could not select database.');
return $g_link;
}
function CleanUpDB()
{
global $g_link;
if( $g_link != false )
mysql_close($g_link);
$g_link = false;
}
?>
Simply include your connnection.php file in your script and anywhere you use the mysql_query() function include a call to the GetMyConnection() function.
<?php
$res = mysql_query("SELECT ...", GetMyConnection() );
?>
sky dot sama dot remove dot dots at Gmail dot com
12-Dec-2006 08:42
12-Dec-2006 08:42
In case anyone else is getting "Client does not support authentication protocol requested by server; consider upgrading MySQL client" error. The problem is the new password hashing method used by MySQL >= 4.1 mentioned below.
Either update your PHP to v5 where the new password hashing is supported or use old_password() in MySQL 4.1.
FROM: http://www.digitalpeer.com/id/mysql
UPDATE mysql.user SET password=old_password("youroldhashpassword") WHERE user ='youruserid' and host ='yourhost'
then do
FLUSH PRIVILEGES
Graham_Rule at ed dot ac dot uk
10-Nov-2006 01:59
10-Nov-2006 01:59
How to get at multiple MySQL databases from PHP while continuing to hide the user credentials in Apache configuration files.
(This builds on my solution to the problem of hiding such credentials that I posted in May 2003 at http://uk2.php.net/manual/en/function.mysql-connect.php#32035)
<Directory /var/www/html/multidatabase>
php_value mysql.default_user "username1 username2"
php_value mysql.default_password "secret private"
php_value mysql.default_host "localhost server.example.com"
</Directory>
Note that the quotes are necessary to prevent the parser complaining about seeing too many parameters for php_value.
Given this setup in Apache, our script can fetch the composite value
$hostnames = @ini_get('mysql.default_host'); Split it into its component parts
$hostnames = preg_split("/[\s]+/", $hostnames); Then use the values in this array as if we had hard-coded:
$hostnames[0] = "localhost";
$hostnames[1] = "server.example.com"
Similar code may be written to fetch the usernames and passwords.
(One 'gotcha' with the mysql_error() function is that it will not give a sensible error report if there is a failure to open a second or subsequent connection. It uses the last successfully opened connection as the basis for its message!)
Graham_Rule at ed dot ac dot uk
10-Nov-2006 01:43
10-Nov-2006 01:43
The addition of entries to httpd.conf to stop .inc files being served by Apache is certainly useful and to be recommended.
But it doesn't change the fact that these files have to be readable by Apache so that the PHP processor can get at them.
As long as your don't have multiple, possibly untrusted, users on your machine then that's OK. But when you are running a large multi-user service with thousands of users its always possible that one of them will look at your .inc files and take a note of the passwords you have in them. They could even copy them into their own scripts and modify your databases!
Even if local users are trusted, there is always the possibility of a rogue script (PHP or some nastier language) being installed by an ignorant user. That script might then read your .inc files (whether or not they are in the web publishing tree) and expose your password.
brinca at substancia dot com
09-Nov-2006 07:43
09-Nov-2006 07:43
If you prefer to use a hostname instead of an ip on your connection string in a script (to be able to change the ip at will), but don't want the overhead of dns lookups, just add it to your /etc/hosts file (in windows: %WINDIR%/system32/drivers/etc/hosts).
For example, add the following to your hosts file (changing the bogus ip to your server's real ip):
123.123.123.123 mysqlserver1
Note: On linux, make sure you have "order: hosts,bind" on your /etc/host.conf file.
On a script, make the mysql connection like so:
<?
$sid = mysql_connect ("mysqlserver1", "user", "pass");
?>
Note: this sample is in php, but it can be any other programming language (just type "ping mysqlserver1" on a prompt, on your server)
And there you have it! If your server ever gets assigned a different ip, just update the hosts file with the new one (every script will work as-is, even if under different hostnames).
rui dot batista at netcabo dot pt
31-May-2006 08:42
31-May-2006 08:42
Ever wonder what "default username" is?
<?php
$link = mysql_connect() or die(mysql_error());
$result = mysql_query("SELECT SESSION_USER(), CURRENT_USER();");
$row = mysql_fetch_row($result);
echo "SESSION USER: ", $row[0], "<br>\n";
echo "CURRENT USER: ", $row[1], "<br>\n";
?>
Both are ODBC@localhost in my win2k install, so my advice for windows is:
- create a MySQL user named ODBC with no password
- add localhost to ODBC user [right-click ODBC]
- set schema previleges to ODBC@localhost
- use mysql_connect() with no parms, or do not use ;)
This turns to work also with odbc_connect:
odbc_connect("myDSN", "", "")
Aesar
09-May-2006 10:26
09-May-2006 10:26
That's an interesting discovery. I don't think it should be this way, but I think it's more a firefox/browser bug (at least, if you see it as a bug) than a fault in mysql/php.
What happens if you load the pages in two different browser screens instead of two tabs?
Mario
08-May-2006 09:21
08-May-2006 09:21
PHP (5.1.2) stores connections according to script name and remote host, apparently. If the same script is requested by the same browser in two different tabs (Firefox for this test) and requests a non-persistent connection using the same user and password, the connection will be shared.
Ran into this while testing a script for concurrent usage using "LOCK TABLES" queries... and found that one tab's script was blocking until the other finished. No blocking occurred when different machines loaded the same script at the same time. Very interesting.
25-Jun-2005 03:18
connect to mysql via named pipe under windows :
in my.ini, add this:
[mysqld]
enable-named-pipe
then connect to the server, then connect to mysql using
mysql_connect('.')
camitz at NOSPAM dot example dot com
27-Oct-2004 01:05
27-Oct-2004 01:05
A description about the problem with the password hashing and how to adress them can be found at http://dev.mysql.com/doc/mysql/en/Password_hashing.html
chaoscontrol_hq at yahoo dot com
23-Aug-2004 02:10
23-Aug-2004 02:10
In MySQL4.1 and later, the default password hashing format has changed making it incompatible with 3.x clients.
I found out mysql_connect() works on server versions >= 4.1 when your MySQL user password is blank because password authentication isn't done in that case, otherwise you need to use another connection method (e.g. mysqli).
Also if you are using old MySQL tables on a new server (i.e. the passwords are stored in the old format), then the server will use the old auth method automatically and this function should work in all cases.
Hopefully this will help someone, it had me confused for a while because some of the users on my 4.1 server could connect and some couldn't.
martinnitram at excite dot com
31-Oct-2003 02:22
31-Oct-2003 02:22
to use load data local infile function from mysql (at mysql 4.0.16, php 4.3.3), set fifth parameter of mysql_connect() to CLIENT_LOCAL_FILES(128), which based on MYSQL C API ( also mysql server support load file, check by "show variables like 'local_infile' ")
Thank 'phpweb at eden2 dot com' to point this out
phpweb at eden2 dot com
27-Jun-2003 11:55
27-Jun-2003 11:55
client_flags can be things other than MYSQL_CLIENT_COMPRESS, MYSQL_CLIENT_IGNORE_SPACE and MYSQL_CLIENT_INTERACTIVE.
I presume that mysql_connect() just passes through to the C MySQL API, which provides these constants:
#define CLIENT_LONG_PASSWORD 1 /* new more secure passwords */
#define CLIENT_FOUND_ROWS 2 /* Found instead of affected rows */
#define CLIENT_LONG_FLAG 4 /* Get all column flags */
#define CLIENT_CONNECT_WITH_DB 8 /* One can specify db on connect */
#define CLIENT_NO_SCHEMA 16 /* Don't allow database.table.column */
#define CLIENT_COMPRESS 32 /* Can use compression protocol */
#define CLIENT_ODBC 64 /* Odbc client */
#define CLIENT_LOCAL_FILES 128 /* Can use LOAD DATA LOCAL */
#define CLIENT_IGNORE_SPACE 256 /* Ignore spaces before '(' */
#define CLIENT_CHANGE_USER 512 /* Support the mysql_change_user() */
#define CLIENT_INTERACTIVE 1024 /* This is an interactive client */
#define CLIENT_SSL 2048 /* Switch to SSL after handshake */
#define CLIENT_IGNORE_SIGPIPE 4096 /* IGNORE sigpipes */
#define CLIENT_TRANSACTIONS 8192 /* Client knows about transactions */
Not all of these may work or be meaningful, but CLIENT_FOUND_ROWS does, at least.
Graham_Rule at ed dot ac dot uk
14-May-2003 08:43
14-May-2003 08:43
Another solution to the security problems of putting usernames and passwords into scripts. I haven't found this documented anywhere else so thought I'd suggest it for the online documentation. ........
Don't put passwords for mysql into scripts which may be read by any user on the machine. Instead put them into an Apache configuration file and make sure that it is not world-readable. (Apache reads its main config files as root.)
For example, add this to your httpd.conf (and chmod it to 600 or 660) then tell your apache to reload itself (apachectl graceful).
<Directory /var/www/html/mydatabase>
php_value mysql.default_user fred
php_value mysql.default_password secret
php_value mysql.default_host server.example.com
</Directory>
Then all you need in your PHP code is
$handle = mysql_connect() or die(mysql_error());
The passwords etc will only be picked up by scripts running in the named directory (or a sub-directory). The same may be done for virtualhosts etc.
If you don't want to keep reloading your Apache server then you ay test things putting the php_value directives into a (world readable) .htaccess file. (Clearly not for production use.)
If you need to debug the values that are being supplied (or not) then use this snippet:
@syslog(LOG_DEBUG, "Using user=".ini_get("mysql.default_user").
" pass=".ini_get("mysql.default_password").
" host=".ini_get("mysql.default_host"));
(This assumes that you are not running in 'safe_mode' and that you are on a unix of some sort.)
amn -at- frognet.net
11-Mar-2003 10:40
11-Mar-2003 10:40
Just in case you didn't know. You can use mysql_connect in a function to connect to a database and the connection is a super-global... meaning you can use mysql_query in other functions or in no function at all and PHP will use the connection that you opened. This is a handy bit of knowledge that helps if you have a large site with lots of scripts. If you create one function to connect to a db, and call that function in all your scripts, it makes for easier code maintenance since you only have to update one line of code to change your mysql connection instead of updating all your scripts individually.
rec0rder at lycos dot com
09-Apr-2002 11:54
09-Apr-2002 11:54
The method I use to "protect" mySQL connect is to place dbConnect.php outside the web directory.
I will create a directory:
/var/include/
Put "dbConnect.php" into
/var/include/
Edit your php.ini file to read "/var/include/" an include directory.
In your PHP now, you just have to do:
require("dbConnect.php");
nospam at code24 dot com
26-Mar-2002 03:37
26-Mar-2002 03:37
There should already be a post in here about this, but I would like to follow up on the idea that anyone can read your .inc files, which might contain username/password combos for mysql access.
There is a very simple way to block this.
If you are using Apache, just edit your httpd.conf file, and look for the following lines:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
Okay... that little chunk of text is saying that you don't want files that begin with .ht to be readable through apache. We also don't want people to see any files that end with .inc.
So, just add the following chunk of text to your httpd.conf file:
<Files ~ "\.inc(\.php)?$>
Order allow,deny
Deny from all
Satisfy All
</Files>
This will block anyone from seeing your .inc files over the web. It is much smarter than naming include files, "*.php". Use the .php extension for your code, and save .inc for actual include data, and don't worry about people reading your .inc's anymore.
Hope this helps somebody. Oh yeah... one other thing... obviously, anytime you make a change to httpd.conf (or whatever you have named your Apache config file), you must restart apache for the changes to take effect.