PSO-World OOPS!

Say it with me now: NEVER EVER EVER EVER EVER EVER EVER EVER EVER EVER EVER enable PHP’s debugging messages on a production server. Because in the event of an error, you can give the public more information than you wanted them to know. In case you can’t read the text (sorry, but unless you have a 1680×1050 monitor, full size would require a lot of scrolling), it says:

PSOW is experiencing technical problems or is under maintenance. Please try again in a few minutes.

The following problem occured: Access denied for user ‘pso-wor_main’@’%’ to database ‘pso-wor_main’

(And yes, the window was strategically placed and sized.)

Let’s see…that’s MySQL username syntax…the user pso-wor_main can log in from any IP address. Inventively, the database name and username are the same.

Here’s where my MySQL memory gets fuzzy. I don’t think that MySQL returns the exact match in the user table. That is to say, if I have a user dumbass that can log in from anywhere (e.g., ‘dumbass’@’%’), and dumbass tries to log in from a computer with the IP address 192.168.1.2, the error message would be

Access denied for user 'dumbass'@'192.168.1.2'

not

Access denied for user 'dumbass'@'%'

I could be wrong. Or the PSO-World guys might be trying to specify too much.

As for the user pso-wor_main being able to log in from anywhere, that might be a precaution against accidentally giving out the web server’s internal IP address. However, straight from MySQL’s online manual:

If you do not know the IP number or hostname of the machine from which you are connecting, you should put a row with '%' as the Host column value in the user table. After trying to connect from the client machine, use a SELECT USER() query to see how you really did connect. (Then change the '%' in the user table row to the actual hostname that shows up in the log. Otherwise, your system is left insecure because it allows connections from any host for the given username.)

So there you go. Even if they are on shared hosting, there’s no excuse.
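
The leak described at the top of this post, handled the safe way: an added PHP example, not PSO-World's code. The host, user and database names are constructed, and it assumes the mysqli extension and a DB_PASSWORD environment variable.

```php
<?php
declare(strict_types=1);

// Production settings: never render PHP errors into the page, log them instead.
// Set the same values in php.ini so they also cover startup and parse errors.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Make mysqli throw exceptions instead of emitting warnings (default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Write the driver's message to the server log under a short reference ID
 * and return only a generic notice (plus that ID) for the visitor.
 */
function safe_error_page(Throwable $e): string
{
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[db-error %s] %s', $ref, $e->getMessage()));

    return 'The site is experiencing technical problems or is under maintenance. '
         . 'Please try again in a few minutes. (Reference: ' . $ref . ')';
}

function connect_db(): mysqli
{
    // Constructed values for illustration; the password comes from the environment.
    $password = getenv('DB_PASSWORD') ?: '';

    return new mysqli('127.0.0.1', 'app_user', $password, 'app_db');
}

try {
    $db = connect_db();
    echo "Connected.\n";
} catch (mysqli_sql_exception $e) {
    // Leaky pattern, as seen in the screenshot (do not do this):
    //   echo 'The following problem occured: ' . $e->getMessage();
    http_response_code(503);
    echo htmlspecialchars(safe_error_page($e), ENT_QUOTES, 'UTF-8'), "\n";
}
```

Run with no MySQL server listening and the visitor-facing output contains only the generic notice and a reference ID, while the account, host and database named in the driver's message appear only in the error log.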