mysql> grant all on *.* to 'a'@'%' identified by a;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'a' at line 1
mysql> grant all on *.* to 'a'@'%' identified by 'a';
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'a'@'%';
| Grants for a@%                                                                                            |
1 row in set (0.00 sec)

mysql> exit

[root@localhost ~]# mysql -h localhost -u a -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: YES)
[root@localhost ~]# mysql -h -u a -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: YES)
[root@localhost ~]# mysql -u a -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: YES)
[root@localhost ~]# mysql -u a
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.5.17 MySQL Community Server (GPL)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> status
mysql  Ver 14.14 Distrib 5.5.17, for Linux (x86_64) using readline 5.1

Connection id:      20
Current database:   
Current user:       a@localhost
SSL:            Not in use
Current pager:      stdout
Using outfile:      ''
Using delimiter:    ;
Server version:     5.5.17 MySQL Community Server (GPL)
Protocol version:   10
Connection:     Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:        /var/lib/mysql/mysql.sock
Uptime:         15 days 15 hours 20 min 18 sec

Threads: 1  Questions: 40  Slow queries: 0  Opens: 41  Flush tables: 1  Open tables: 4  Queries per second avg: 0.000




[root@localhost ~]# nmap localhost

Starting Nmap 4.11 ( ) at 2012-01-18 07:35 CST
Interesting ports on localhost.localdomain (
Not shown: 1674 closed ports
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
840/tcp  open  unknown
3306/tcp open  mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.064 seconds
[root@localhost ~]# 






According to the MySQL 5.0 Certification Study Guide:


There are two stages of client access control:

In the first stage, a client attempts to connect and the server either
accepts or rejects the connection. For the attempt to succeed, some
entry in the user table must match the host from which the client
connects, the username, and the password.

In the second stage (which occurs only if a client has already
connected successfully), the server checks every query it receives from
the client to see whether the client has sufficient privileges to
execute it.

The server matches a client against entries in the grant tables based
on the host from which the client connects and the user the client
provides. However, it’s possible for more than one record to match:

Host values in grant tables may be specified as patterns containing
wildcard values. If a grant table contains entries from,,, and %, all of them
match a client who connects from

Patterns are not allowed for the User values in grant table entries,
but a username may be given as an empty string to specify an anonymous
user. The empty string matches any username and thus effectively acts
as a wildcard.

When the Host and the User values in more than one user table record
match a client, the server must decide which one to use. It does this
by sorting records with the most specific Host and User column values
first, and choosing the matching record that occurs first in the
sorted list. Sorting takes place as follows:

In the Host Column, literal values such as localhost,,
and sort ahead of values such as
that have pattern characters in them. Pattern values are sorted
according to how specific they are. For example, is
more specific than, which is more specific than %.

In the User column, non-blank usernames sort ahead of blank usernames.
That is, non-anonymous users sort ahead of anonymous users.

The server performs this sorting when it starts. It reads the grant
tables into memory, sorts them, and uses the in-memory copies for
access control.


As for how you logged in, only mysql -u a worked. Go back, log in again, and run these commands:

SELECT user,host,password FROM mysql.user;



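This is just a guess, but I suspect mysql -u a connects via localhost because, when no connection protocol is specified, the default is to connect via the socket file. There may be an entry in mysql.user that allows anonymous localhost connections.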


SELECT user,host,password FROM mysql.user WHERE user='' AND host='localhost';

If you get back a row with no password, that fully explains why mysql -u a worked.

UPDATE 2012-01-19 11:12 EDT

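Craig Efrein brought up an interesting question: if two identical usernames exist in the mysql.user table, one with a password and the other without, does that mean MySQL denies authentication when no password is used?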


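Please note that the primary key of mysql.user is host,user. There are no other indexes. This allows a username to occur multiple times. Each occurrence can have a different password or no password. This allows the user 'dbuser' to log in locally (dbuser@localhost) with no password, the same user to log in from another server in a given network (dbuser@'') using the password 'pass1', and that user to log in remotely from anywhere (dbuser@'%') using a remote password (such as 'pass2').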


This is why the MySQL 5.0 Certification Study Guide, on Page 498 Paragraph 6, describes in its bullet points how to clean up the authentication process:

On Unix, MySQL comes with a mysql_secure_installation script that can
perform several helpful security-related operations on your
installation. The script has the following capabilities:

  • Set a password for the root accounts
  • Remove any remotely accessible root accounts.
  • Remove the anonymous user accounts. This improves security because
    it prevents the possibility of anyone connecting to the MySQL server
    as root from a remote host. The result is that anyone who wants to
    connect as root must first be able to log in on the server host, which
    provides an additional barrier against attack.
  • Remove the test database (If you remove the anonymous accounts, you
    might also want to remove the test database to which they have
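
The matching order quoted in the answer above, as an added example (not part of the original post and not MySQL's own code): a simplified Python model of the first-stage account lookup. The user table is constructed and assumes the anonymous ''@'localhost' row the answer suspects; the plain-text password comparison and the pattern-specificity ranking are simplifications, and the function names are hypothetical.

```python
import re

# Constructed sample rows (user, host, password). The anonymous ''@'localhost'
# row is an assumption: it is the entry the answer suspects exists.
USER_TABLE = [
    ("a", "%", "a"),
    ("", "localhost", ""),
    ("root", "localhost", "constructed-root-pw"),
]

def host_matches(pattern, host):
    """Host column match; % and _ act as wildcards, as in SQL LIKE."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host, re.IGNORECASE) is not None

def sort_key(row):
    """Most specific Host first, then non-blank User ahead of blank User."""
    user, host, _ = row
    wild = [i for i, c in enumerate(host) if c in "%_"]
    # Simplification: literal hosts rank first; among patterns, a longer
    # literal prefix before the first wildcard counts as more specific.
    host_rank = (1, -wild[0]) if wild else (0, 0)
    return (host_rank, user == "")

def match_account(table, user, host):
    """Return the first row in sorted order whose Host and User match."""
    for row in sorted(table, key=sort_key):
        if host_matches(row[1], host) and row[0] in ("", user):
            return row
    return None

def login(table, user, host, password):
    """Stage one: matched account as 'user@host', or None for error 1045."""
    row = match_account(table, user, host)
    # Simplification: plain-text comparison instead of the stored hash.
    if row is None or row[2] != password:
        return None
    return f"{row[0]}@{row[1]}"

if __name__ == "__main__":
    print(match_account(USER_TABLE, "a", "localhost"))  # anonymous row wins
    print(login(USER_TABLE, "a", "localhost", "a"))     # rejected
    print(login(USER_TABLE, "a", "localhost", ""))      # accepted
```

In this model, dropping the anonymous row makes 'a'@'%' the matching account for local connections, so the password 'a' is accepted and the empty password is rejected. The value returned by `login` corresponds to the authenticated account that `SELECT CURRENT_USER();` reports.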
