4

I made a login check script that checks whether the username and password match an account that is set in the database. All works fine, but it isn't case sensitive, which it really should be! What can I do to make this script also check for uppercase/lowercase? For example: I have an account with username AdMin and password My43sGG. If I entered admin and my43sgg in the login fields, it would also work.

My script:

<?php
session_start();

// connect to the database
include("config.php");

// username and password sent from the form
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

// To protect against MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// Compare the submitted values with the stored username and password.
// With a case-insensitive column collation this comparison ignores case.
$sql = "SELECT * FROM " . $members . " WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);

// mysql_num_rows counts the matching table rows
$count = mysql_num_rows($result);

// If the result matched $myusername and $mypassword, there must be exactly 1 row
if ($count == 1) {
    // Store $myusername and $mypassword in the session and redirect to "index.php"
    // (session_register() is deprecated; writing to $_SESSION does the same thing)
    $_SESSION['myusername'] = $myusername;
    $_SESSION['mypassword'] = $mypassword;
    header("Location: index.php");
    exit;
}
else {
    // the error message / login form is shown here (rest of the file not included in the question)
}
?>
John Woo
Frank Kluytmans
    **Don't store passwords in plaintext!** (Or use the old `mysql_` functions, for that matter.) Look into PHPass for password storage and PDO/mysqli for database access. – DCoder May 16 '13 at 07:42

4 Answers

7

Use BINARY:

WHERE BINARY username = BINARY '$myusername' AND
      BINARY password = BINARY '$mypassword'

As a side note, the query is vulnerable to SQL injection if the value(s) of the variables came from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of using single quotes around values.

John Woo
  • I rewrote my query like this: $sql="SELECT * FROM " .$members. " WHERE BINARY username= BINARY '$myusername' and BINARY password= BINARY '$mypassword'"; but that doesn't work.. What am I doing wrong? – Frank Kluytmans May 16 '13 at 07:53
  • I was able to work out a solution based on your answer. Thank you! – Frank Kluytmans May 16 '13 at 08:23
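The following is an added example, not code from the question or from any of the answers. It puts together what the accepted answer's side note and DCoder's comment recommend: a prepared statement with bound parameters instead of string interpolation, and a stored password hash instead of the plaintext password. Because password_hash() and password_verify() work on the exact bytes entered, a differently-cased password can never verify, so the collation question disappears for the password column; for the username the example relies on an assumed binary collation on the column rather than the per-query BINARY cast. Everything named here is assumed: PDO with the MySQL driver (PHP 5.5 or later for password_hash()), a `members` table with the columns in the comment, and a config.php that defines `$dsn`, `$dbUser` and `$dbPass`.

```php
<?php
// Added example (not from the question or any answer on the page).
//
// Assumed schema (MySQL). The column collation is what makes the username
// comparison case-sensitive: utf8mb4_bin compares raw bytes, so a plain
// `WHERE username = ?` distinguishes 'AdMin' from 'admin' and can still use
// the index. The per-query `WHERE BINARY username = ...` form from the
// accepted answer works as well, but wrapping the column in a cast means
// MySQL cannot use an index on that column.
//
//   CREATE TABLE members (
//       id            INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
//       username      VARCHAR(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL UNIQUE,
//       password_hash VARCHAR(255) NOT NULL
//   );

require 'config.php'; // assumed to define $dsn, $dbUser, $dbPass

$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Registration: never store the plaintext. password_hash() salts the value
// and hashes the exact bytes given, so 'My43sGG' and 'my43sgg' end up with
// hashes that verify only against their own input.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the account up by username with a bound parameter (no quoting,
// no stripslashes, no mysql_real_escape_string), then check the password
// with password_verify(), which is a byte-exact, constant-time comparison.
// Returns the account id on success, null on failure.
function login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    return (int) $row['id'];
}

session_start();
$username = $_POST['myusername'] ?? '';
$password = $_POST['mypassword'] ?? '';

$userId = login($pdo, $username, $password);
if ($userId === null) {
    http_response_code(401);
    echo 'Wrong username or password.';
    exit;
}

session_regenerate_id(true);    // new session id after login, against session fixation
$_SESSION['user_id'] = $userId; // keep the account id in the session, never the password
header('Location: index.php');
exit;
```

With this layout the case check costs nothing extra: the hash comparison is byte-exact by construction, and the username comparison is decided once by the column's collation instead of being repeated in every query.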
3

Not relevant to the question, but it would be better if you AES-encrypted the password with itself as the shared secret and looked up the AES-encrypted string in the database. I would imagine that would also resolve the issue, as they would differ if encrypted with a different case.

Matt Bucci
0

You can write a custom function to validate it like this:

// Returns true if the string contains at least one ASCII uppercase letter.
// (preg_match() returns 1 on a match and 0 on no match.)
function isPartUppercase($string) {
    return preg_match("/[A-Z]/", $string) === 1;
}
chandresh_cool
-2

Try this one:

<?php
session_start();
$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {

    $userId   = $_POST['txtUserId'];
    $password = $_POST['txtPassword'];
    require_once("db_fns.php");
    db_connect();

    // note: the raw POST values are interpolated straight into the query
    $sql = "SELECT *
            FROM adminuser
            WHERE username = '$userId' AND password = '$password'";

    $result = mysql_query($sql) or die('Query failed. ' . mysql_error());

    $row   = mysql_fetch_array($result);
    $admin = $row['username'];
    // print $admin;
    if (mysql_num_rows($result) == 1) {

        $_SESSION['db_is_logged_in'] = true;

        $_SESSION['admin'] = $admin;

        header('Location: main.php');
        exit;
    } else {
        $errorMessage = 'Sorry, wrong user id / password';
    }

}
?>
HamZa
imran001