
It is a login form with only username and password. It works well but I want my information to be case sensitive. For example, my database username is: David and password: PooPoo. Although if I insert user name: daVid and password: PoOPOo, it parses the form.

My code looks like this:

<?php 
    session_start();
    if (isset($_SESSION["manager"])) {
        header("location: index.php"); 
        exit();
    }
?>
<?php 
    if (isset($_POST["username"]) && isset($_POST["password"])) {

        $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); 
        $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); 
        include "../storescripts/connect_to_mysql.php"; 
        $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
        $existCount = mysql_num_rows($sql); // count the row nums

        if ($existCount == 1) { // evaluate the count
             while($row = mysql_fetch_array($sql)){ 
                 $id = $row["id"];
             }
             $_SESSION["id"] = $id;
             $_SESSION["manager"] = $manager;
             $_SESSION["password"] = $password;
             header("location: index.php");
             exit();     
        }else{
            print '<script type="text/javascript">'; 
            print 'alert("wrong info")'; 
            print '</script>'; 
        }            
    }
?> 

My validation script

<script type="text/javascript" language="javascript"> 
    function validateMyForm ( ) { 
        var isValid = true;
        if ( document.adminlogin.username.value == "" ) { 
            alert ( "Please enter your username" ); 
            isValid = false;
        } else if ( document.adminlogin.password.value == "" ) { 
            alert ( "Please enter password" ); 
            isValid = false;            
        }
        return isValid;
    }
</script>

Where is my error please?

Jaak Kütt
I-ly Bwoy
  • Excellent password choice... but why are you storing it as clear text in your db? – FatalError Sep 07 '13 at 17:43
  • Duplicate: http://stackoverflow.com/questions/5629111/how-can-i-make-sql-case-sensitive-string-comparison-on-mysql – Ryan Wheale Sep 07 '13 at 17:52
  • Your `username` and `password` columns are case insensitive, or they inherit their encoding from the table. Check if the encoding you are using ends with `ci`. – Sergiu Paraschiv Sep 07 '13 at 17:52
  • Passwords should never be stored plaintext, just store hashes of them. In PHP there is a function [password_hash](http://php.net/manual/en/function.password-hash.php) just for generating secure hashes. Use this function with the entered unchanged password, and your passwords will be case sensitive. – martinstoeckli Sep 08 '13 at 11:40

2 Answers

0

I think the error is worrying about case sensitivity in the first place. Insisting that passwords be case sensitive is usually overstated. Yes, it adds strength to a password of a given length, but so does increasing that length. In both cases the password becomes a bit harder to remember, but the mixed case password is probably easier to spy on.

Leaving the caps lock on is so common that many sign-in screens (e.g., Windows) now provide some kind of warning. Rejecting a password because the caps lock is on gives a grand total of 1 extra bit of entropy out of a typical 40 to 80 bits, but in return it gives the disgruntled co-worker next to you one more chance to see you type it in. If you are typing in 'PooPoo' (2 letters next to each other on the keyboard) they might even be able to catch this one just by listening to keyboard clicks or looking for finger smudges on a touch screen.

Mixed case passwords and the inconvenience they create for users make most of us slow down and become very deliberate in the way we type. I have seen many touch typists resort to the 2-finger approach because of the awkwardness of toggling between cases (even worse on most phones), making it super easy to spy on.

Petter Friberg
DaveWalley
-3

Well, you should use the md5() function to store your user's password (and do the same on the validation). Since md5() is case sensitive by itself it will automatically do the job.

md5()

With this you'll be solving your case problem, and making your password storing safer.

Community
Gonzalo Acosta
  • That would be a big fail in using md5. It's case sensitive so two hashes differing only by one upper/lowercase letter would represent a collision. One point of choosing between hashing algorithms is to avoid collisions. Also that's not his problem. He won't solve anything. As I said, two hashes differing only by the case of a character would be treated by the database as equal. – Sergiu Paraschiv Sep 07 '13 at 17:55
  • 1
    And another - because MD5 should not be used for passwords. Use bcrypt or pbkdf2 – JimL Sep 07 '13 at 17:56
  • @SergiuParaschiv: What you're saying makes no sense. The output of the MD5 function is a hex string. It doesn't contain multiple cases of characters at all. –  Sep 07 '13 at 17:57
  • @SergiuParaschiv The result of md5 is usually converted to text as the hex encoding of the digest. Whether uppercase or lowercase hex digits are used is irrelevant. I think the point here is that the input to the hash is case sensitive, in that different casings of the same password will have different hashes. That said, md5 is not a great choice since it's been compromised. – FatalError Sep 07 '13 at 17:58
  • I know upper/lowercase make the hash change, that's why i suggested that. He said "It works well but i want my information to be case sensitive", and since for security reasons it would be better for him to have his passwords encrypted, I suggested it, but I don't actually understand why doesn't this solve his problem. Can you explain? – Gonzalo Acosta Sep 07 '13 at 17:59
  • Yeah, did you read his answer? "Since md5() is case sensitive". By his words his own solution would be wrong. I think his answer makes no sense. You should have said "Since md5() generates different hashes for different cases". – Sergiu Paraschiv Sep 07 '13 at 18:01
  • I was referring to the fact that "foo" produces a different output than "FoO"... I'm sorry if I said it wrong. – Gonzalo Acosta Sep 07 '13 at 18:02
  • I'm sorry if I misunderstood his problem, I always used that to store and retrieve passwords (in a case sensitive way). Maybe it's just not the right way, looks like I've learned something today too – Gonzalo Acosta Sep 07 '13 at 18:06
  • 1
    @GonzaloAcosta - Using MD5 and storing the hash (however it is encoded), would indeed solve the OP's problem, you are right there. Using MD5 to hash passwords is another problem though, MD5 is ways too fast to hash passwords, nowadays you can calculate about [8 Giga](http://hashcat.net/oclhashcat-lite/#performance) hashes per second with common hardware. That's why one should use a slow key-derivation function like BCrypt to hash passwords. – martinstoeckli Sep 08 '13 at 15:15
  • @martinstoeckli Wow that's a pretty useful table. Always trusted the fact of MD5 being impossible to turn backwards with simple methods. Thanks a lot for the info, I guess I'll start using it for sure. – Gonzalo Acosta Sep 08 '13 at 22:13
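Putting the comment advice together (password_hash from the question's comments, the md5-versus-bcrypt discussion under this answer), here is an added example that is not the asker's or any answerer's code. It assumes PHP 7.1 or newer, uses a constructed in-memory array in place of the `admin` table, and the `$pdo` connection mentioned in the comments is assumed, not shown.

```php
<?php
// Added example, not the asker's or any answerer's code: the comparison that
// decides "case sensitive" is password_verify() in PHP, not the MySQL column
// collation, so 'PoOPOo' can never pass for 'PooPoo'.
declare(strict_types=1);

// Constructed stand-in for the `admin` table: username => ['id', 'password'].
// In the real app the row comes from a prepared statement, e.g.
//   $stmt = $pdo->prepare('SELECT id, password FROM admin WHERE username = ? LIMIT 1');
//   $stmt->execute([$username]);   // $pdo is an assumed PDO connection
function storeAdmin(array &$table, string $username, string $password): void
{
    // Hash the password exactly as typed (no preg_replace stripping first);
    // bcrypt via PASSWORD_DEFAULT is salted and deliberately slow.
    $table[$username] = [
        'id'       => count($table) + 1,
        'password' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

function checkLogin(array $table, string $username, string $password): ?int
{
    // Array keys are compared byte-for-byte, so 'daVid' does not find 'David'.
    // For a MySQL lookup give the username column a *_bin collation to match.
    $row = $table[$username] ?? null;
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;   // unknown user or wrong password, case differences included
    }
    return $row['id'];
}

$admins = [];
storeAdmin($admins, 'David', 'PooPoo');

// Only the exact username and exact password from the question should be accepted.
foreach ([['David', 'PooPoo'], ['David', 'PoOPOo'], ['daVid', 'PooPoo']] as [$u, $p]) {
    $id = checkLogin($admins, $u, $p);
    echo "$u / $p => ", $id === null ? 'rejected' : "admin id $id", PHP_EOL;
}
```

Because the hash is verified in PHP, the password column's collation no longer matters, and the session should then hold only the id and username, never the password.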