
I built a register and login form, but I have a problem: my password is accepted with both lower-case and upper-case letters. Can anyone tell me how to fix this issue? This is my confirm register code below. Is it compulsory to hash the password before it works? I am a newbie in PHP.

<?php
if (isset($_POST['register'])) {
    // $connection is the mysqli link opened earlier in the page (assumed here)
    $username  = trim(mysqli_real_escape_string($connection, $_POST['username']));
    $lastname  = trim(mysqli_real_escape_string($connection, $_POST['lastname']));
    $email     = trim(mysqli_real_escape_string($connection, $_POST['email']));
    $password  = trim(mysqli_real_escape_string($connection, $_POST['password']));
    $password1 = trim(mysqli_real_escape_string($connection, $_POST['password1']));

    // check whether this email address is already registered
    $sql = "SELECT email FROM users WHERE email='$email'";
    // $mysqli was never defined here; report the error from $connection instead
    $result = mysqli_query($connection, $sql) or die(mysqli_error($connection));
    if ($result->num_rows > 0) {
        echo '
        <script type="text/javascript">
            alert("Email Address already exists");
            window.location.href = "register.php";
        </script>';
        exit();
    } else {
        if ($password === $password1) {
            // add the user if the passwords match
            // (the plain-text password is inserted; hashing is discussed in the comments and answer)
            $query = "INSERT INTO users(firstname, lastname, email, pass)
                      VALUES ('{$username}','{$lastname}', '{$email}', '{$password}')";
            $runNewUser = mysqli_query($connection, $query);
            if ($runNewUser) {
                echo '
                <script type="text/javascript">
                    window.location.href = "getmessage.php";
                </script>';
            } else {
                echo '
                <script type="text/javascript">
                    alert("Error creating user. Please try again");
                </script>';
            }
        } else {
            // trigger an error if the passwords do not match
            echo '
            <script type="text/javascript">
                alert("Passwords do not match. Please try again");
            </script>';
        }
    }
}
?>

And this is my confirm login code below:

<?php
// session_start() must have been called earlier in the page for $_SESSION to work (assumed here)
if (isset($_POST['ulogin'])) {
    $email = trim(mysqli_real_escape_string($connection, $_POST['email']));
    $pass  = trim(mysqli_real_escape_string($connection, $_POST['pass']));
    // the submitted password is compared by the database itself
    $checkUser = "
        SELECT * FROM users
        WHERE email = '{$email}'
        AND pass = '{$pass}'
    ";
    $runCheck = mysqli_query($connection, $checkUser);
    if (mysqli_num_rows($runCheck) == 1) {
        $foundUser = mysqli_fetch_array($runCheck);
        $_SESSION['uid']   = $foundUser['id'];
        $_SESSION['uname'] = $foundUser['firstname'];
        $_SESSION['email'] = $foundUser['email'];
        echo '
        <script type="text/javascript">
            window.location.href = "dailymessage.php";
        </script>';
    } else {
        echo '
        <script type="text/javascript">
            alert("Email address / Password incorrect. Please try again");
        </script>';
    }
}
?>

Any help will be appreciated.

Dharman
Ginger
  • You must always hash passwords. – SLaks Aug 09 '18 at 20:28
  • Are you storing passwords in plain text O_O? – Kisaragi Aug 09 '18 at 20:28
  • MySQL treats strings as case insensitive by default, which is just one reason why you should never store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Aug 09 '18 at 20:30
  • Do you mean your password matches regardless of the case, or you want to require only lowercase/uppercase characters for passwords? You should be hashing; hashes will evaluate differently for upper/lower. – user3783243 Aug 09 '18 at 20:31
  • Also, don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Aug 09 '18 at 20:31
  • Alex Howansky, I have hashed all passwords using password_hash(), but when I tried to log in it echoed email/password incorrect despite it being correct. Should I change my confirm login code above? – Ginger Aug 10 '18 at 15:11

1 Answer

By default, MySQL is case insensitive. After the following line

`if ($password === $password1){`

if the condition returns true (which means that the two passwords match), you should hash your `$password` like this:

`$hash = password_hash($password, PASSWORD_DEFAULT);`

and in this line

`VALUES ('{$username}','{$lastname}', '{$email}', '{$password}') ";`

use the `$hash` variable, which contains your hashed password, like this:

`VALUES ('{$username}','{$lastname}', '{$email}', '{$hash}') ";`

The second parameter of the hashing function, `PASSWORD_DEFAULT`, is the hashing algorithm. The default algorithm is currently bcrypt, but a stronger algorithm may be added as the default at some point in the future and may generate a larger string. If you are using `PASSWORD_DEFAULT` in your projects, be sure to store the hash in a column whose capacity is beyond 60 characters. Setting the column size to 255 might be a good choice. You could also use `PASSWORD_BCRYPT` as the second parameter. In this case the result will always be 60 characters long.

So for your login, when you provide the password, you should compare it with its hashed version which is in the database. So you first put the POST variable in a variable `$password` and then you create another variable `$hash = password_hash($password, PASSWORD_DEFAULT);` to generate the hashed version and for checking. Remember that you store the hashes in a database, but it's the plain password that you get when a user logs in. The `password_verify()` function takes a plain password and the hashed string as its two arguments. It returns true if the hash matches the specified password.

// $password is the plain text the user just submitted;
// $hash is the stored value fetched from the users table for that email
if (password_verify($password, $hash)) {
    // Success!
} else {
    // Invalid credentials
}

For more information you can read this topic.

Christian LSANGOLA
  • jochri3, I have updated the confirm register page by hashing my password, but when I try to log in using the email address and password it gives me the error email/password incorrect despite my typing the right email and password. – Ginger Aug 10 '18 at 15:05
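A complete version of what the comments and the answer describe, added here as an example and not code from the question or the answer: registration stores a `password_hash()` result, login fetches the row by email only and checks the submitted password with `password_verify()` in PHP, and every query is a prepared statement with bound parameters. It also reproduces the original symptom from the question, a plain-text password compared by SQL under a case-insensitive collation matching regardless of case. The table name and columns (`users`: `id`, `firstname`, `lastname`, `email`, `pass`) follow the question; the function names, the sample users and the DSN are assumptions. It uses PDO against an in-memory SQLite database so it runs offline, with SQLite's `COLLATE NOCASE` standing in for MySQL's default `_ci` collation.

```php
<?php
// Added example (not code from the question or the answer).
// Table name and columns (users: id, firstname, lastname, email, pass) follow the
// question; the function names, the sample users and the DSN are assumptions.
// Runs against an in-memory SQLite database so it works offline. SQLite's
// COLLATE NOCASE stands in for MySQL's default case-insensitive (_ci) collation;
// for the real site, pass a mysql: DSN to new PDO() and drop openDemoDb().
declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // In MySQL make pass VARCHAR(255): PASSWORD_DEFAULT output may grow beyond 60 chars.
    $db->exec('CREATE TABLE users (
        id        INTEGER PRIMARY KEY AUTOINCREMENT,
        firstname TEXT NOT NULL,
        lastname  TEXT NOT NULL,
        email     TEXT NOT NULL UNIQUE COLLATE NOCASE,
        pass      TEXT NOT NULL COLLATE NOCASE
    )');
    return $db;
}

// Registration: refuse a duplicate email, then store only the hash.
// Returns true on success or an error message string.
function registerUser(PDO $db, string $firstname, string $lastname,
                      string $email, string $password, string $confirm)
{
    if ($password !== $confirm) {
        return 'Passwords do not match';
    }
    $stmt = $db->prepare('SELECT 1 FROM users WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() !== false) {
        return 'Email address already exists';
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (firstname, lastname, email, pass) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$firstname, $lastname, $email, $hash]);
    return true;
}

// Login: fetch the row by email only, then let password_verify() compare in PHP.
// The password must not appear in the WHERE clause: the column holds a hash, so
// SQL equality never matches, which is the "email/password incorrect" symptom.
function loginUser(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, firstname, email, pass FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null; // same result for an unknown email and a wrong password
    }
    unset($row['pass']); // the hash stays inside the auth layer
    return $row;         // the fields the original code copied into $_SESSION
}

// The original scheme, kept only for comparison: plain-text password compared by SQL.
function plainTextLoginMatches(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE email = ? AND pass = ?');
    $stmt->execute([$email, $password]);
    return (int) $stmt->fetchColumn() === 1;
}

$db = openDemoDb();

// 1. Reproduce the symptom: a plain-text password stored in a _ci column is
//    matched by the wrong-case password as well.
$db->prepare('INSERT INTO users (firstname, lastname, email, pass) VALUES (?, ?, ?, ?)')
   ->execute(['Ann', 'Example', 'ann@example.test', 'Secret123']);
var_dump(plainTextLoginMatches($db, 'ann@example.test', 'secret123'));

// 2. The fixed flow: hash on register, verify on login; case now matters and
//    the stored hash can no longer be matched by SQL equality.
var_dump(registerUser($db, 'Bob', 'Example', 'bob@example.test', 'Secret123', 'Secret123'));
var_dump(registerUser($db, 'Bob', 'Example', 'bob@example.test', 'Secret123', 'Secret123'));
var_dump(loginUser($db, 'bob@example.test', 'secret123'));
var_dump(loginUser($db, 'bob@example.test', 'Secret123'));
var_dump(plainTextLoginMatches($db, 'bob@example.test', 'Secret123'));
```

Looking the row up by email alone and verifying in PHP is also what resolves the follow-up comment: once `pass` holds a `password_hash()` output, a query with `AND pass = '{$pass}'` can never be true, so every login fails until the comparison moves to `password_verify()`. Returning the same `null` for an unknown email and a wrong password keeps the error message from revealing which accounts exist.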