Making a login Case Sensitive

Posted: Sat Mar 18, 2006 6:20 pm
by sampage
Hi Everyone,

I'm new to the forum and am still a basic PHP programmer.

How do I make sure that when the PHP script matches the username against the username in the database, it is case sensitive? At the moment it matches anything, which later on causes problems with the Sessions. I need to create an exact match.

Any advice I would be really grateful for!

Posted: Sat Mar 18, 2006 6:22 pm
by feyd
That would depend on how you're doing the match. The quick and dirty way when dealing with databases (that can do it) is set the field to BINARY.

Posted: Sat Mar 18, 2006 6:28 pm
by Buddha443556
Are you doing the comparison in PHP? Or using a database query? Some code might help.

Posted: Sat Mar 18, 2006 6:32 pm
by sampage
feyd | Please use code tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Sorry, I should have explained further.

The user enters a username in a form. This then posts to a logincheck.php page and runs this algorithm.

Code: Select all

$username = $_POST['usernm']; /* Output username and password into simple variables */
$password = $_POST['userpw'];

// strip away any dangerous tags
$username = strip_tags($username);
$password = strip_tags($password);

// add slashes to stop hacking
$username = addslashes($username);
$password = addslashes($password);

// hash password into sha1
$password = sha1($password);

/* SQL statement to query the database */
$query = "SELECT user_name, user_pass, user_number FROM usr_table WHERE user_name = '$username' AND user_pass = '$password'";
/* query the database */
$result = mysql_query($query);

/* Allow access if a matching record was found, else deny access. */
if (mysql_fetch_row($result))
{
  $_SESSION["sessionusername"] = $username;
  $_SESSION["sessionuserpass"] = $password; // the SHA-1 hash computed above
  $_SESSION["sessionlogged_in"] = "true";

  // Update last login information.
  $sql = mysql_query("UPDATE usr_table SET user_lastlogin = now() WHERE user_name='$username'")
    or die(mysql_error());

  include 'complete.php';
}
Hope that sheds more light on the problem! :)


Posted: Sun Mar 19, 2006 5:12 am
by sampage
Sorry for not posting the code correctly, I'll make a note to do it properly from now on.

Does anyone have any idea how to make the username match case sensitive?

Posted: Sun Mar 19, 2006 6:26 am
by Buddha443556
BINARY as Feyd said. You'll need to use the BINARY operator in the query (type casting) or change your database table making the column BINARY (this means different things in different versions of MySQL DB).

http://dev.mysql.com/doc/refman/4.1/en/ ... ry-op.html
http://dev.mysql.com/doc/refman/4.1/en/ ... inary.html

Posted: Sun Mar 19, 2006 6:30 am
by sampage
Thank you very much, works perfectly and much easier than I predicted! :)

Posted: Sun Mar 19, 2006 10:40 am
by John Cartwright
FYI, addslashes() is not as effective as mysql_real_escape_string(), considering the mysql_* function escapes more than just quotes..

Posted: Sun Mar 19, 2006 7:18 pm
by duk
Is it a good practice having a case-sensitive login?

In my case I use strtolower and then check in the database... for me it is better; you can have just one duk, and not Duk or dUk, duK, dUK etc...

Posted: Sun Mar 19, 2006 8:06 pm
by Roja
duk wrote: Is it a good practice having a case-sensitive login?

In my case I use strtolower and then check in the database... for me it is better; you can have just one duk, and not Duk or dUk, duK, dUK etc...

It all depends on the application, and your goals. Having case sensitivity increases the number of potential accounts, which can be ideal (think of AIM or gmail logins!). Of course, as you mention, it can also confuse the situation.

It all depends. :)

Posted: Mon Mar 20, 2006 8:15 am
by sampage
My account login is different to the user name. By informing people upon registration that the login name is case sensitive I hope it encourages people to actively remember their login names etc...

Still not sure, I'll see how it goes and report back!

Posted: Mon Mar 20, 2006 10:24 am
by John Cartwright
Typically the number of accounts shouldn't be a concern unless you have a user base like gmail. If you are going to do it, remind them when they are logging in that their name and password are case sensitive, at least.

Posted: Mon Mar 20, 2006 1:45 pm
by Buddha443556
duk wrote: Is it a good practice having a case-sensitive login?

In my case I use strtolower and then check in the database... for me it is better; you can have just one duk, and not Duk or dUk, duK, dUK etc...

This isn't only about case sensitivity because, like PHP, MySQL DB also converts strings to numbers during comparisons. So it's kind of important that either the DB column or the query takes that into account when comparing passwords or usernames.
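
The BINARY fix recommended earlier in the thread and the string-to-number comparison mentioned in the post above, as an added example that is not part of the original posts. It is a MySQL script over constructed rows: the table and column names come from the query posted in the thread, while the sample names and passwords, the key name uq_user_name and the statement name login are assumptions, as is MySQL 5.5.3 or later with a scratch database.

```sql
-- Constructed sample data; table and column names follow the query in the thread.
-- Assumes MySQL 5.5.3 or later (for utf8mb4) and a scratch database.
DROP TABLE IF EXISTS usr_table;
CREATE TABLE usr_table (
  user_number INT AUTO_INCREMENT PRIMARY KEY,
  user_name   VARCHAR(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
  user_pass   CHAR(40) NOT NULL,             -- SHA-1 hex digest, as in the thread
  UNIQUE KEY uq_user_name (user_name)        -- hypothetical key name
);
INSERT INTO usr_table (user_name, user_pass) VALUES
  ('SamPage', SHA1('constructed-password-1')),
  ('duk',     SHA1('constructed-password-2'));

-- 1. Case-insensitive (_ci) collation: the lowercase spelling finds 'SamPage'.
SELECT user_name FROM usr_table WHERE user_name = 'sampage';

-- 2. BINARY operator in the query: the comparison becomes byte-for-byte,
--    so the lowercase spelling no longer matches and the exact spelling does.
SELECT user_name FROM usr_table WHERE user_name = BINARY 'sampage';
SELECT user_name FROM usr_table WHERE user_name = BINARY 'SamPage';

-- 3. String-to-number conversion: comparing against an unquoted number makes
--    MySQL convert each name to a number. Names without leading digits become 0,
--    so this matches every row in the sample data.
SELECT user_name FROM usr_table WHERE user_name = 0;

-- 4. Binding the input as string parameters keeps both comparisons string
--    comparisons; BINARY makes each one byte-for-byte.
PREPARE login FROM
  'SELECT user_number FROM usr_table
    WHERE user_name = BINARY ? AND user_pass = BINARY ?';
SET @name = 'SamPage', @pass = SHA1('constructed-password-1');
EXECUTE login USING @name, @pass;
DEALLOCATE PREPARE login;

-- 5. Column-level alternative: a binary (_bin) collation makes every comparison
--    on user_name, and the unique key, case-sensitive without a cast.
ALTER TABLE usr_table
  MODIFY user_name VARCHAR(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL;
SELECT user_name FROM usr_table WHERE user_name = 'sampage';
```

Applying the cast to the column instead (BINARY user_name = ...) also gives a case-sensitive match, but the MySQL manual notes that casting an indexed column can stop the index from being used efficiently.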

Encrypt your passwords

Posted: Mon Mar 20, 2006 3:17 pm
by tomprogers
In truth, you ought to encrypt passwords before storing them in a database. One-way hashing (like MD5 or SHA1) is case-sensitive.