Password from database

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

shafiq2626
Forum Commoner
Posts: 88
Joined: Wed Mar 04, 2009 1:54 am
Location: Lahore

Password from database

Post by shafiq2626 »

Hi!
I have a password value PPssPP in the password field. The PP are in upper case.
When I try to log in I give ppsspp, all words in lowercase, but this is accepted by the PHP code. It should be checked that the actual value has upper case words also.
Can anyone help to solve this matter?
Thanks
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: Password from database

Post by s.dot »

MySQL does not compare cases if you select "WHERE `password` = '$password'" in the query. If you hash the password it will be case sensitive.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Password from database

Post by flying_circus »

s.dot wrote: MySQL does not compare cases if you select "WHERE `password` = '$password'" in the query.
It does if the datatype is binary :)
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Password from database

Post by twinedev »

shafiq2626
Forum Commoner
Posts: 88
Joined: Wed Mar 04, 2009 1:54 am
Location: Lahore

Re: Password from database

Post by shafiq2626 »

s.dot wrote: MySQL does not compare cases if you select "WHERE `password` = '$password'" in the query. If you hash the password it will be case sensitive.
How do I set the hash, like this '/$password/'?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Password from database

Post by John Cartwright »

Case sensitivity is determined by the character set chosen. Anything that ends in _ci is case insensitive.
shafiq2626
Forum Commoner
Posts: 88
Joined: Wed Mar 04, 2009 1:54 am
Location: Lahore

Re: Password from database

Post by shafiq2626 »

Hi!
The password will be accepted as case sensitive when, at the time you make the login table and create the password field, the Collation is latin1_general_cs.
This is the best solution.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Password from database

Post by flying_circus »

shafiq2626 wrote: Hi!
The password will be accepted as case sensitive when, at the time you make the login table and create the password field, the Collation is latin1_general_cs.
This is the best solution.
The best solution is to do what s.dot suggested and hash your passwords. I can't tell from the information that you've given us, but storing passwords in plain text is not a bright idea. Use a strong algorithm such as sha512, a random salt, and preferably a pepper.
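
What hashing changes for the case problem in this thread, as an added example that is not part of any post above: the row is looked up by user name only and the derived key is compared byte for byte in PHP, so the column collation never decides whether `ppsspp` matches `PPssPP`. It uses PBKDF2 over SHA-512 with a random salt and an HMAC pepper rather than a single sha512 call; `PEPPER`, `ITERATIONS`, the record format, the function names and the `$users` array are assumptions made for the example.

```php
<?php
// Added example; not code from the thread.
// Assumptions: PEPPER is a server-side secret kept outside the database,
// ITERATIONS is a work factor to tune, $users stands in for the users table.
const PEPPER = 'constructed-pepper-value';
const ITERATIONS = 210000;

// Build the string stored in the password column: iterations$salt$key (hex).
function make_password_record(string $password): string
{
    $salt = random_bytes(16);                                   // random per-user salt
    $peppered = hash_hmac('sha512', $password, PEPPER, true);   // apply the pepper
    $key = hash_pbkdf2('sha512', $peppered, $salt, ITERATIONS, 64, true);
    return ITERATIONS . '$' . bin2hex($salt) . '$' . bin2hex($key);
}

// Recompute the key from the submitted password and compare it in PHP.
function verify_password(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 3
        || !ctype_digit($parts[0]) || (int) $parts[0] < 1
        || !ctype_xdigit($parts[1]) || strlen($parts[1]) !== 32
        || !ctype_xdigit($parts[2]) || strlen($parts[2]) !== 128) {
        return false;                                           // malformed record: fail closed
    }
    $peppered = hash_hmac('sha512', $password, PEPPER, true);
    $key = hash_pbkdf2('sha512', $peppered, hex2bin($parts[1]), (int) $parts[0], 64, true);
    return hash_equals(hex2bin($parts[2]), $key);               // constant-time, byte-exact
}

// Constructed sample row, keyed by user name (the only value used for lookup).
$users = ['alice' => make_password_record('PPssPP')];

foreach (['PPssPP', 'ppsspp'] as $attempt) {
    $record = $users['alice'] ?? null;
    $ok = $record !== null && verify_password($attempt, $record);
    echo $attempt, ' => ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

The stored record contains only digits, `$` and hex characters, and it is never used in a `WHERE` comparison against user input.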