• Status: Solved

Case sensitive login

I have a PHP login code with a MySQL backend.  Unfortunately the original developer has moved on and I need to make a change.  The username is the email address but currently the field is case sensitive.  I need to remove this error checking so that it's not.  I cannot find anywhere any reference to error checking that makes it case sensitive.  I am starting to wonder, is it case sensitive by default?  Can you shed some light on this and offer some suggestions to fix this?
pda4me
Asked:
3 Solutions
 
Roonaan Commented:
You could change your query to use

$query = 'SELECT .... FROM ... WHERE lower(emailFieldName) = "'.mysql_real_escape_string(strtolower($email)).'"';

That would probably be the easiest approach.

MySQL can be case sensitive by default. If my memory serves me well, it depends on the collation settings of your tables and fields.

-r-
 
pda4me Author Commented:
The login form does post to the following page, but I do not see where it checks for case sensitivity?

<?php
      session_start();
      include "mydb.php";
      $myConn            = dbConnect();
      if(!$myConn)      header("Location: ../login.php?errCode=-3");
      
      $username      = $_REQUEST['username_txt'];
      $passcode      = $_REQUEST['password_txt'];

      //setcookie("logStatus","");setcookie("logStatus","Logged");
      $sql="";
      $sql="SELECT * FROM tbl_clients
                  WHERE email = '$username'";
                  
      $logResult      = mysql_query($sql,$myConn);
      if(mysql_num_rows($logResult)>0){
            $uMatch=0;
            while($userDet = mysql_fetch_array($logResult)){
                   $user=$userDet['email'];
                   $pass=$userDet['passwords'];
                   if($user==$username && $pass==$passcode){
                         $uMatch            =1;
                        $clientid      =$userDet['clientid'];
                        break;
                   }
            }
            if($uMatch==1){
                  $_SESSION['clientid']=$clientid;
                  $_SESSION['uemail']=$user;
                  //print_r ($_COOKIE);
                  header("Location: ../profile.php");
            }else{
                  header("Location: ../login.php?errCode=-2");
            }            
      }else{
            header("Location: ../login.php?errCode=-1");
      }
?>
 
Roonaan Commented:
Note that your query is a possible MySQL SQL injection vulnerability.
Please use mysql_real_escape_string.

      $sql="SELECT * FROM tbl_clients
                  WHERE email = '".mysql_real_escape_string($username)."'";

 
pda4me Author Commented:
Thanks Roonaan!
I am very new at this, can you provide an example of the code I need to alter based on the sample I provided that would fix the case sensitive issue and sql injection?

 
Roonaan Commented:
     $sql="SELECT * FROM tbl_clients
                  WHERE lowe(email) = '".mysql_real_escape_string(strtolower($username))."'";

Kind regards

-r-
 
pda4me Author Commented:
Hmmm... okay, I updated that line and have a test account called test@gmail.com

I tried logging in as Test@gmail.com with the T uppercase and it's still not letting me in?
 
Roonaan Commented:
What does echo $sql provide you with? (Strip out any password part when posting.)
 
pda4me Author Commented:
Sorry Roonaan, can you be more specific on what to remove? I do not understand.
 
Roonaan Commented:
Sorry for being unclear.

I just was wondering what your $sql variable contains.

However, when posting the query on EE, please make sure to not have any password details in your posting.

Kind regards

-r-
 
MasonWolf Commented:
It's right here:
if($user==$username && $pass==$passcode)

Just change to:
if(strtolower($user)==strtolower($username) && $pass==$passcode)
 
jmcfeed Commented:
Hello,

Roonaan's replacement code has an error. This is the fixed one:

     $sql="SELECT * FROM tbl_clients
                  WHERE lower(email) = '".mysql_real_escape_string(strtolower($username))."'";

Hope this will fix your issue.

Regards,

jmcfeed
 
MasonWolf Commented:
I don't think MySQL searches are case-sensitive on any version of MySQL, but you might be able to be a little more certain by using 'LIKE' instead of '='.

PHP is where the case-sensitivity is introduced, and that's why you need to fix your conditional statement.

As for Roonaan's point about security, he's absolutely right. See http://xkcd.com/327/ to learn why.
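
The two fixes discussed in this thread (keeping user input out of the SQL text, and matching the e-mail without regard to case) combined in an added example; it is not code from the original site or from any poster. It uses PDO prepared statements because the mysql_* functions were removed in PHP 7, and it assumes an in-memory SQLite database with constructed rows and a passwords column that holds password_hash() output.

```php
<?php
// Added example, not the original site's code. PDO with in-memory SQLite so
// it runs offline; against MySQL only the DSN and credentials change.
// Table and column names follow the thread; the rows are constructed.

function find_client(PDO $db, string $email): ?array
{
    // The placeholder keeps user input out of the SQL text (no injection).
    // LOWER() on both sides makes the match independent of column collation.
    $stmt = $db->prepare(
        'SELECT clientid, email, passwords FROM tbl_clients
         WHERE LOWER(email) = LOWER(:email)'
    );
    $stmt->execute([':email' => trim($email)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, string $email, string $password): ?int
{
    $client = find_client($db, $email);
    // No second PHP-side comparison of the e-mail: the query already matched
    // it, and a case-sensitive == here is what rejects "Test@gmail.com".
    // Assumption: passwords holds password_hash() output, unlike the original.
    if ($client !== null && password_verify($password, $client['passwords'])) {
        return (int) $client['clientid'];
    }
    return null;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_clients
           (clientid INTEGER PRIMARY KEY, email TEXT, passwords TEXT)');
$ins = $db->prepare('INSERT INTO tbl_clients (email, passwords) VALUES (?, ?)');
$ins->execute(['test@gmail.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(login($db, 'Test@gmail.com', 'correct horse')); // mixed-case e-mail
var_dump(login($db, 'test@gmail.com', 'wrong'));         // wrong password
var_dump(login($db, "x' OR '1'='1", 'correct horse'));   // quote bound as data
```

On MySQL, wrapping the column in LOWER() keeps a plain index on email from being used for the lookup; giving the column a case-insensitive collation and comparing with a bare = avoids that.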
 
pda4me Author Commented:
Thanks everyone for your help!