Case sensitive login

I have a PHP login code with a MySQL backend. Unfortunately the original developer has moved on and I need to make a change. The username is the email address but currently the field is case sensitive. I need to remove this error checking so that it's not. I cannot find anywhere any reference to error checking that makes it case sensitive. I am starting to wonder, is it case sensitive by default? Can you shed some light on this and offer some suggestions to fix this?
Asked by: pda4me

Roonaan Commented:
     $sql="SELECT * FROM tbl_clients
                  WHERE lowe(email) = '".mysql_real_escape_string(strtolower($username))."'";

Kind regards

-r-

Roonaan Commented:
You could change your query to use

$query = 'SELECT .... FROM ... WHERE lower(emailFieldName) = "'.mysql_real_escape_string(strtolower($email)).'"';

That would probably be the easiest approach.

MySQL can be case sensitive by default. If my memory serves me well, it depends on the collation settings of your tables and fields.

-r-

pda4me (Author) Commented:
The login form does post to the following page, but I do not see where it checks for case sensitivity?

<?
      session_start();
      include "mydb.php";
      $myConn            = dbConnect();
      if(!$myConn)      header("Location: ../login.php?errCode=-3");
      
      $username      = $_REQUEST['username_txt'];
      $passcode      = $_REQUEST['password_txt'];

      //setcookie("logStatus","");setcookie("logStatus","Logged");
      $sql="";
      $sql="SELECT * FROM tbl_clients
                  WHERE email = '$username'";
                  
      $logResult      = mysql_query($sql,$myConn);
      if(mysql_num_rows($logResult)>0){
            $uMatch=0;
            while($userDet = mysql_fetch_array($logResult)){
                   $user=$userDet['email'];
                   $pass=$userDet['passwords'];
                   if($user==$username && $pass==$passcode){
                         $uMatch            =1;
                        $clientid      =$userDet['clientid'];
                        break;
                   }
            }
            if($uMatch==1){
                  $_SESSION['clientid']=$clientid;
                  $_SESSION['uemail']=$user;
                  //print_r ($_COOKIE);
                  header("Location: ../profile.php");
            }else{
                  header("Location: ../login.php?errCode=-2");
            }            
      }else{
            header("Location: ../login.php?errCode=-1");
      }
?>
Roonaan Commented:
Note that your query is a possible mysql sql injection vulnerability.
Please use mysql_real_escape_string.

      $sql="SELECT * FROM tbl_clients
                  WHERE email = '".mysql_real_escape_string($username)."'";


pda4me (Author) Commented:
Thanks Roonaan!
I am very new at this, can you provide an example of the code I need to alter based on the sample I provided that would fix the case sensitive issue and sql injection?


pda4me (Author) Commented:
Hmmm...okay, I updated that line and have a test account called test@gmail.com

I tried logging in as Test@gmail.com with the T uppercase and it's still not letting me in?

Roonaan Commented:
What does echo $sql provide you with? (Strip out any password part when posting.)

pda4me (Author) Commented:
Sorry Roonaan, can you be more specific on what to remove? I do not understand.

Roonaan Commented:
Sorry for being unclear.

I just was wondering what your $sql variable contains.

However, when posting the query on EE, please make sure to not have any password details in your posting.

Kind regards

-r-

MasonWolf Commented:
It's right here:
if($user==$username && $pass==$passcode)

Just change to:
if(strtolower($user)==strtolower($username) && $pass==$passcode)

jmcfeed Commented:
Hello,

Roonaan's replacement code has an error. This is the fixed one:

     $sql="SELECT * FROM tbl_clients
                  WHERE lower(email) = '".mysql_real_escape_string(strtolower($username))."'";

Hope this will fix your issue.

Regards,

jmcfeed

MasonWolf Commented:
I don't think MySQL searches are case-sensitive on any version of MySQL, but you might be able to be a little more certain by using 'LIKE' instead of '='.

PHP is where the case-sensitivity is introduced, and that's why you need to fix your conditional statement.

As for Roonaan's point about security, he's absolutely right. See http://xkcd.com/327/ to learn why.

pda4me (Author) Commented:
Thanks everyone for your help!
Question has a verified solution.
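
The two fixes discussed in this thread (a case-insensitive e-mail match and closing the SQL injection), combined as an added example that is not code from any participant. It uses a PDO prepared statement instead of mysql_real_escape_string, since the mysql_* functions were removed in PHP 7. The table and column names come from the posted script; the in-memory SQLite database, the sample account, the function name checkLogin and the use of password_hash()/password_verify() are assumptions made for illustration.

```php
<?php
// Added example: constructed data; in-memory SQLite stands in for the MySQL backend.
// With MySQL only the DSN and credentials passed to new PDO(...) change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_clients (clientid INTEGER PRIMARY KEY, email TEXT, passwords TEXT)');

// Constructed sample account. Assumption: the passwords column stores
// password_hash() output, not the plaintext the posted script compares.
$ins = $pdo->prepare('INSERT INTO tbl_clients (email, passwords) VALUES (?, ?)');
$ins->execute(['test@gmail.com', password_hash('s3cret-example', PASSWORD_DEFAULT)]);

/**
 * Returns the clientid on success, or null if e-mail or password do not match.
 * checkLogin is a hypothetical name, not a function from the original script.
 */
function checkLogin(PDO $pdo, string $username, string $passcode): ?int
{
    // The placeholder keeps user input out of the SQL text, so a quote in
    // $username cannot change the query. LOWER() on both sides makes the
    // match case-insensitive regardless of the column's collation.
    $stmt = $pdo->prepare(
        'SELECT clientid, passwords FROM tbl_clients WHERE LOWER(email) = LOWER(?)'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password stays case-sensitive; only the e-mail is normalised.
    if ($row !== false && password_verify($passcode, $row['passwords'])) {
        return (int) $row['clientid'];
    }
    return null;
}

// Constructed inputs exercising the three cases from the thread.
var_dump(checkLogin($pdo, 'Test@gmail.com', 's3cret-example')); // mixed-case e-mail
var_dump(checkLogin($pdo, 'test@gmail.com', 'S3CRET-EXAMPLE')); // wrong-case password
var_dump(checkLogin($pdo, "x' OR '1'='1", 'anything'));         // quote in the username
```

On MySQL, giving the email column a case-insensitive collation (a name ending in _ci) makes a plain `email = ?` comparison case-insensitive and lets an index on the column be used, which LOWER(email) prevents.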
