Web Hosting Talk

View Full Version : case sensitive login


Mindless_Spider
08-08-2005, 06:02 AM
Okay, I'm the creator and owner of the Broken Saintz online community, and I was doing an image upload add-on when I came across a problem.

The image directory creator script creates the user's directory when they register, but when they log in they can log in using any variant of their username, meaning if they registered with Frank, they can log in with frAnk and it will still work. I want to make it so the login is case sensitive. I've looked all over the net trying to find answers, and the one answer I see the most is to use the BINARY function.

I tried that and here are the results:
using username Boo - worked correctly
using Mindless Puppetz - did not work
adding to the script a character replacement so that spaces turn to underscores:
Mindless_Puppetz - didn't work
Boo - still worked (of course)

I don't know if using BINARY has a problem with irregular characters or what, but I cannot seem to come up with a solution to the problem.

If anyone knows a way to make the login case sensitive, please let me know. I'm somewhat experienced in PHP and MySQL.

Here's my code:

<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: login.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("localhost", "username", "password") or die(mysql_error());

mysql_select_db("database", $conn) or die(mysql_error());

$username = $_POST[username];

//create and issue the query
$sql = "SELECT fname, lname, admin, is_user FROM users WHERE username = ('$_POST[username]') AND password = password('$_POST[password]')";

$result = mysql_query($sql,$conn) or die(mysql_error());


The code continues, but the rest is cookies and session stuff that doesn't matter.
Please help, I could really use it.

-Mindless Spider-

dollar
08-08-2005, 06:10 AM
Make the username field in the database binary,

such as:

ALTER TABLE users CHANGE username username VARCHAR (25) BINARY not null

Mindless_Spider
08-08-2005, 06:53 PM
After I make the field binary, do I need to add anything to the scripting? Because it still only works with Boo and not Mindless Puppetz.

MonteCarloHosting
08-11-2005, 01:12 AM
<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: login.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("localhost", "username", "password") or die(mysql_error());

mysql_select_db("database", $conn) or die(mysql_error());

$username = $_POST['username'];
$password = $_POST['password'];

//create and issue the query
$sql = "SELECT fname, lname, username, admin, is_user FROM users WHERE username = '$username' AND password = '$password'";

// Run the query and fetch on separate lines: "mysql_query(...) or die(...)" passed
// directly as an argument evaluates to the boolean TRUE, not the result resource.
$query = mysql_query($sql, $conn) or die(mysql_error());
$result = mysql_fetch_array($query, MYSQL_ASSOC);
// strcmp() is case sensitive; strcasecmp() returns 0 for "Frank" and "frAnk",
// so it cannot be used to tell the two apart.
if ($result !== false && strcmp($result['username'], $username) == 0)
{
//what to do if the stored name matches exactly.
}
else
{
//what to do if no row came back or the cases don't match.
}


?>

That should work ;-)

Mindless_Spider
08-12-2005, 06:06 AM
<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: login.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("*****", "*****", "*****") or die(mysql_error());

mysql_select_db("*****", $conn) or die(mysql_error());

$username = $_POST['username'];
$password = $_POST['password']; //ADDED YOUR EDIT

//create and issue the query
$sql = "SELECT fname, lname, username, admin, is_user FROM users WHERE username = $username AND password = $password"; //ADDED YOUR EDIT

$result = mysql_query($sql,$conn) or die(mysql_error());


//---------
//ADDED INFO
//---------


//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
//if authorized, get the values of fname lname admin
$fname = mysql_result($result, 0, 'fname');
$lname = mysql_result($result, 0, 'lname');
$admin = mysql_result($result, 0, 'admin');
$is_user = mysql_result($result, 0, 'is_user');
if($is_user == "no"){
print "You Are No Longer A User, And Your Account Has Been Suspended/Deleted.<br>";
print "If You Feel Like This Is A Mistake, Please E-Mail The Webmaster <a href='mailto: *****'>Here</a>.";
}else{

$username = $_POST[username];
//set authorization cookie and start session
//if($admin == "2") {
//$passphrase = $username . "******";
//}else{
$passphrase = $username . "******";
//}
$passphrase = md5($passphrase);
setcookie("passphrase", "$passphrase", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
setcookie("user", "$username", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
session_start();
$_SESSION['user_sess'] = $username;
//if($admin == "2") {
//$_SESSION['admin'] = $username;
//$_SESSION['user_sess'] = $username;
//}elseif($admin == "0"){
//$_SESSION['user_sess'] = $username;
//}
$status = "online";
mysql_query("UPDATE users SET online = '$status' WHERE username = '$username'", $conn) or die ("Couldnt add online status to DB");
$last_ip = GetHostByName($REMOTE_ADDR);
mysql_query("UPDATE users SET last_ip = '$last_ip' WHERE username = '$username'", $conn) or die ("Couldnt add last used IP to DB");

//prepare message for printing, and user menu
header("Location: main_page.php");
exit;
}
} else {
//redirect back to login form if not authorized
header("Location: main_page.php");
exit;
}
?>


Sorry that I didn't post that last bit earlier, but that is how I'm doing my security checks right now to see if they are an admin and what-not. Can you incorporate the code you supplied into this method? If not, can you maybe show me how to add those checks into the code you supplied?

PS - the spots marked //ADDED YOUR EDIT are where I fixed a few things you pointed out that I should've caught myself, but programming a whole site makes you miss a few things sometimes. Thanks for showing them to me lol

-Mindless_Spider-

kneuf
08-12-2005, 09:02 AM
Just out of curiosity, what does the database contain? I.e. make sure the value in the database is the case-sensitive version you want. If it's not, maybe it's something to do with your sign-up form? I just woke up so I didn't really look over your code, but I did spot something that shouldn't be there.

$username = $_POST['username'];
$password = $_POST['password']; //ADDED YOUR EDIT

You shouldn't trust what they enter; not everyone is nice. You should add some sort of protection against SQL injection.

Mindless_Spider
08-12-2005, 09:27 PM
The database contains the case-sensitive information, and is also set to binary now, justadollarhosting's idea, and honestly I don't even know what SQL injection is lmao. I only started coding a year ago, and didn't get very much info from class; the majority of what I learned was from trial and error. But my community site was doing wonderfully until I tried adding photo gallery features.

kneuf
08-12-2005, 11:48 PM
SQL injection can be some nasty stuff; if you do a Google search you can learn what it is. The most basic way to help stop it is this function: addslashes. I also learned by trial and error; IMO, best way to go. Photo galleries can be a real pain, I remember I did one a while back, lots of little things that could go wrong... I've never had to make things case sensitive with MySQL or PHP, but a quick Google for: case sensitive queries with php mysql returned some info. Try adding BINARY in your query before field names to make your login case sensitive. What I've done below is add BINARY before the username field and the password field, so it should now be case sensitive.


<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: login.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("*****", "*****", "*****") or die(mysql_error());

mysql_select_db("*****", $conn) or die(mysql_error());

$username = $_POST['username'];
$password = $_POST['password']; //ADDED YOUR EDIT

//create and issue the query
$sql = "SELECT fname, lname, username, admin, is_user FROM users WHERE BINARY username = $username AND BINARY password = $password"; //ADDED YOUR EDIT
//snip

Try it out.

Mindless_Spider
08-13-2005, 02:38 PM
Where would I add the addslashes function? And it is possible it's just the way I'm creating the folders to store the images for the image gallery, but it is creating multiple folders for different-cased usernames. It's kind of hard to explain, but I want the login to be case sensitive anyway to make things more secure. Thanks for all your help, I've got too many websites going on at once lol. Should probably find someone to help me out eventually.

-Mindless_Spider-

kneuf
08-13-2005, 02:44 PM
Just put the addslashes when you declare your user-inputted vars, like this:

$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);

What it does is add slashes to things like quotes which could become a security hole. It's a basic step, but prevents a lot of things.

P.S., did you try adding BINARY before the field names? I never tried it, so I don't know if it would work, but I'd like to get a confirmation if it did or not.

[edit] Just tried adding BINARY myself, it does indeed work.
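What the addslashes() step does and does not buy you, as an added example rather than code from the thread: it rebuilds the thread's login query for a few constructed hostile usernames and prints the SQL text that would reach MySQL, so no database is needed. The function names and payload strings are mine; the query shape is the thread's.

```php
<?php
// Added example, not code from the thread. Builds the thread's login query
// for hostile usernames and prints the resulting SQL text, so nothing here
// needs a database connection. The payload strings are constructed.

function buildRawQuery(string $username, string $password): string
{
    // Same shape as the thread's query: values dropped straight into the SQL.
    return "SELECT fname, lname, admin, is_user FROM users "
         . "WHERE BINARY username = '$username' "
         . "AND BINARY password = PASSWORD('$password')";
}

function buildAddslashesQuery(string $username, string $password): string
{
    return buildRawQuery(addslashes($username), addslashes($password));
}

// 1. Closing the string literal. AND binds tighter than OR, so the clause
//    becomes  username = 'Frank' OR ('1'='1' AND password = ...)  and the
//    Frank row comes back with no password check at all; mysql_num_rows()
//    sees 1 and the script logs the attacker in as Frank.
$payload = "Frank' OR '1'='1";
echo "raw:        ", buildRawQuery($payload, 'x'), PHP_EOL;
echo "addslashes: ", buildAddslashesQuery($payload, 'x'), PHP_EOL;
// With addslashes() the quote is escaped (\') and the literal stays closed:
//   ... WHERE BINARY username = 'Frank\' OR \'1\'=\'1' AND ...

// 2. A comment marker discards the rest of the statement, password check included.
echo "raw:        ", buildRawQuery("Frank'-- ", 'x'), PHP_EOL;

// 3. Why addslashes() is not a complete fix: it knows nothing about the
//    connection's character set. Under a multibyte charset such as GBK the
//    byte 0xBF followed by the backslash 0x5C that addslashes() inserts is
//    ONE valid two-byte character, so the quote 0x27 after it is unescaped.
$payload3 = "\xBF\x27 OR 1=1-- ";
echo "addslashes bytes: ", bin2hex(addslashes($payload3)), PHP_EOL;
// bf5c27204f5220313d312d2d20   (bf5c = one GBK character, 27 = bare quote)

// mysql_real_escape_string()/mysqli_real_escape_string() escape according to
// the charset the client library knows about (set it with mysql_set_charset(),
// not a bare "SET NAMES"); prepared statements avoid assembling SQL from user
// strings altogether.
```

Run it with `php` from the command line; the three printed queries are the point, since the first one matches the Frank row without ever checking the password.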

Mindless_Spider
08-13-2005, 02:51 PM
Did you make the fields in the database set to binary also? Mine is still not working. I thought it might be the space in my name, so I changed my username, and it isn't.

kneuf
08-13-2005, 02:52 PM
No, I never touched the database settings. Try taking off BINARY in the database, keep BINARY before the field name in your query, and see what happens.

Mindless_Spider
08-13-2005, 02:54 PM
lol, nope, there must be something in my code it doesn't like

Mindless_Spider
08-13-2005, 02:56 PM
I just added the addslashes function.

kneuf
08-13-2005, 02:56 PM
Hmm, I am confuzzled. Could you post the query that you are using here? Maybe there is a typo in it or something?

Mindless_Spider
08-13-2005, 03:00 PM
<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: login.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("*****", "*****", "*****") or die(mysql_error());

mysql_select_db("*****", $conn) or die(mysql_error());

$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);

//create and issue the query
$sql = "SELECT fname, lname, username, admin, is_user FROM users WHERE BINARY username = '$username' AND BINARY password = '$password'";

$result = mysql_query($sql,$conn) or die(mysql_error());

//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
//if authorized, get the values of fname lname admin
$fname = mysql_result($result, 0, 'fname');
$lname = mysql_result($result, 0, 'lname');
$admin = mysql_result($result, 0, 'admin');
$is_user = mysql_result($result, 0, 'is_user');
if($is_user == "no"){
print "You Are No Longer A User, And Your Account Has Been Suspended/Deleted.<br>";
print "If You Feel Like This Is A Mistake, Please E-Mail The Webmaster <a href='mailto: *****'>Here</a>.";
}else{

$username = $_POST[username];
//set authorization cookie and start session
//if($admin == "2") {
//$passphrase = $username . "******";
//}else{
$passphrase = $username . "******";
//}
$passphrase = md5($passphrase);
setcookie("passphrase", "$passphrase", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
setcookie("user", "$username", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
session_start();
$_SESSION['user_sess'] = $username;
//if($admin == "2") {
//$_SESSION['admin'] = $username;
//$_SESSION['user_sess'] = $username;
//}elseif($admin == "0"){
//$_SESSION['user_sess'] = $username;
//}
$status = "online";
mysql_query("UPDATE users SET online = '$status' WHERE username = '$username'", $conn) or die ("Couldnt add online status to DB");
$last_ip = GetHostByName($REMOTE_ADDR);
mysql_query("UPDATE users SET last_ip = '$last_ip' WHERE username = '$username'", $conn) or die ("Couldnt add last used IP to DB");

//prepare message for printing, and user menu
header("Location: main_page.php");
exit;
}
} else {
//redirect back to login form if not authorized
header("Location: main_page.php");
exit;
}
?>

Mindless_Spider
08-13-2005, 03:06 PM
BTW, this script did work until I started trying to make it case sensitive; I had over 200 users on my site lol

kneuf
08-13-2005, 03:07 PM
I'm not 100% sure, but I forgot to mention that you have to use BINARY every time you query the database for a specific username. Try this:

<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: login.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("*****", "*****", "*****") or die(mysql_error());

mysql_select_db("*****", $conn) or die(mysql_error());

$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);

//create and issue the query
$sql = "SELECT fname, lname, username, admin, is_user FROM users WHERE BINARY username = '$username' AND BINARY password = '$password'";

$result = mysql_query($sql,$conn) or die(mysql_error());

//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
//if authorized, get the values of fname lname admin
$fname = mysql_result($result, 0, 'fname');
$lname = mysql_result($result, 0, 'lname');
$admin = mysql_result($result, 0, 'admin');
$is_user = mysql_result($result, 0, 'is_user');
if($is_user == "no"){
print "You Are No Longer A User, And Your Account Has Been Suspended/Deleted.<br>";
print "If You Feel Like This Is A Mistake, Please E-Mail The Webmaster <a href='mailto: *****'>Here</a>.";
}else{

$username = addslashes($_POST['username']); //don't forget addslashes here too, but couldn't you just reuse the last username value?
//set authorization cookie and start session
//if($admin == "2") {
//$passphrase = $username . "******";
//}else{
$passphrase = $username . "******";
//}
$passphrase = md5($passphrase);
setcookie("passphrase", "$passphrase", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
setcookie("user", "$username", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
session_start();
$_SESSION['user_sess'] = $username;
//if($admin == "2") {
//$_SESSION['admin'] = $username;
//$_SESSION['user_sess'] = $username;
//}elseif($admin == "0"){
//$_SESSION['user_sess'] = $username;
//}
$status = "online";
mysql_query("UPDATE users SET online = '$status' WHERE BINARY username = '$username'", $conn) or die ("Couldnt add online status to DB");
$last_ip = GetHostByName($REMOTE_ADDR);
mysql_query("UPDATE users SET last_ip = '$last_ip' WHERE BINARY username = '$username'", $conn) or die ("Couldnt add last used IP to DB");

//prepare message for printing, and user menu
header("Location: main_page.php");
exit;
}
} else {
//redirect back to login form if not authorized
header("Location: main_page.php");
exit;
}
?>

And just to clarify, you are able to log in though? I mean, the login is still working, it's just not case sensitive?

Mindless_Spider
08-13-2005, 03:16 PM
No, it isn't letting me log in at all anymore, but it doesn't display any errors, and yes, I have cookies enabled.

kneuf
08-13-2005, 03:24 PM
Can you PM me the link?

Mindless_Spider
08-13-2005, 03:24 PM
Even tried clearing the browser cache.

kneuf
08-13-2005, 03:36 PM
I'm still not sure what the problem is, but try this. It will at least let us know if the login was accepted or not.

<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: login.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("*****", "*****", "*****") or die(mysql_error());

mysql_select_db("*****", $conn) or die(mysql_error());

$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);

//create and issue the query
$sql = "SELECT fname, lname, username, admin, is_user FROM users WHERE BINARY username = '$username' AND BINARY password = '$password'";

$result = mysql_query($sql,$conn) or die(mysql_error());

//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
//if authorized, get the values of fname lname admin
$fname = mysql_result($result, 0, 'fname');
$lname = mysql_result($result, 0, 'lname');
$admin = mysql_result($result, 0, 'admin');
$is_user = mysql_result($result, 0, 'is_user');
if($is_user == "no"){
print "You Are No Longer A User, And Your Account Has Been Suspended/Deleted.<br>";
print "If You Feel Like This Is A Mistake, Please E-Mail The Webmaster <a href='mailto: *****'>Here</a>.";
}else{

//$username = addslashes($_POST[username]); //this doesn't need to be here
//set authorization cookie and start session
//if($admin == "2") {
//$passphrase = $username . "******";
//}else{
$passphrase = $username . "******";
//}
$passphrase = md5($passphrase);
setcookie("passphrase", "$passphrase", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
setcookie("user", "$username", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
session_start();
$_SESSION['user_sess'] = $username;
//if($admin == "2") {
//$_SESSION['admin'] = $username;
//$_SESSION['user_sess'] = $username;
//}elseif($admin == "0"){
//$_SESSION['user_sess'] = $username;
//}
$status = "online";
mysql_query("UPDATE users SET online = '$status' WHERE BINARY username = '$username'", $conn) or die ("Couldnt add online status to DB");
$last_ip = GetHostByName($REMOTE_ADDR);
mysql_query("UPDATE users SET last_ip = '$last_ip' WHERE BINARY username = '$username'", $conn) or die ("Couldnt add last used IP to DB");

//prepare message for printing, and user menu
// header("Location: main_page.php");
echo "Accepted! Logged in as: " . $username;
exit;
}
} else {
//redirect back to login form if not authorized
//header("Location: main_page.php");
echo "Not authorised!";
exit;
}
?>

Mindless_Spider
08-13-2005, 06:31 PM
I'm getting "Not authorised" lol. I don't know WHAT I did, but it's not working, even when I put it back to the original.

kneuf
08-13-2005, 06:42 PM
Is the password in the database in plain text or encoded in some way (like md5)? If it's not encoded then I don't know why it isn't working, but if it is, that could be the problem. Double-check that you are using the right table and that the database has the right info as well (I've made that mistake before).

Mindless_Spider
08-13-2005, 10:12 PM
I FOUND IT!!!!! w00tn3ss. Okay, here's the thing now: it's case sensitive, but now the addslashes causes an unexpected T_STRING error. My next post will be my code.

Mindless_Spider
08-13-2005, 10:14 PM
<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: login.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("*****", "*****", "*****") or die(mysql_error());
mysql_select_db("*****", $conn) or die(mysql_error());
$username = $_POST[username];
$password = $_POST[password];
//create and issue the query
$sql = "SELECT fname, lname, username, admin, is_user FROM users WHERE BINARY username = '$username' AND BINARY password = password('$password')";
$result = mysql_query($sql,$conn) or die(mysql_error());

//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
//if authorized, get the values of fname lname admin
$fname = mysql_result($result, 0, 'fname');
$lname = mysql_result($result, 0, 'lname');
$admin = mysql_result($result, 0, 'admin');
$is_user = mysql_result($result, 0, 'is_user');
if($is_user == "no"){
print "You Are No Longer A User, And Your Account Has Been Suspended/Deleted.<br>";
print "If You Feel Like This Is A Mistake, Please E-Mail The Webmaster <a href='mailto: *****'>Here</a>.";
}else{

//$username = $_POST['username'];
//set authorization cookie and start session
//if($admin == "2") {
//$passphrase = $username . "******";
//}else{
$passphrase = $username . "*****";
//}
$passphrase = md5($passphrase);
setcookie("passphrase", "$passphrase", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
setcookie("user", "$username", time()+604800, "/", "*****", 0) or die ("unable to set cookie");
session_start();
$_SESSION['user_sess'] = $username;
//if($admin == "2") {
//$_SESSION['admin'] = $username;
//$_SESSION['user_sess'] = $username;
//}elseif($admin == "0"){
//$_SESSION['user_sess'] = $username;
//}
$status = "online";
mysql_query("UPDATE users SET online = '$status' WHERE BINARY username = '$username'", $conn) or die ("Couldnt add online status to DB");
$last_ip = GetHostByName($REMOTE_ADDR);
mysql_query("UPDATE users SET last_ip = '$last_ip' WHERE BINARY username = '$username'", $conn) or die ("Couldnt add last used IP to DB");

//prepare message for printing, and user menu
header("Location: main_page.php");
exit;
}
} else {
//redirect back to login form if not authorized
header("Location: main_page.php");
exit;
}
?>

masfenix
08-13-2005, 10:52 PM
Hey, just off topic,
use this function to prevent SQL injection.
It's a simple function; just run it through what the user enters.

function ToDBString($string)
{
return mysql_real_escape_string(htmlentities(trim(strip_tags($string))));
}

Mindless_Spider
08-14-2005, 09:54 PM
What if I've got more than one variable to check? It's saying I cannot define ToDBString more than once. I did it this way:


function ToDBString($username)
{
return mysql_real_escape_string(htmlentities(trim(strip_tags($username))));
}
function ToDBString($password)
{
return mysql_real_escape_string(htmlentities(trim(strip_tags($password))));
}
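A consolidated version of the login lookup, added here as an example and not code from the thread. On the last question: a PHP function is defined once and then called once per variable (`toDbString($username)`, `toDbString($password)`); a second `function ToDBString` block is what triggers the redefinition error. The example below goes one step further and replaces escaping with a prepared statement, which sends values separately from the SQL text, keeps the thread's `BINARY` comparison for a byte-exact username match, and adds an application-side `strcmp()` check. It assumes PHP 7+ with PDO, the thread's `users` table, a `password` column holding `password_hash()` output instead of MySQL `PASSWORD()` (a swap from the thread's code), and a DSN, credentials and helper names of my choosing.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+, PDO with the MySQL
// driver, and a users table with columns username, password (password_hash()
// output rather than MySQL PASSWORD()), fname, lname, admin, is_user.

// One helper definition serves every input; call it once per variable.
function cleanInput(?string $value): string
{
    return trim($value ?? '');
}

/**
 * Look up a user by exact (case- and byte-sensitive) username and verify the
 * password. Returns the user row on success, null on failure.
 */
function authenticate(PDO $db, string $username, string $password): ?array
{
    // Parameters travel separately from the SQL text, so quotes, backslashes
    // and charset tricks in the input can never change the query's structure.
    // BINARY forces a byte-wise comparison whatever the column collation, so
    // 'Frank', 'frAnk' and 'Frank ' (trailing space) are three different names.
    $stmt = $db->prepare(
        'SELECT username, password, fname, lname, admin, is_user
           FROM users
          WHERE BINARY username = ?
          LIMIT 2'
    );
    $stmt->execute([$username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Exactly one row, and the stored name must be byte-identical to what was
    // typed: a second check that does not depend on MySQL collation settings
    // (strcmp, not strcasecmp, which ignores case).
    if (count($rows) !== 1 || strcmp($rows[0]['username'], $username) !== 0) {
        return null;
    }
    $row = $rows[0];

    // Constant-time hash comparison; the stored value is password_hash() output.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

// Inputs. The username is trimmed; the password is used exactly as typed,
// because every byte the user entered is part of the secret.
$username = cleanInput($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    header('Location: login.php');
    exit;
}

$dsn = 'mysql:host=localhost;dbname=database;charset=utf8mb4'; // assumed DSN
$db  = new PDO($dsn, 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$user = authenticate($db, $username, $password);
if ($user === null) {
    header('Location: login.php'); // same response whether name or password was wrong
    exit;
}
if ($user['is_user'] === 'no') {
    echo 'You Are No Longer A User, And Your Account Has Been Suspended/Deleted.';
    exit;
}

// Fresh session ID on login so a session cookie planted before login is useless.
session_start();
session_regenerate_id(true);
$_SESSION['user_sess'] = $user['username'];
$_SESSION['admin']     = (int) $user['admin'];

$upd = $db->prepare('UPDATE users SET online = ?, last_ip = ? WHERE BINARY username = ?');
$upd->execute(['online', $_SERVER['REMOTE_ADDR'] ?? '', $user['username']]);

header('Location: main_page.php');
exit;
```

Two design choices worth stating. The session replaces the thread's `passphrase` cookie: a random session ID that only the server maps to a user is a better bearer token than a value computed from the username, which is the same on every login. And the folder-naming problem from earlier in the thread goes away for the same reason the login does: with the stored username compared byte for byte, `Frank` and `frAnk` are two accounts, so the gallery script can use the exact stored name for the directory.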