For some reason the registration page I created registers username/password as case sensitive, and a lot of dumb people who do not realize and do not look at the emails they get try to type in their password differently.

Is there a command that makes all the input NOT case-sensitive?

    where/how are you storing these username/passwords? in a MySQL database? if so then a regular SELECT statement is case insensitive:

    SELECT * FROM table WHERE name = 'joe blow'
    

    this will match records with:
    Joe Blow
    JOE BLOW
    jOe bLoW

      when you do your compare to check the username/password convert them to lowercase...

      ex. (assuming your user/pass are in a db)

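      // escape the user input before it goes into the query string (mysql_* API, as used elsewhere in this thread)
      $l_user = mysql_real_escape_string(strtolower($_POST['username']));
      $l_sql = "select username 
         from users 
         where lower(username) = '" . $l_user . "'
            and lower(password) = '" . strtolower(md5($_POST['password'])) . "'";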
      

      the md5() on the password is assuming you're not storing a cleartext password but the md5 hash instead.

        If the password was encoded as mixed case at the time of the registration, how can I go about attempting to access it with the strtolower() ?

        Here is my login code:

          
        
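          // Escape the submitted name before it is placed in the query string.
          $name_in = mysql_real_escape_string(strtolower($_POST['username']), $db);
          $sql = "SELECT username,password,name FROM members WHERE lower(username)='" . $name_in . "'";
          $result = mysql_query($sql, $db);
          @$row = mysql_fetch_row($result);
          if ($row)
          {
              // === avoids PHP's loose comparison treating two "0e..." hashes as equal numbers.
              if (strtolower($row[0]) === strtolower($_POST['username']) && strtolower($row[1]) === strtolower(md5($_POST['password']))) {
                  $_SESSION['username'] = $row[0]; // Setting Session (was the undefined $username)
                  $_SESSION['name'] = $row[2];
                  // Encode the name on output so stored markup is not rendered.
                  echo 'Welcome ' . htmlspecialchars($_SESSION['username']) . ' You will be redirected back in just a moment. ';
              } else {
                  // Display this if the username/password were wrong.
                  echo 'Invalid username/password !';
              }
          }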
        

          ahh... well if the passwords are already stored in mixed case and were stored as md5 hashes then you're sol... is that the case?

          you'd need to do the lower case conversion before storing the md5 hash ... i.e. store password = md5(strtolower($password))

            Yes, I guess in that respect I'm beyond circumventing it, but thank you very much, now I can edit the registration code and have this problem fixed.

              no problem... I'll admit it's a good idea security-wise to store passwords as md5()... but after building many, many sites with logins and dealing with customers - it seemed like it was always better to just store cleartext for lame little sites (i.e. non-government, small business).

              Those types of people will be the same ones who next week will ask you to email them their password when they forget it. And of course you could generate a new one and email it, then require them to change it when they log in... BUT no, that's too hard for the customer so they'll make you send it in an email and then security is out the window anyway.

              sigh
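
An added example, not code from any poster in this thread: one way to make usernames case-insensitive without lowercasing passwords, using a parameterized query and PHP's password_hash()/password_verify(). The in-memory SQLite table, the sample account and the function names are assumptions made for the illustration.

```php
<?php
// Added example: constructed schema and sample account, not the thread's code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT, name TEXT)');

// Usernames are normalized once, the same way at registration and at login.
function normalize_username(string $raw): string {
    return strtolower(trim($raw));
}

function register(PDO $db, string $username, string $password, string $name): void {
    $stmt = $db->prepare('INSERT INTO members (username, password_hash, name) VALUES (?, ?, ?)');
    // password_hash() salts and hashes; the password itself is not stored.
    $stmt->execute([normalize_username($username), password_hash($password, PASSWORD_DEFAULT), $name]);
}

// Returns the member row on success, or null on any failure.
function login(PDO $db, string $username, string $password): ?array {
    // Placeholder binding keeps the submitted name out of the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash, name FROM members WHERE username = ?');
    $stmt->execute([normalize_username($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the password exactly as typed, including case.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

register($db, 'JoeBlow', 'Tr1cky-Pass', 'Joe Blow'); // constructed sample account

// Case 1: username typed in a different case, correct password.
var_dump(login($db, 'JOEBLOW', 'Tr1cky-Pass') !== null);
// Case 2: correct username, password typed in a different case.
var_dump(login($db, 'joeblow', 'tr1cky-pass') !== null);
// Case 3: quote characters in the username are bound as data, not SQL.
var_dump(login($db, "x' OR '1'='1", 'anything') !== null);
```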
