Posted by Richard Lynch on 02/23/05 19:36
William Stokes wrote:
> I got my little user authentication to work but now I would like to know
> how to make and check the (upper/lower) case in password. To put it simply,
> I want the user's password to be case sensitive.

The default compile settings for MySQL are case-insensitive.

Usually, one stores some kind of hash of a password, not a password itself.
Since the hash comes out quite differently for upper/lower case, that
usually takes care of case sensitivity.

Actually, I went the other route and forced all passwords to lowercase
before hashing, because my users were, errr, technically-challenged, and
case sensitivity was too complicated an issue. Yes, really. Been there.

Anyway, if you are storing the password in plain text (not hashed) and
want case sensitivity, there's probably a MySQL function to compare case
sensitive. http://mysql.com search engine would find it.

If not, an ugly hack that will almost for sure work, would be:

    $query = "select md5('$password') = md5(password) ... ";

Here, instead of letting MySQL compare the two text strings
case-insensitive, you are doing an MD5 hash on each first, which will
result in wildly different values, and then comparing those
(case-insensitive).

There is a one in 2 billion chance that somebody could find an input
('foo') that is not at all related to the actual password ('bar') and
bypass your password that way...

If that concerns you, then do:

    $query = "select md5('$password') = md5(password) and '$password' = password ...";

I don't think there's any chance at all of two passwords with only case
difference having the same MD5 hash...

--
Like Music?
http://l-i-e.com/artists.htm
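
Added example, not part of the original post: the same password checked as plain text under a case-insensitive collation and as a stored hash verified in PHP, with bound parameters instead of interpolating `$password` into the query. Assumptions: SQLite's `NOCASE` collation stands in for MySQL's case-insensitive default, PHP's `password_hash()`/`password_verify()` replace the post's `md5()`, and the table, column and account names are hypothetical.

```php
<?php
// Added example. SQLite's NOCASE collation stands in for MySQL's
// case-insensitive default; table, column and account names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    name     TEXT PRIMARY KEY,
    pw_plain TEXT COLLATE NOCASE,
    pw_hash  TEXT
)');

// Constructed sample account: the same password stored both ways.
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$ins->execute(['william', 'SecretPass',
               password_hash('SecretPass', PASSWORD_DEFAULT)]);

// Plain-text comparison done by the database: follows the column collation,
// so a password differing only in case is accepted.
function check_plain(PDO $db, string $name, string $password): bool
{
    $q = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE name = ? AND pw_plain = ?');
    $q->execute([$name, $password]);   // bound parameters, no interpolation
    return (int) $q->fetchColumn() === 1;
}

// Salted hash fetched by user name and verified in PHP: case-sensitive
// regardless of the database collation.
function check_hash(PDO $db, string $name, string $password): bool
{
    $q = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $q->execute([$name]);
    $hash = $q->fetchColumn();         // false when the user does not exist
    return is_string($hash) && password_verify($password, $hash);
}

// Try the exact password and a variant that differs only in case.
foreach (['SecretPass', 'secretpass'] as $attempt) {
    printf("%-10s  plain/NOCASE: %-6s  hash: %s\n", $attempt,
        check_plain($db, 'william', $attempt) ? 'accept' : 'reject',
        check_hash($db, 'william', $attempt) ? 'accept' : 'reject');
}
```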