 Posted by William Stokes on 02/24/05 11:21 
OK. 
 
I changed to hashed passwords and now they are case sensitive. 
 
Thanks. 
-Will 
 
"Richard Lynch" <ceo@l-i-e.com> wrote in message: 
1672.66.99.91.45.1109180165.squirrel@www.l-i-e.com... 
> William Stokes wrote: 
>> I got my little user authentication to work but now I would like to know how
>> to make and check the (upper/lower) case in password. To put it simple. I
>> want users password to be case sensitive.
> 
> The default compile settings for MySQL are case-insensitive. 
> 
> Usually, one stores some kind of hash of a password, not a password itself.
> 
> Since the hash comes out quite differently for upper/lower case, that 
> usually takes care of case sensitivity. 
> 
> Actually, I went the other route and forced all passwords to lowercase 
> before hashing, because my users were, errr, technically-challenged, and 
> case sensitivity was too complicated an issue.  Yes, really.  Been there. 
> 
> Anyway, if you are storing the password in plain text (not hashed) and 
> want case sensitivity, there's probably a MySQL function to compare case 
> sensitive.  http://mysql.com search engine would find it. 
> 
> If not, an ugly hack that will almost for sure work, would be: 
> $query = "select md5('$password') = md5(password) ... "; 
> 
> Here, instead of letting MySQL compare the two text strings 
> case-insensitive, you are doing an MD5 hash on each first, which will 
> result in wildly different values, and then comparing those 
> (case-insensitive). 
> 
> There is a one in 2 billion chance that somebody could find an input 
> ('foo') that is not at all related to the actual password ('bar') and 
> bypass your password that way... 
> 
> If that concerns you, then do: 
> $query = "select md5('$password') = md5(password) and '$password' = password ...";
> 
> I don't think there's any chance at all of two passwords with only case 
> difference having the same MD5 hash... 
> 
> --  
> Like Music? 
> http://l-i-e.com/artists.htm
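
The point made in the quoted reply, as an added example that is not part of the original thread: a plaintext column compared by the database follows the column's collation, while a stored hash verified in PHP is case sensitive. It uses PHP's password_hash()/password_verify() in place of the MD5 comparison in the reply, assumes the pdo_sqlite extension, and uses SQLite's NOCASE collation as a stand-in for MySQL's default case-insensitive collation; the table, column and function names are hypothetical.

```php
<?php
// Added example, not from the thread. Table, column and function names are
// hypothetical; SQLite's NOCASE collation stands in for MySQL's default
// case-insensitive collation so the script runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    name      TEXT PRIMARY KEY,
    plain_pw  TEXT COLLATE NOCASE,  -- plaintext column, case-insensitive compare
    pw_hash   TEXT                  -- salted hash from password_hash()
)');

// Constructed sample account.
$ins = $db->prepare('INSERT INTO users (name, plain_pw, pw_hash) VALUES (?, ?, ?)');
$ins->execute(['will', 'SecretPw1', password_hash('SecretPw1', PASSWORD_DEFAULT)]);

// Plaintext check: the database compares the strings, so the collation decides.
// Bound parameters keep the submitted password out of the SQL text.
function check_plain(PDO $db, string $name, string $password): bool
{
    $q = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ? AND plain_pw = ?');
    $q->execute([$name, $password]);
    return (int) $q->fetchColumn() === 1;
}

// Hashed check: fetch the stored hash by user name, then verify it in PHP.
function check_hashed(PDO $db, string $name, string $password): bool
{
    $q = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $q->execute([$name]);
    $hash = $q->fetchColumn();   // false when the user does not exist
    return is_string($hash) && password_verify($password, $hash);
}

// Try the correct password and the same password in the wrong case.
foreach (['SecretPw1', 'secretpw1'] as $attempt) {
    printf("%-10s plain=%s hashed=%s\n", $attempt,
        var_export(check_plain($db, 'will', $attempt), true),
        var_export(check_hashed($db, 'will', $attempt), true));
}
```

The wrong-case attempt passes the plaintext check and fails the hashed one, which is the behaviour William reports after switching to hashes.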
 