Member Avatar for nil_gh_80

Hello friends,

I've a user login system......user's name & password are saved in the database.......suppose i've an user "admin". At the time of login if he enters "admin" he can login also if enters "ADMIN" or "AdMiN" he can login too.....how can I stop this thing........PLZZZZZZZ show me the way......

thank you...

  • 5 Contributors
  • 8 Replies
  • 446 Views
  • 2 Months Discussion Span
  • Latest Post Latest Post by BeachyUK
Member Avatar for cwarn23

For that you could just convert both values to lower case with strtolower(); So try the following and I have included the form.

<?
//mysql connections
$username='Admin'; //from mysql in your script

$username=strtolower($username);
if (isset($_POST['username']))
    {
    $_POST['username']=strtolower($_POST['username']);
    if ($_POST['username']==$username)
        {
        //login
        }
    }
?>
<form method='post'>
<input type='text' value='adMiN' name='username'>
<input type='submit' value='submit'>
</form>
Member Avatar for nil_gh_80

sorry man this is not that i want ......actually i want to check the string insterted case sensitive way......

Member Avatar for cwarn23

If you want it case sensitive then because php is case sensitive, just get php to check if the 2 values = each other. So use the following:

<?
//mysql connections
$username='Admin'; //from mysql in your script

if (isset($_POST['username']) && $_POST['username']==$username)
    {
    //login
    echo "test";
    }
?>
<form method='post'>
<input type='text' value='adMiN' name='username'>
<input type='submit' value='submit'>
</form>
Member Avatar for nil_gh_80

according to your solution if I have 1,00,00,000 user will I define those user in that number of veriables ?????????? is this thing feasible ?????????

Member Avatar for cwarn23

according to your solution if I have 1,00,00,000 user will I define those user in that number of veriables ?????????? is this thing feasible ?????????

Yes because all you need to do is check that the username (which should be unique from all the others) is correct and that at option, the password for security reasons is correct. So just to explain, I shall write a basic login system for you.

Below is login.php

session_start();
//mysql connect code

$result=mysql_query("SELECT * FROM `users` WHERE `username`='".$_POST['username']."' AND `password`='".$_POST['password']."'");

if (isset($_POST['username']) && mysql_num_rows($result)==1)
    {
    $row=mysql_fetch_array($result);
    $_SESSION['username111']==$row['username'];
    unset($row);
    header('Location: index.php?login=true');
    //there should be no browser output before this line.
    }
?>
<form method='post'>
<input type='text' value='Admin' name='username'><br>
<input type='text' value='password' name='password'>
<input type='submit' value='submit'>
</form>

index.php (at top)

<?
session_start();
if ($_GET['login']=='true' && !isset($_SESSION['username111']))
    {
    echo "<h1>You need to be logged in to view this page!</h1>";
    exit;
    }
//no browser output before this line.

Sorry if there is a small bug but that login system is from the top of my head and I have used simular ones in the past. Hope that example helps

Member Avatar for xarz

@cwarn23 yeah, I agree with your code also.. I use it the same way.. just add htmlentities to make sure that there will be no sql injections.. :P

Member Avatar for Aamit

here you can use md5 encrypted password....

when you use md5 you got this value in database
admin= 21232f297a57a5a743894a0e4a801fc3

ADMIN= 73acd9a5972130b75066c82595a1fae3 

AdMiN= 2714cba6c6d58e587565cf4e6b275078

login.php

$con = mysql_connect("localhost","root","");
	if (!$con)
	  {
	  die('Could not connect: ' . mysql_error());
	  }
	  else
	  {
	 // echo('Connected with Mysql');
	  }
		@mysql_select_db("db_login", $con);
		if (isset($_POST['Submit']))
		{
			$user_uname=$_POST["user_uname"];
			$user_pass=md5($_POST["user_pass"]);
											
			
			$sql=mysql_query("SELECT * FROM table WHERE user_uname='$user_uname' AND user_pass='$user_pass'");
			
			if (mysql_num_rows($sql)==0 || mysql_num_rows($sql)>1)
			{	
				echo "<script>alert('Username/password pair is invalid.Please try again.')</script>";
				
				echo"<script language='javascript'>window.location.href='login.php'</script>";
			}
			while($row = mysql_fetch_array($sql))
				  {
					if($user_pass==$row['user_pass'] and $user_uname==$row['user_uname'])
					{
						//here use go to your new page						echo"<script language='javascript'>window.location.href='newprofile.php'</script>";
						}
						else
						{
													echo"<script language='javascript'>window.location.href='login.php'</script>";
						}
					}
				  }
				  echo"<script language='javascript'>window.location.href='login.php'</script>";
		} 
}

when use register or save data in mysql / databse
you have to insert data like... $sql="INSERT INTO table ( user_uname, user_pass) VALUES('$_POST[user_uname]','md5($_POST[user_pass])')"; i think this solves your problem.......

Member Avatar for BeachyUK

here you can use md5 encrypted password....

when you use md5 you got this value in database
admin= 21232f297a57a5a743894a0e4a801fc3

ADMIN= 73acd9a5972130b75066c82595a1fae3 

AdMiN= 2714cba6c6d58e587565cf4e6b275078

This is very important, so good on Aamit for pointing this out... not sure if people have taken it onboard as there are no responses!

For security reasons you don't want to make the raw password available in your database, in-case a hacker gets in. An MD5 hash is a good method to ensure you can still verify the users identity without risking a security problem.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.