Login problem with username

Hi everyone,
My problem is this: let's say there is a user called Joe123 and his password is 1234. Normally, if he inputs his username and password, he gets access to his account; this part works fine on the page. But let's say that instead of writing Joe123 he writes joe123 and his password: he still gets access to Joe123's account. Is there a way to prevent this from happening? Thanks in advance for your help. Below is my code.

<?php

if (isset($_POST['log-in']))
{
    require 'connect_db.php';
    // The prepared statement below quotes the values itself, so no
    // mysqli_real_escape_string() is needed; escaping the password would
    // change it before password_verify() compares it with the stored hash.
    $username = $_POST["username"];
    $passwd = $_POST["passwd"];
    if (empty($username) || empty($passwd))
    {
        header("location: …/php/login.php?error=emptyfields");
        exit();
    }
    else
    {
        $sql = "SELECT * FROM signup WHERE username = ?;";
        $stmt = mysqli_stmt_init($conn);
        if (!mysqli_stmt_prepare($stmt, $sql))
        {
            header("location: …/php/login.php?error=sqlerror");
            exit();
        }
        else
        {
            mysqli_stmt_bind_param($stmt, "s", $username);
            mysqli_stmt_execute($stmt);
            $result = mysqli_stmt_get_result($stmt);
            if ($row = mysqli_fetch_assoc($result))
            {
                // The lookup above is case-insensitive under MySQL's default
                // collation, so this row may belong to "Joe123" even when
                // "joe123" was submitted.
                $passwdCheck = password_verify($passwd, $row['passwd']);
                if ($passwdCheck == false)
                {
                    header("location: …/php/login.php?error=wrongpassword");
                    exit();
                }
                else if ($passwdCheck == true)
                {
                    session_start();
                    $_SESSION['userId'] = $row['user_id'];
                    $_SESSION['username'] = $row['username'];
                    header("location: …/php/profile.php?signup=logingood");
                    exit();
                }
            }
            else
            {
                header("location: …/php/login.php?error=nouser");
                exit();
            }
        }
    }
}
else
{
    header("location: …/php/login.php");
    exit();
}

What you are asking about is called "case sensitivity".

SELECT * FROM `table` WHERE BINARY `column` = 'value'

This is pointless though. MySQL with a unique constraint on the column will see the usernames as duplicates regardless of case.


What do you mean as duplicate? It will see both Joe and joe as the same?

Exactly!

By the way, you don't need all that if/else logic.

I did find a way to prevent this, but I don't know if it is the correct way; below is the corrected code:

if ($row = mysqli_fetch_assoc($result))
{
    $passwdCheck = password_verify($passwd, $row['passwd']);
    if ($passwdCheck == false)
    {
        header("location: …/php/login.php?error=wrongpassword");
        exit();
    }
    else if (($passwdCheck == true) && ($username != $row['username']))
    {
        // PHP's != compares case-sensitively, so "joe123" is rejected for "Joe123"
        header("location: …/php/login.php?error=wrongpassword");
        exit();
    }
    else if (($passwdCheck == true) && ($username == $row['username']))
    {
        session_start();
        $_SESSION['userId'] = $row['user_id'];
        $_SESSION['username'] = $row['username'];
        header("location: …/php/profile.php?signup=logingood");
        exit();
    }
}
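For comparison, here is the same login written as a few functions: the row is fetched with a prepared statement, the password hash is verified first, and the submitted username is then compared with the stored one byte-for-byte, which is the PHP-side equivalent of the `BINARY` query in the earlier reply. It also shows the alternative that reply recommends: lowercase usernames at registration and rely on a UNIQUE index. This is an added example, not the original poster's code or the reply's; it assumes the thread's `signup` table with `user_id`, `username` and `passwd` columns, a `mysqli` connection in `$conn` from `connect_db.php`, a UNIQUE index on `signup.username`, and `login.php`/`profile.php` as relative redirect targets.

```php
<?php
// Added example; not the original poster's code nor the reply's. Assumes the
// thread's `signup` table (user_id, username, passwd = password_hash() result),
// a mysqli connection in $conn, a UNIQUE index on signup.username, and the
// redirect targets login.php / profile.php relative to this script.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions

/**
 * Fetch the account for $username and verify $password against its hash.
 * Returns the row on success, null on any failure (no such user, wrong
 * password, or, when $caseSensitive is true, a username differing only in case).
 *
 * MySQL's default *_ci collation makes `WHERE username = ?` case-insensitive,
 * so 'joe123' fetches the row stored as 'Joe123'. Either add BINARY to the
 * query (as in the reply above) or, as here, compare the stored username with
 * the submitted one byte-for-byte in PHP after the lookup.
 */
function authenticate(mysqli $conn, string $username, string $password, bool $caseSensitive = true): ?array
{
    // No mysqli_real_escape_string(): the prepared statement quotes the value,
    // and escaping the password would corrupt it before password_verify().
    $stmt = $conn->prepare('SELECT user_id, username, passwd FROM signup WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Always run password_verify(), against a dummy hash when no row exists, so
    // the response time does not reveal whether the username is registered.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $passwordOk = password_verify($password, $row['passwd'] ?? $dummyHash);

    // hash_equals() is a constant-time, case-sensitive byte comparison:
    // 'joe123' and 'Joe123' differ here even though MySQL matched them.
    $usernameOk = $row !== null && (!$caseSensitive || hash_equals($row['username'], $username));

    return ($passwordOk && $usernameOk) ? $row : null;
}

/** Request handler: one generic error for every way the login can fail. */
function handleLogin(mysqli $conn): void
{
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['passwd'] ?? '';
    if ($username === '' || $password === '') {
        header('Location: login.php?error=emptyfields');
        exit();
    }
    $user = authenticate($conn, $username, $password);
    if ($user === null) {
        // Same response for unknown user, wrong case and wrong password, so the
        // form does not confirm which usernames exist.
        header('Location: login.php?error=wrongpassword');
        exit();
    }
    session_start();
    session_regenerate_id(true); // fresh session id after login
    $_SESSION['userId'] = $user['user_id'];
    $_SESSION['username'] = $user['username'];
    header('Location: profile.php?signup=logingood');
    exit();
}

/**
 * The alternative the replies recommend: treat usernames as case-insensitive
 * on purpose. Store them lowercased and let the UNIQUE index on signup.username
 * reject 'Joe123' once 'joe123' is taken. Logins then call
 * authenticate($conn, mb_strtolower($username), $password, false).
 */
function registerUser(mysqli $conn, string $username, string $password): bool
{
    $normalized = mb_strtolower(trim($username));
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO signup (username, passwd) VALUES (?, ?)');
    $stmt->bind_param('ss', $normalized, $hash);
    try {
        return $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        return false; // duplicate username (MySQL error 1062) or other DB error
    } finally {
        $stmt->close();
    }
}

if (isset($_POST['log-in'])) {
    require 'connect_db.php'; // defines $conn, as in the thread
    handleLogin($conn);
}
```

Whichever model is chosen, pick it once and apply it in both places: if usernames are case-sensitive, the check in `authenticate()` (or `BINARY` in the query) is needed at login; if they are case-insensitive, normalise at registration and login and let the unique index do the rest.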

There is no reason to try and prevent it. The database says they are the same username, so it doesn't matter.

You mean I just need a
if ($passwordCheck == true && $username == $row['username'])
{
    header("location: …/php/profile.php?signup=logingood");
}
else
{
    header("location: …/php/login.php?error=wrongpassword");
}

Basically, although your logic needs some work. Just put a unique constraint on the username column.

But what if I want Joe and joe to be two different users, which you say means being case sensitive? To me, if both Joe and joe can access the account it is not a problem, but I know the guy who will correct my project and I'm sure he will point out that Joe and joe are not the same username.

Thanks for the tip, I'll do it right away.

joe, Joe, jOe, joE, JOE are all the same exact usernames. The database only cares what the letters are, not what case they are.

I understand what you mean, frankly, but I have a lecturer who will say joe, JOe, joE, or JOE can't be the same person, so if they can access the same profile my code is wrong and I would lose marks. Thanks for taking the time to answer my queries; I'll mark your reply as the answer.

That will be your biggest problem. From our experience on these forums, these "lecturers" don't know what they are doing and are not up to date with current standards. Here is your opportunity to teach the lecturer something.

To me that sounds more like a problem on the user's end if he or she is using a password that is easy to guess. The only thing you can really do about that is make the password requirements stricter when a person registers on your website. In my opinion you are just wasting your time doing it this way.

The OP's issue is with the username, not the password.

If that's the case, I don't see what the big deal is: just convert the username to lowercase. If the OP is checking whether the username is already taken, then simply check whether the username is available, unless the website is very busy, in which case there will have to be some exception-handling code. If I were the owner of the account and had to remember to type a capital letter for the username, that would upset me. It's bad enough that passwords do that sometimes, let alone a username. To me the usernames Joe123 and joe123 should be the same.

More importantly, it is the same to the Database. His real problem is…

but I got a lecturer…
