
I have the below code on my page but I want it to work for logging in even if the username and password were entered in lowercase. I have looked online and the answer seems to suggest strtolower would work, but it doesn't work for me. Can anyone take a look?

thanks for any assistance!

```php
<?php
    $error = "";
    if(isset($_POST['username'],$_POST['password'])){
        // Hard-coded demo credentials, stored in mixed case
        $user = array(
                        "user" => "Demo",
                        "pass"=>"Demo"
                );
        // Only the submitted values are lower-cased, so "demo" is compared
        // against "Demo" and never matches
        $username = strtolower($_POST['username']);
        $pass = strtolower($_POST['password']);
        if($username == $user['user'] && $pass == $user['pass']){
            session_start();
            $_SESSION['simple_login'] = $username;
            echo '{"error":0}';
        }else{
            echo '{"error":1}';
        }
        exit();
    }
?>
```
Suraj Rao
Taz Conway
  • I don't know too much PHP, but it seems that you are comparing an all-lowercase string to the string `"Demo"`, which contains an uppercase letter. Maybe that is the reason why the comparison case did not pass. – Jerrybibo Aug 29 '17 at 14:58
  • You convert your variables to lower case, but the array you're matching against contains uppercase. _Both_ obviously need to be converted for them to match. – Magnus Eriksson Aug 29 '17 at 14:58
  • What do you mean by "does not work"? What is the error, is it semantic? What is happening when you run the code? – HumbleWebDev Aug 29 '17 at 14:58
  • Maybe you could try `mb_strtolower` http://php.net/manual/en/function.mb-strtolower.php – kenfire Aug 29 '17 at 14:59
  • Making passwords case insensitive is a major impairment to security. – xyious Aug 29 '17 at 14:59
  • As a side note, in case that code is expected to be used in production, you should not make it easier for someone to use the username and password of one of your users. Making password matching easier is not doing your users a favor. – ksjohn Aug 29 '17 at 15:00
  • "I want to to work for logging in even if username and password was entered in lowercase". Why? It just makes your app less secure, because there are fewer possible usernames / passwords that could be used, and they're easier to guess. This is both completely unnecessary and also actively detrimental to the quality of your application. – ADyson Aug 29 '17 at 15:02
  • Sorry, I'm not sure if I was clear. I know the values are set to 'Demo' in the code below, but I want it also to allow access if a user entered 'demo', I hope that makes sense. I want the username and password to be case insensitive. – Taz Conway Aug 29 '17 at 15:04
  • Yes... you've said that already. And people have already pointed out quite clearly how to make it work as you describe. But again, why? Why make it easier to guess the password?? It reduces security, requires more code and more processing, and produces no material benefit to anyone. – ADyson Aug 29 '17 at 15:04
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Aug 29 '17 at 15:21

1 Answer

Although this is one way to do it, you probably shouldn't be doing it this way; this isn't really secure. Why should the username/password be case insensitive?

```php
<?php
    $error = "";
    if(isset($_POST['username'],$_POST['password'])){
        // Lower-case the stored values as well, so both sides of the
        // comparison use the same case
        $user = array(
                        "user" => strtolower("Demo"),
                        "pass"=> strtolower("Demo")
                );
        $username = strtolower($_POST['username']);
        $pass = strtolower($_POST['password']);
        if($username == $user['user'] && $pass == $user['pass']){
            session_start();
            $_SESSION['simple_login'] = $username;
            echo '{"error":0}';
        }else{
            echo '{"error":1}';
        }
        exit();
    }
?>
```
Jay Blanchard
HumbleWebDev
  • Awesome, if you don't mind making this the accepted answer I'd very much appreciate that <3 – HumbleWebDev Aug 29 '17 at 15:08
  • @TazConway wow, you really don't care about security, then. Glad I'm not a user of your system. – ADyson Aug 29 '17 at 15:13
  • @ADyson I assume he's doing this for a school project or something lol. I mean I really hope a guy who's confused by strtolower() doesn't already have a degree/job. – HumbleWebDev Aug 29 '17 at 15:14
  • Guys; I find that the last 2 comments are rather demeaning. – Funk Forty Niner Aug 29 '17 at 15:16
  • @Fred-ii- Maybe. And to be fair we all started off at a similar level. I really wasn't trying to demean this guy, I used to write code that was similarly bad when I was in school. Sorry, that's just what his code reminded me of... – HumbleWebDev Aug 29 '17 at 15:18
  • @TheUnholyProgrammer It's like "border-line" demeaning TBH. Best to instruct as the comments under their question have already stated. Pretty sure they got the message; least I *hope* they did! *lol* - I just don't want the OP to get a bad impression :-) – Funk Forty Niner Aug 29 '17 at 15:20
  • @Fred-ii- True, instead of comparing his code to school-level work, maybe I could talk about storing passwords in a database with hash+salt? And using regular expressions to enforce good passwords. – HumbleWebDev Aug 29 '17 at 15:23
  • @TheUnholyProgrammer see my comments above about passwords. Just use PHP's built-in functions and do not limit passwords with regex. Allow users to use the [passwords / phrases](https://xkcd.com/936/) they desire. [Don't limit passwords.](http://jayblanchard.net/security_fail_passwords.html) – Jay Blanchard Aug 29 '17 at 15:24
  • @JayBlanchard Not sure I agree with that. What if a user makes their password "password"? Yeah, you can hash and salt it and it might be secure on that level, but it's not secure in that just about anyone could guess it. I agree to not making limits that REDUCE security (such as max characters of 8) but you need to enforce some basic password policy. – HumbleWebDev Aug 29 '17 at 15:31
  • It is not our job as programmers to make sure our users don't use passwords like "password". It is our job to encourage them to create strong passwords (or passphrases). As I always say, you can lead a horse to water, but you cannot make them make their passwords stronger... until they're hacked. I use password strength indicators. – Jay Blanchard Aug 29 '17 at 15:32
  • @Fred-ii- I wasn't trying to be offensive, but it seems like the OP didn't listen or respond to any of the comments and just went ahead and used the solution despite all the warnings, without explaining their motivation. Which suggests they didn't care that the solution was insecure. And they should care about security, and we should care that others don't care, because it makes everyone less safe. The other warnings hadn't worked so I wanted to hit it home. Perhaps it was a bit OTT in retrospect, but nothing else seemed to have made an impression. – ADyson Aug 29 '17 at 15:33
  • @JayBlanchard I guess that depends on your company's culture. Plenty of companies would blame IT if they get hacked. – HumbleWebDev Aug 29 '17 at 15:33
  • Undoubtedly - but then they have ignored the corporate culture of security which is preached every day. – Jay Blanchard Aug 29 '17 at 15:34
  • @TheUnholyProgrammer true, and plenty of companies enforce stringent password policies. But there's an increasing amount of research which suggests that you can easily go too far, and encourage people to use the same password for everything, or repeat the same password with minimal variation (password1, password2 etc., changed once a month) and/or write them down elsewhere. And a password manager is only secure if you then use a good password for that... – ADyson Aug 29 '17 at 15:34
  • @ADyson Perhaps this is why we should enforce a practice called balance. Some basic restrictions like requiring numbers and a minimum number of characters, but without taking it too far like "NO COMMON WORDS" + "MIN 30 CHARACTERS" + "MUST HAVE AT LEAST 1 LOWER CASE AND 1 UPPER CASE" + "MUST CONTAIN A SPECIAL CHARACTER" – HumbleWebDev Aug 29 '17 at 15:37
  • @TheUnholyProgrammer absolutely. Minimum characters of maybe 8-10, and potentially enforcing lower/upper and possibly special characters seems to be considered reasonable from my (totally subjective) experience. And not enforcing a change every week or anything crazy like that. – ADyson Aug 29 '17 at 15:54
  • @ADyson *"but it seems like the OP didn't listen or respond to any of the comments and just went ahead and used the solution despite all the warnings"* - We can only let them know as y'all did :-) Remember the 'ol saying? *"I am not my brother's keeper"* ;-) If they chose to not heed the warnings, then that isn't your/our problem and all have tried to inform/advise. Should they come back to Stack and post: *"My website was hacked"*, well... I think you know where I'm going here ;-) – Funk Forty Niner Aug 29 '17 at 15:55
  • @TheUnholyProgrammer *"maybe I could talk about storing passwords in a database with hash+salt?"* - Nowadays, there's almost no need to salt. If someone's still coding for the "last century", then they need to upgrade ;-) – Funk Forty Niner Aug 29 '17 at 15:58
  • @Fred-ii- hmm, I've always been taught to hash 'n' salt. Maybe I could use some upgrading as well? – HumbleWebDev Aug 29 '17 at 15:59
  • @TheUnholyProgrammer PHP's [`password_hash()`](http://php.net/manual/en/function.password-hash.php) does all that on its own. So... "maybe" ;-) – Funk Forty Niner Aug 29 '17 at 15:59
  • @TheUnholyProgrammer I have made this the accepted answer, and just for everyone, of course I know it's not secure. Even having the passwords in the source code is not secure at all. It's just a non-profit site I have at work and I want users to feel like they are in a special area on the website, no sensitive data etc. It's not that deep; I have yet to learn about MySQL databases etc. I just literally wanted to know how it would accept the username and password no matter what case was used. I don't have a degree in coding, it's just a hobby. Thanks for your help! – Taz Conway Aug 29 '17 at 16:32
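An added example, written for this page and not the question's or the answer's code, that puts the two approaches discussed above side by side: the answer's case-folded plaintext comparison, and the `password_hash()` / `password_verify()` approach Jay Blanchard and Funk Forty Niner point to in the comments. The username lookup stays case-insensitive (that part is harmless and common), while the password is verified exactly. It assumes PHP 7 or later (for `random_bytes()` and scalar type hints); the `$users` store and the `__dummy__` entry are constructed for the demo and would normally live in a database.

```php
<?php
// Added example, not from the original question or answer.
// Assumes PHP >= 7.0. Everything below is constructed for the demo.

// Weak variant, as in the accepted answer: both sides lower-cased and a
// plaintext password compared. Accepts "demo"/"demo" as well as "Demo"/"Demo",
// which shrinks the set of passwords an attacker has to guess.
function login_case_insensitive(string $username, string $password): bool
{
    $user = ["user" => "Demo", "pass" => "Demo"];   // constructed plaintext credential
    return strtolower($username) === strtolower($user['user'])
        && strtolower($password) === strtolower($user['pass']);
}

// Hardened variant: the username is normalised for lookup only; the password is
// checked exactly against a stored hash with password_verify(), which handles
// the salt and uses a constant-time comparison.
function login_hashed(string $username, string $password, array $users): bool
{
    $key = mb_strtolower($username);
    if (!isset($users[$key])) {
        // Unknown user: still run a verify against a dummy hash so the response
        // time does not reveal whether the username exists.
        password_verify($password, $users['__dummy__']);
        return false;
    }
    return password_verify($password, $users[$key]);
}

// Build the constructed user store once (hypothetical; a real app reads hashes
// from its database and generates them at registration, never per request).
function build_user_store(): array
{
    return [
        "demo"      => password_hash("Demo", PASSWORD_DEFAULT),
        "__dummy__" => password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT),
    ];
}

// Minimal request handler mirroring the page's JSON response shape.
function handle_login(array $post, array $users): string
{
    if (!isset($post['username'], $post['password'])) {
        return json_encode(["error" => 1]);
    }
    if (login_hashed($post['username'], $post['password'], $users)) {
        if (session_status() === PHP_SESSION_NONE && PHP_SAPI !== 'cli') {
            session_start();
        }
        $_SESSION['simple_login'] = mb_strtolower($post['username']);
        return json_encode(["error" => 0]);
    }
    return json_encode(["error" => 1]);
}

$users = build_user_store();

// Weak variant accepts the lower-cased password.
var_dump(login_case_insensitive("demo", "demo"));
// Hardened variant: username case is ignored, password must match exactly.
var_dump(login_hashed("DEMO", "Demo", $users));
var_dump(login_hashed("demo", "demo", $users));
echo handle_login(["username" => "Demo", "password" => "Demo"], $users), PHP_EOL;
```

Run it with `php example.php`: the first and second checks succeed, the third fails because the hashed variant does not case-fold the password. The dummy-hash branch is a small detail worth keeping even in a demo site, since it costs nothing and removes an easy way to enumerate valid usernames from response timing.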