PHP: Case-Insensitive Login Check

Question

As of right now I check if a user can login in this manner:

// simply logic:
if (username == usernameEntered && password == passwordEntered) {

My database has an entry of Aaron within my user's table. But if I try to login as aaron or AARON etc. It will deny me access. So it seems it is case sensitive. Is this a problem with my database or how I'm checking for login credentials?

I remember back when I fiddled with JavaScript, /values/i could be used for case insensitivity. Is there something like this for PHP checks?

Also, since I'm here, is there much difference between isset(); and empty(); when in reference to cookies/$_GET[]; requests?

Answer 1

Use strtolower() or strtoupper() in both sides of the if condition.

if (strtolower(username) == strtolower(usernameEntered) && strtolower(password) == strtolower(passwordEntered))

These functions replace all upper letters with lower letters, or vice versa, allowing a case insensitive checking.

Also, you can see in detail the differences between isset() and empty() by checking the PHP documentation

PHP: isset - Manual

PHP: empty - Manual

References:

http://php.net/manual/en/function.strtoupper.php

http://php.net/manual/en/function.strtolower.php

Answer 2

Yep, use the strtolower function. Just need to do something like this:

if(strtolower($username) == strtolower($usernameEntered))

As for isset() and empty() , they are indeed different, but often they'll give you the same result. isset() tells you whether a variable was set at all (but it can still have no value). empty() tells in general whether the variable is equal to something. See the PHP documentation I linked to for each one. I would advise against using empty() for checking cookies and GET/POST values because empty strings and 0 are considered empty, which is probably not what you want. I would use isset() to see if the variable was set, and then further check it for whatever data you're looking for. Oftentimes you would want to deal with an empty string differently than no value at all.

Also, Pekka brought up in a comment that if you're finding the account in the database based on the username, then you really need to do the conversion to lowercase there. If so:

SELECT * FROM users WHERE LOWER(username) = LOWER(:username)

That's assuming you're using a prepared query with PDO. Otherwise just substitute your variable where I have :username (with proper string concatenation and so forth, of course. :)

EDIT: As deceze brought up in the comments, using LOWER() in a query like this would be a really bad idea because it would have to convert every username in the table to lowercase for comparison and would render any index on the field useless. A much better way would be to store a lowercase version of the username in the database as well with an index on the field. When the user tries to log in, convert what they entered to lowercase and then do the comparison with that.

Answer 3

You can use the COLLATE clause in an SQL statement to choose the collation that is used for comparison when searching for the username in the database:

SELECT * FROM `users` WHERE `username` COLLATE utf8_general_ci = 'FoObAr'

Using a _ci (case insensitive) collation will let you find values regardless of their case. Make sure to choose the right collation though or you may get unexpected results, as other characters will be regarded as equal as well (e and é for example). You can also set the collation on the column directly, so you don't have to include COLLATE in every query.

What you really should do though is to normalize usernames before they go into the database, so you're always storing usernames in lowercase for example. Then, when searching the database, you also lowercase the term to be searched for before plugging it into the query. See strtolower .

As for isset and empty : isset tells you whether a value exists at all, empty also tells you whether it's considered empty . Read the manual or http://kunststube.net/isset .