deviantART

~MsChaz:iconMsChaz: Oct 27, 2008, 10:50:45 AM
Hi, I've made an online text-based game in PHP, but for some reason when players sign in, the password isn't case-sensitive, but in other situations it is even though the code is the same...
I'm seriously stuck with this and I can't fix it...
HELP?

--
     Kommt Der Krieg Ins Land, Gibt's Lügen Wie Sand...

Devious Comments

*SLOShooter:iconSLOShooter: Oct 27, 2008, 12:03:34 PM
Got an example?

Are you using any string functions to manipulate the strings before you compare them?

--
My religion is simple.
My religion is kindness.
- The Dalai Lama
~woktiny:iconwoktiny: Oct 27, 2008, 12:45:25 PM
Pastebin and link the code you are using to check passwords, but the relevant PHP and SQL.

--
Good WebHosting
The Last Word in Passwords
~MsChaz:iconMsChaz: Oct 27, 2008, 2:01:17 PM
$username = addslashes(strip_tags($_POST['username']));
$password = addslashes(strip_tags($_POST['password']));

$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1' LIMIT 1");

$login_check = mysql_num_rows($sql);
$inf = mysql_fetch_object($sql);
if ($login_check == "0"){
$message="<font color=red>There has been an error, Please try again.</font>
";
}elseif ($login_check != "0"){


And then it goes on to say if the account is dead or banned etc...

Is there something basic I've done wrong? Or something I've put that shouldn't be there coz I don't fully know what addslashes means, it was just something I saw when I was learning PHP so I've always used that, but when I stopped it stopped the page from working, do I need to replace it with something else?

--
     Kommt Der Krieg Ins Land, Gibt's Lügen Wie Sand...
~woktiny:iconwoktiny: Oct 27, 2008, 2:13:18 PM
Well, I don't see why there's a case sensitivity issue, but to answer your other question, you can/should replace addslashes(strip_tags()) with mysql_real_escape_string(). I don't expect it to solve your problem, but it's the appropriate function to use there.

Now, to clarify your problem, your passwords are sometimes being accepted in the wrong case?

--
Good WebHosting
The Last Word in Passwords
~slak:iconslak: Oct 27, 2008, 2:31:02 PM
Store your passwords with an md5() encryption, then encrypt the user-supplied password and compare those... it will be case-sensitive.

--
deanwagner.net
~woktiny:iconwoktiny: Oct 27, 2008, 2:39:37 PM
*slak is right, btw. You could solve your problem by changing your process slightly. Instead of cleaning the password with addslashes, strip_tags, or mysql_real_escape_string, pass it to md5() or sha1(). Not only will these trap-door functions create a unique string for the password, they will account for case and eliminate characters that corrupt your SQL, like quotes. I use sha1() for my passwords. It also keeps passwords out of the DB so they cannot be retrieved, which many consider a security feature.

--
Good WebHosting
The Last Word in Passwords
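
Added example, not code from any poster in this thread: it reproduces the case-insensitive match produced by comparing the password inside the SQL query, next to a login check that looks the row up by username and verifies a hash in PHP. Assumptions: an in-memory SQLite table with a NOCASE column stands in for a MySQL column under a default case-insensitive (`_ci`) collation, PHP's `password_hash()`/`password_verify()` are swapped in for the `md5()`/`sha1()` mentioned in the thread, and the table, account and function names are constructed for the demo.

```php
<?php
// Constructed demo: SQLite's NOCASE collation stands in for MySQL's default
// case-insensitive (_ci) collation on the password column.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (
    username  TEXT PRIMARY KEY,
    password  TEXT COLLATE NOCASE,   -- plaintext, as in the posted query
    pass_hash TEXT,                  -- hardened variant
    activated INTEGER)");

// Constructed sample account.
$ins = $db->prepare("INSERT INTO users VALUES (?, ?, ?, 1)");
$ins->execute(['chaz', 'SecretPass', password_hash('SecretPass', PASSWORD_DEFAULT)]);

// Before: the database compares the password, so the column collation
// decides whether case matters.
function login_sql_compare(PDO $db, string $user, string $pass): bool {
    $q = $db->prepare("SELECT 1 FROM users
                       WHERE username = ? AND password = ? AND activated = 1");
    $q->execute([$user, $pass]);
    return $q->fetchColumn() !== false;
}

// After: look the row up by username only, then verify the hash in PHP.
// password_verify() is byte-exact, so case always matters, and bound
// parameters replace addslashes()/strip_tags() for the SQL part.
function login_hash_compare(PDO $db, string $user, string $pass): bool {
    $q = $db->prepare("SELECT pass_hash FROM users
                       WHERE username = ? AND activated = 1");
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// Try the stored password in three spellings against both checks.
foreach (['SecretPass', 'secretpass', 'SECRETPASS'] as $try) {
    printf("%-12s sql_compare=%-5s hash_compare=%s\n", $try,
        var_export(login_sql_compare($db, 'chaz', $try), true),
        var_export(login_hash_compare($db, 'chaz', $try), true));
}
```

Run with the PHP CLI with pdo_sqlite enabled: all three spellings pass the SQL comparison, while only the exact-case one passes the hash check.
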
*SLOShooter:iconSLOShooter: Oct 27, 2008, 2:49:59 PM
Plus, it covers your ass if your database is hacked or you have a malicious employee.

--
My religion is simple.
My religion is kindness.
- The Dalai Lama
*SLOShooter:iconSLOShooter: Oct 27, 2008, 2:50:42 PM
Are you doing anything to the inputs with JavaScript before they're getting sent to the server?

--
My religion is simple.
My religion is kindness.
- The Dalai Lama
~woktiny:iconwoktiny: Oct 27, 2008, 3:01:54 PM
...which many consider a security feature...

;)

--
Good WebHosting
The Last Word in Passwords