On Thu, 19 Dec 2002, Thilo Planz wrote:

> > A little bit of an optimization and security check - if all you are
> > doing is comparing whether the username and password match, why not
> > let SQL do it?
> >
> > my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and
> > USER_PASSWORD = ?";
> > my $sth = $dbh->prepare($query);
> > $sth->execute($user_ID, $pass_word);
> > my ($valid_login) = $sth->fetchrow_array (); # This could also be
> > changed....
>
> Good call, but one caveat:
>
> SQL is case-insensitive.
> So the password and userid will be compared case-insensitively as well.
> (I found out about this the hard way...)
>
> You could fix this by declaring the columns or the comparison as binary
> (at least in MySQL).
As I understand, the SQL language is case-insensitive. So "SELECT" and "WHERE" are the same as "select" and "where".

I believe whether the entity names are case-sensitive varies by vendor. I just checked that in Postgres I can create tables named "Test" and "test" that are separate.

In Postgres it's standard to treat the /contents/ of a field as case-sensitive. So passwords of "BIG" and "big" will not be equivalent unless you do an explicit case-insensitive comparison.

-mark
http://mark.stosberg.com/

---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/cgiapp@lists.erlbaum.net/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
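The disagreement in the thread comes down to collation: whether `USER_PASSWORD = ?` matches case-insensitively is decided by the collation of the column (or of the comparison), not by SQL itself. The following is an added example, not code from the thread or from CGI::Application. It uses SQLite in memory as an offline stand-in, which is an assumption on my part: SQLite's default BINARY collation behaves like the byte-wise comparison Mark describes for Postgres, and `COLLATE NOCASE` stands in for a MySQL case-insensitive default. The `user` table layout is the one from the quoted query; the user name and password are constructed sample data. It also shows the two fixes the thread points at, an explicit binary comparison in the query and doing the comparison in the application instead of in SQL.

```python
"""Show how collation decides whether the SQL-side login check from the
thread is case-sensitive, and two ways to make it byte-exact.

Added example using SQLite as a stand-in for MySQL/Postgres behaviour.
Table and column names follow the quoted query; the row is constructed.
"""
import hmac
import sqlite3

# Constructed sample row mirroring the thread's `user` table.
SAMPLE_USER = ("alice", "BigSecret")


def make_db(case_insensitive: bool) -> sqlite3.Connection:
    """Create the `user` table. With case_insensitive=True the columns get
    a case-folding collation, standing in for a MySQL default collation."""
    collate = "COLLATE NOCASE" if case_insensitive else ""
    conn = sqlite3.connect(":memory:")
    # `collate` is a fixed keyword chosen by a bool, never user input.
    conn.execute(
        f"CREATE TABLE user (USER_ID TEXT {collate}, USER_PASSWORD TEXT {collate})"
    )
    conn.execute("INSERT INTO user VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def valid_login(conn: sqlite3.Connection, user_id: str, password: str,
                force_binary: bool = False) -> bool:
    """The thread's count(*) query with bound parameters.

    force_binary=True adds an explicit binary collation to the comparison,
    which is the fix Thilo suggests (SQLite's spelling of it)."""
    cmp = "COLLATE BINARY" if force_binary else ""
    row = conn.execute(
        f"SELECT count(*) FROM user WHERE USER_ID = ? {cmp} "
        f"AND USER_PASSWORD = ? {cmp}",
        (user_id, password),
    ).fetchone()
    return row[0] == 1


def valid_login_app_side(conn: sqlite3.Connection, user_id: str,
                         password: str) -> bool:
    """Fetch the stored password and compare in the application.

    The password comparison is now byte-exact regardless of the column's
    collation (and constant-time); only the USER_ID lookup still follows
    the column collation."""
    row = conn.execute(
        "SELECT USER_PASSWORD FROM user WHERE USER_ID = ?", (user_id,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


def demonstrate() -> dict:
    """Run the same login attempts against both collations."""
    results = {}
    for label, ci in (("binary", False), ("nocase", True)):
        conn = make_db(ci)
        results[label] = {
            "exact": valid_login(conn, "alice", "BigSecret"),
            "wrong_case": valid_login(conn, "alice", "bigsecret"),
            "wrong_case_forced_binary": valid_login(
                conn, "alice", "bigsecret", force_binary=True),
            "wrong_case_app_side": valid_login_app_side(
                conn, "alice", "bigsecret"),
        }
        conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in demonstrate().items():
        print(label, outcome)
```

Under the binary collation only the exact password logs in; under the NOCASE collation the plain query also accepts "bigsecret", which is the failure Thilo ran into. Forcing a binary collation on the comparison, or pulling the stored value back and comparing it in the application, restores the case-sensitive check on either collation. The same reasoning applies to MySQL (`BINARY` columns or a `BINARY` comparison) and Postgres (byte-wise by default), but the exact keywords differ per vendor.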