Another possibility is to use likeIgnoreCaseExp to pull in results, but
then go in and manually filter out anything that's not an exact match
in your code. That's probably the safest bet and the most portable.
Of course, you then have to deal with the possibility that someone's
password is "%"

After a good night's sleep I arrived at the same conclusion. I pass the
unmodified password to likeIgnoreCaseExp and then I do a String compare
against the password in the *first* record that matched.

I don't care about the case where escape chars used in passwords would
cause likeIgnoreCaseExp to not include the record in the query result.

The only thing I assume here is that it is safe to pass a string from
an attacker to likeIgnoreCaseExp().


--
Øyvind Harboe
http://www.zylin.com
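As an added illustration, not code from this thread and not Cayenne's own API: a Python/sqlite3 sketch of the lookup pattern discussed above, fetching candidates with a case-insensitive LIKE and then applying an exact comparison in application code. It assumes a constructed `users` table with sample rows, and approximates `likeIgnoreCaseExp` with SQLite's LIKE (case-insensitive for ASCII by default). It also covers the "%" case raised in the thread in two ways: by checking every matched row rather than only the first, and, optionally, by escaping LIKE metacharacters before the query so the input matches itself literally.

```python
import hmac
import sqlite3

# Constructed sample data for the example (not from the original thread).
ROWS = [
    ("alice", "Secret1"),
    ("bob", "secret1"),
    ("carol", "%"),
]


def make_db():
    # In-memory table standing in for the persistent store behind the query API.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con


def escape_like(s, esc="\\"):
    # Neutralise LIKE metacharacters so user-supplied text matches only itself.
    return (
        s.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def like_candidates(con, pattern, escape=False):
    # Case-insensitive LIKE fetch, standing in for likeIgnoreCaseExp (assumption).
    # The value is always bound as a parameter, so only LIKE wildcards are in play.
    if escape:
        sql = "SELECT name, password FROM users WHERE password LIKE ? ESCAPE '\\'"
        return con.execute(sql, (escape_like(pattern),)).fetchall()
    sql = "SELECT name, password FROM users WHERE password LIKE ?"
    return con.execute(sql, (pattern,)).fetchall()


def exact_matches(rows, supplied):
    # Application-side exact filter over every candidate row. Checking only the
    # first row would be wrong when a wildcard such as "%" pulls in many rows.
    # compare_digest keeps the comparison time independent of where strings differ.
    return [
        name
        for name, stored in rows
        if hmac.compare_digest(stored.encode(), supplied.encode())
    ]


if __name__ == "__main__":
    con = make_db()
    for supplied in ("secret1", "SECRET1", "%"):
        rows = like_candidates(con, supplied)
        print(supplied, "->", len(rows), "LIKE candidates, exact:", exact_matches(rows, supplied))
    print("escaped % ->", len(like_candidates(con, "%", escape=True)), "candidate(s)")
```

With the unescaped query, "%" pulls back every row and only the exact filter separates the one real match; with `escape=True` the over-fetch never happens in the first place, which is the option to reach for when the escape syntax of the underlying store is known.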
