http://www.perlmonks.org?node_id=21744


in reply to mod_perl, Apache::Session

There's a potential bug in your code that might affect you down the road.

The bug would occur if you ended up with two usernames that were identical, except for case, and the password was the same. So, if you have a user 'foo' registered, but lets say he forgot to capitalize his name, so he hit the back button and entered 'Foo' as the username with the same password.

Since MySQL comparisons with the '=' operator are case-insensitive, your rows returned would be 2, which is != 1, so foo would be locked out using either username.

Of course, you can get around this with careful attention to detail on the input side. How you fix it depends on how much leniency you want to give your users. It's a rare situation, but one you should watch out for when making username/password checking scripts with MySQL.