PHP Clean Username
Post #1

Mel Blanc was allergic to carrots. Group: Official Designer | Posts: 6,371 | Joined: Aug 2008 | Member No: 676,291
Alas, another PHP topic. So, I have a login form. It works just like it should, but I realized I should allow clean usernames to be used. A clean username, basically, is an all-lowercase version of the original username (because some people are too lazy to use the shift key where necessary). So:
CODE
<?php
$username = $_POST['username'];
$clean = strtolower($username);
$password = $_POST['password'];
$safe = md5($password);

if (count($_POST) > 0) {
    if (!$username)
        $error = 'Please fill in your username';
    else if (!$password)
        $error = 'Please fill in your password';
    else if (!is_valid())
        $error = 'It looks like you\'re not a valid user. Try checking your username or password or feel free to <a href="/register/">sign up</a>.';
    else {
        $id = get_id();
        setcookie('user', $username, time() + 31556926, '/');
        setcookie('id', $id, 0, '/');
        // header() only redirects when given the "Location: " prefix
        header('Location: ' . $root . '/account/dashboard/');
    }
} else
    $error = '';
?>

is_valid() is in a functions file. I had it set so that it checked the username, password, and hashed password. However, I changed it around so that it'd check the clean username instead.

CODE
<?php
function is_valid() {
    global $clean, $password, $safe;
    // returns true when a row matches; falls through (null, i.e. falsy) otherwise
    if (mysql_num_rows(mysql_query("SELECT ID FROM users WHERE clean_username = '$clean' AND password = '$password' AND safe_password = '$safe'")) > 0)
        return true;
    return false;
}
?>

get_id() doesn't really do anything but get the ID from the MySQL database. Anyhow, what I can't understand is why it still generates an error. For example, let's say I have a user named User. If I log in using User, it works fine. However, if I use user, it generates an error. Now, I'd think that even if user is lowercase, $clean would just generate the same value (user). Aide?
Post #2

Senior Member | Group: Member | Posts: 1,237 | Joined: May 2008 | Member No: 648,123
I wouldn't think you need to have a "clean_username" column at all. MySQL non-binary columns (any column containing text that's not a "blob") are case-insensitive by default (meaning "User", "user" and "uSeR" will all match). Setting a username to lowercase is hardly clean, though; by not cleaning the string (stripping slashes and running it through real_escape_string, or disallowing non-alphanumeric characters completely), you're opening up your database to injection.
It also might be a bit counter-productive having a "password" and "safe_password" column. The idea of storing the md5 hash as a password is so if anyone manages to get into your database, it's impossible for them to see the actual password. Instead, they'd see an md5 hash that typically can't be reverse-engineered. Unless, of course, someone was stupid enough to put in a password like "apple", in which case there are dozens of sites out there that have a database of common md5 hashes. Anyway, by having "password" and "safe_password", an attacker will still be able to see the "password" column if he manages to get in. Oh... I should note something I discovered the other day. In PHP5, an empty array still counts as "1". So, if $_POST is empty, count($_POST) is still giving you a result of "1". Might be better to just use !empty($_POST), or count($_POST) == 2.
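The reply's three points (no separate lowercase column, no input spliced into SQL, no plaintext password column, plus !empty() for the POST check) put together as an added example; this is not code from either poster. It assumes a PDO connection in $db, a users table with columns id, username and password_hash, and swaps the thread's md5 column for PHP's password_hash()/password_verify().

```php
<?php
// Added example, not from the thread. Assumes $db is a PDO connection and the
// users table has columns: id, username, password_hash (password_hash() output).
declare(strict_types=1);

// Returns the user's id on a valid login, or null otherwise.
function is_valid(PDO $db, string $username, string $password): ?int
{
    // Bound parameter: the username never becomes part of the SQL grammar,
    // so quotes or comment sequences in it cannot alter the query.
    // LOWER() on both sides gives the case-insensitive match the original
    // poster wanted without a second "clean_username" column.
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM users WHERE LOWER(username) = LOWER(:u)'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Only a salted hash is stored, so a database leak does not expose the
    // password itself. password_verify() compares in constant time.
    if ($row === false || !password_verify($password, (string) $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$error = '';
if (!empty($_POST)) {                       // not count($_POST) > 0
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    if ($username === '') {
        $error = 'Please fill in your username';
    } elseif ($password === '') {
        $error = 'Please fill in your password';
    } elseif (($id = is_valid($db, $username, $password)) === null) {
        $error = 'It looks like you\'re not a valid user. Try checking your username or password.';
    } else {
        // Keep the logged-in identity server-side instead of in a cookie the
        // client can edit; $root is assumed to be the site's base URL.
        session_start();
        $_SESSION['id'] = $id;
        header('Location: ' . $root . '/account/dashboard/');
        exit;
    }
}
```

When creating the account, store password_hash($password, PASSWORD_DEFAULT) in password_hash and nothing else derived from the password.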