@@ -39,10 +39,16 @@ function find_role($login, $password, $i_am_admin = False)

   $uid = (int) $login;

   if ($uid == 0)

     $uid = 'NULL';

-  $result = db_query("SELECT passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");

+  $result = db_query("SELECT username, passwort AS password, kundenaccount AS `primary`, status, ((SELECT acc.uid FROM system.v_useraccounts AS acc LEFT JOIN system.gruppenzugehoerigkeit USING (uid) LEFT JOIN system.gruppen AS g ON (g.gid=gruppenzugehoerigkeit.gid) WHERE g.name='admin' AND acc.uid=u.uid) IS NOT NULL) AS admin FROM system.v_useraccounts AS u LEFT JOIN system.passwoerter USING(uid) WHERE u.uid={$uid} OR username='{$login}' LIMIT 1;");

   if (@mysql_num_rows($result) > 0)

   {

     $entry = mysql_fetch_object($result);

+    if ($entry->username != $login) {

+      // MySQL matched (warum auch immer) ohne Beachtung der Schreibweise. Wir wollen aber case-sensitive sein.

+      logger(LOG_WARNING, "session/checkuser", "login", "denying login to wrong cased username »{$login}«.");

+      warning('Beachten Sie bei der Eingabe Ihrer Zugangsdaten bitte die Groß- und Kleinschreibung.');

+      return NULL;  

+    }

     $db_password = $entry->password;

     $hash = crypt($password, $db_password);

     if (($entry->status == 0 && $hash == $db_password) || $i_am_admin)