--- mod_auth_mysql.c.orig 2005-06-22 18:17:45.000000000 +0200 +++ mod_auth_mysql.c 2007-02-24 14:53:03.000000000 +0100 @@ -858,7 +858,7 @@ /* checks plain text passwords */ static short pw_plain(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt) { - return strcmp(real_pw, sent_pw) == 0; + return strcasecmp(real_pw, sent_pw) == 0; } static char * str_format(request_rec * r, char * input) { @@ -1016,10 +1016,11 @@ * If we are in NoPasswd mode, returns user name instead. * If user or password not found, returns NULL */ -static char * get_mysql_pw(request_rec *r, char *user, mysql_auth_config_rec *m, const char *salt_column, const char ** psalt) { +static char * get_mysql_pw(request_rec *r, char *user, char *passwd, mysql_auth_config_rec *m, const char *salt_column, const char ** psalt) { MYSQL_RES *result; char *pw = NULL; /* password retrieved */ char *sql_safe_user = NULL; + char *sql_safe_passwd = NULL; int ulen; char query[MAX_STRING_LEN]; 
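Review bot: Switching pw_plain() to `strcasecmp` makes the plain-text password check case-insensitive, which shrinks the effective password space for every account that uses this scheme. A password verifier should compare exactly, so I would keep `return strcmp(real_pw, sent_pw) == 0;`. If the goal is case-insensitive user names, that belongs in the name lookup rather than in the password comparison. strcasecmp is declared in `<strings.h>`, and the file's include list is outside this hunk, so the declaration cannot be confirmed from here.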
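Review bot: The new `passwd` argument of get_mysql_pw() is only read in the visible code, so if the parameter is kept it should be declared `const char *passwd`. The call site in the last hunk passes `sent_pw`, whose declaration is not visible; if it is a `const char *`, the non-const parameter would discard the qualifier. The header comment above the signature still describes a lookup by user alone and should gain a line such as ` * passwd is the client-supplied password; it is escaped and used in the WHERE clause`. The function body continues past the end of this hunk.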
@@ -1040,25 +1041,29 @@ sql_safe_user = PCALLOC(r->pool, ulen*2+1); mysql_escape_string(sql_safe_user,user,ulen); + ulen = strlen(passwd); + sql_safe_passwd = PCALLOC(r->pool, ulen*2+1); + mysql_escape_string(sql_safe_passwd,passwd,ulen); + if (salt_column) { /* If a salt was requested */ if (m->mysqlUserCondition) { - SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s), %s FROM %s WHERE %s='%s' AND %s", + SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s), %s FROM %s WHERE %s LIKE '%s' AND %s LIKE '%s' AND %s", m->mysqlPasswordField, m->mysqlPasswordField, salt_column, m->mysqlpwtable, - m->mysqlNameField, sql_safe_user, str_format(r, m->mysqlUserCondition)); + m->mysqlNameField, sql_safe_user, m->mysqlPasswordField, sql_safe_passwd, str_format(r, m->mysqlUserCondition)); } else { - SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s), %s FROM %s WHERE %s='%s'", + SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s), %s FROM %s WHERE %s LIKE '%s' AND %s LIKE '%s'", m->mysqlPasswordField, m->mysqlPasswordField, salt_column, m->mysqlpwtable, - m->mysqlNameField, sql_safe_user); + m->mysqlNameField, sql_safe_user, m->mysqlPasswordField, sql_safe_passwd); } } else { if (m->mysqlUserCondition) { - SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s) FROM %s WHERE %s='%s' AND %s", + SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s) FROM %s WHERE %s LIKE '%s' AND %s LIKE '%s' AND %s", m->mysqlPasswordField, m->mysqlPasswordField, m->mysqlpwtable, - m->mysqlNameField, sql_safe_user, str_format(r, m->mysqlUserCondition)); + m->mysqlNameField, sql_safe_user, m->mysqlPasswordField, sql_safe_passwd, str_format(r, m->mysqlUserCondition)); } else { - SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s) FROM %s WHERE %s='%s'", + SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s) FROM %s WHERE %s LIKE '%s' AND %s LIKE '%s'", m->mysqlPasswordField, m->mysqlPasswordField, m->mysqlpwtable, - m->mysqlNameField, sql_safe_user); + m->mysqlNameField, sql_safe_user, 
m->mysqlPasswordField, sql_safe_passwd); } } if (mysql_query(connection.handle, query) != 0) { @@ -1220,7 +1225,7 @@ return DECLINED; } - real_pw = get_mysql_pw(r, user, sec, salt_column, &salt ); /* Get a salt if one was specified */ + real_pw = get_mysql_pw(r, user, sent_pw, sec, salt_column, &salt ); /* Get a salt if one was specified */ if(!real_pw) {
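Review bot: The four rewritten SNPRINTF formats match both the name and the password column with `LIKE`, using values that only went through mysql_escape_string(). That function does not escape the LIKE wildcards `%` and `_`, so the submitted user name and password are treated as patterns rather than literals and the lookup no longer identifies one exact account. Moving the password test into SQL also compares the cleartext `passwd` with the stored column, which can only match for plain-text storage, so hashed or salted schemes would presumably get NULL back. It also puts the submitted password into the query text, where any statement logging on the database server would record it. I would keep the predicate as `WHERE %s='%s'` on `m->mysqlNameField, sql_safe_user` alone and leave password verification to the existing check functions; if case-insensitive user names are wanted, the name column's collation is the place to get that. The added `strlen(passwd)` has no NULL guard, and whether `sent_pw` can be NULL at the call site is not visible from this hunk.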