I have just found a pretty major vulnerability in my code while doing some testing.
Basically, if my username was “admin” and my password was, say, “12345”…
and a user joined and chose the name “Admin” and the same password “12345”,
when he/she goes to log in they will be in my account on the website. As you can imagine I have created quite a flaw, as this would affect every potential user on the site.
So, my question is: what can I change in this statement to make it check for an EXACT match?
WHERE login_name ='$user' AND user_password ='$pass' LIMIT 1";
Here's the login_process.php file:
<?php
require_once("includes/session.php");

// Open the database connection (legacy mysql_* extension, as used on this site).
$connection = mysql_connect("localhost", "user", "password");
if (!$connection)
{
    die("Database connection failed: " . mysql_error());
}
$db_select = mysql_select_db("game", $connection);
if (!$db_select)
{
    die("Database selection failed: " . mysql_error());
}

// Escape the submitted credentials before they go into the query string.
// Note: the password is escaped *before* hashing, so a password containing
// quotes or backslashes is hashed in its escaped form; registration must do the same.
$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
$pass = sha1($pass);

// Need to make a change to the below query, as it doesn't match for case sensitivity:
// with a case-insensitive collation on login_name, 'Admin' matches the 'admin' row.
$query = "SELECT user_id, user_name, user_level FROM users WHERE login_name ='$user' AND user_password ='$pass' LIMIT 1";
$result = mysql_query($query);

if (mysql_num_rows($result) == 1)
{
    // Exactly one row matched: store its identity in the session and redirect.
    $found_user = mysql_fetch_array($result);
    $_SESSION['user_id'] = $found_user['user_id'];
    $_SESSION['user_name'] = $found_user['user_name'];
    $_SESSION['user_level'] = $found_user['user_level'];
    header("Location: index.php");
}
else
{
    echo "The username or password you entered was incorrect. <br/> Please click <a href='login.php'>Here</a> to try again.";
}
?>
The default collation of the database is case insensitive, so the users admin, Admin and adMin are the same. While creating a user, check the database whether the same username already exists or not.
It seems that you are using a case sensitive collation. You can use a case insensitive collation for that user table so that your query will work fine,
or,
while creating a user and checking the database for a duplicate entry, use the
LCASE function as follows
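The collision described in the question, together with the case-insensitive duplicate check the answers recommend, as an added example that is not code from the question or from either answer. It uses Python's bundled sqlite3 instead of MySQL: sqlite's `COLLATE NOCASE` stands in for MySQL's default case-insensitive collation, and sqlite's `LOWER()` stands in for MySQL's `LCASE()`. The `users` table and the `login_name`/`user_password` columns follow the question's query; the function names, the pbkdf2 hashing and the sample accounts are constructed here. The "fixed" path also shows the second half of the repair: select the row by name only, then verify a per-user salted hash, so the password never takes part in choosing which row is returned.

```python
"""Reproduce the 'admin' / 'Admin' account collision and show a fix (added example)."""
import hashlib
import hmac
import os
import sqlite3


def make_db(unique_names: bool) -> sqlite3.Connection:
    """users table with a case-insensitive login_name, like the question's database.
    unique_names=True adds a UNIQUE constraint; under a case-insensitive collation
    the constraint itself rejects 'Admin' once 'admin' exists."""
    conn = sqlite3.connect(":memory:")
    unique = "UNIQUE" if unique_names else ""
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        f"login_name TEXT COLLATE NOCASE {unique}, user_password TEXT NOT NULL)"
    )
    return conn


# --- the question's scheme: unsalted sha1, row chosen by name AND hash -------------

def register_original(conn, name: str, password: str) -> None:
    digest = hashlib.sha1(password.encode()).hexdigest()
    conn.execute("INSERT INTO users (login_name, user_password) VALUES (?, ?)", (name, digest))


def login_original(conn, name: str, password: str):
    """Same WHERE clause as login_process.php, parameterised. Returns user_id or None."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT user_id FROM users WHERE login_name = ? AND user_password = ? LIMIT 1",
        (name, digest),
    ).fetchone()
    return row[0] if row else None


# --- hardened scheme (constructed for this example) ------------------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_fixed(conn, name: str, password: str) -> bool:
    """Refuse a name that already exists in any letter case (the LOWER/LCASE check from
    the answers; the UNIQUE constraint backs it up against races), then store a
    per-user salted hash so two users with the same password share no stored value."""
    exists = conn.execute(
        "SELECT 1 FROM users WHERE LOWER(login_name) = LOWER(?)", (name,)
    ).fetchone()
    if exists:
        return False
    salt = os.urandom(16)
    stored = salt.hex() + "$" + _hash_password(password, salt).hex()
    conn.execute("INSERT INTO users (login_name, user_password) VALUES (?, ?)", (name, stored))
    return True


def login_fixed(conn, name: str, password: str):
    """Fetch the single row for this name, then verify the password against that row."""
    row = conn.execute(
        "SELECT user_id, user_password FROM users WHERE login_name = ? LIMIT 1", (name,)
    ).fetchone()
    if row is None:
        return None
    salt_hex, hash_hex = row[1].split("$")
    candidate = _hash_password(password, bytes.fromhex(salt_hex))
    return row[0] if hmac.compare_digest(candidate, bytes.fromhex(hash_hex)) else None


def demo() -> dict:
    results = {}
    # 1. The flaw: a second account 'Admin' with the same password is accepted, and
    #    logging in as 'Admin' lands in user_id 1 ('admin'), the first matching row.
    conn = make_db(unique_names=False)
    register_original(conn, "admin", "12345")   # user_id 1
    register_original(conn, "Admin", "12345")   # user_id 2, accepted silently
    results["original_login_as_Admin"] = login_original(conn, "Admin", "12345")   # 1
    # 2. The fix: the duplicate is refused, so one name in any case means one account.
    conn = make_db(unique_names=True)
    results["fixed_register_admin"] = register_fixed(conn, "admin", "12345")      # True
    results["fixed_register_Admin"] = register_fixed(conn, "Admin", "12345")      # False
    results["fixed_login_ok"] = login_fixed(conn, "admin", "12345")               # 1
    results["fixed_login_case_variant"] = login_fixed(conn, "Admin", "12345")     # 1 (same account)
    results["fixed_login_wrong_pw"] = login_fixed(conn, "admin", "54321")         # None
    return results


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that changing the collation alone is not the whole repair: what closes the hole is guaranteeing one account per name regardless of case at registration time (a UNIQUE index on a case-insensitive column does this in MySQL as well), and authenticating by looking the row up by name and then checking the password, never by letting the password hash select the row.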