Jedijon Posted March 8, 2019

How do I add the ability to log in with either a username or an email address?

    <?php
    ob_start();
    include('../header.php');
    include_once("../db_connect.php");
    session_start();

    // Already logged in: send the user to the dashboard. isset() returns a bool,
    // so comparing it against "" is wrong; test it directly and stop after redirecting.
    if (isset($_SESSION['user_id'])) {
        header("Location: ../dashboard");
        exit;
    }

    if (isset($_POST['login'])) {
        $email    = mysqli_real_escape_string($conn, $_POST['email']);
        // Hash the raw password; escaping it first changes the value that gets hashed.
        $password = $_POST['password'];

        // NOTE: md5() is not a password hash. Store password_hash() output in the
        // table and check it with password_verify() instead of comparing in SQL.
        $result = mysqli_query($conn, "SELECT * FROM users WHERE email = '" . $email . "' AND pass = '" . md5($password) . "'");

        if ($row = mysqli_fetch_array($result)) {
            $_SESSION['user_id']    = $row['uid'];
            $_SESSION['user_name']  = $row['user'];
            $_SESSION['user_email'] = $row['email'];
            header("Location: ../dashboard");
            exit;
        } else {
            $error_message = "Incorrect Email or Password!!!";
        }
    }
    ?>
requinix Posted March 9, 2019

Don't allow @s in usernames; then you can easily check what the value is supposed to represent and decide which column to check against. This is better than a simple "email = value or username = value" because... well, I don't know if I have concrete reasons that can be written out, but to me it feels better. Instinct.
maxxd Posted March 9, 2019

I have to disagree with @requinix about this - I find limiting the characters in usernames ickier than checking against both the username and email addresses. There should only be one instance of the email and the username in the database - remember, that's one instance each and not a combination of both. So if either exists in the database and the password matches, there's a not insubstantial assurance that it's the correct registered user.
requinix Posted March 9, 2019

Fair enough. I get the practicality of saying either/or; it's easy enough and doesn't require a variety of if/else checks. But usernames should be filtered to some degree - no "admin" or "administrator" or other misleading terms that may be relevant to the application (eg, "moderator", "author"), and allowing anything Unicode is funny when you consider emojis but scary if it also allows non-printables.
maxxd Posted March 9, 2019

Excellent point about Unicode and non-printable characters. And while I do agree there should be at least some sort of warning to people that obvious usernames should be avoided, I'd also say the user roles should be relevant to the application, not user names. So 'admin', 'moderator', etc. are perfectly acceptable user roles and user names because the one has no bearing on the other. That being said, there's nothing at all wrong with dictating which should be used for logging in - and doing so minimizes chances of logic errors during the process.
Barand Posted March 9, 2019 (edited)

Even with unique constraints on username and on email, without restrictions on usernames you could potentially have this situation:

    +--------+----------------+-----------------+----------+
    | Emp ID | Username       | Email           | Password |
    +--------+----------------+-----------------+----------+
    | 1      | joe@abc.com    | bloggsj@abc.com | s3cr3t   |
    | 2      | jsmith@abc.com | joe@abc.com     | s3cr3t   |
    +--------+----------------+-----------------+----------+

Your query would then find both employees.

Also, many companies use the convention that an employee's email address is <username>@<domainname>. The presence of @ in the username would render the address invalid.

Edited March 9, 2019 by Barand: spulling error
maxxd Posted March 9, 2019

That is true...
Jedijon (Author) Posted March 9, 2019

How would you do this?
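An added example, not code from any poster in this thread, that puts requinix's "no @ in usernames, then dispatch on the value" rule next to Barand's two-employee collision, and sketches an answer to the follow-up question. It uses PDO with an in-memory SQLite database so it runs offline; the users table, its column names (uid, username, email, pass_hash) and the two sample rows are assumptions copied from Barand's table, and it uses prepared statements with password_hash()/password_verify() instead of the md5() comparison in the original post.

```php
<?php
// Added example, not the original poster's code: pick the column from the
// identifier instead of querying "email = ? OR username = ?".
// Runs offline against an in-memory SQLite database via PDO. The users table,
// its columns (uid, username, email, pass_hash) and the sample rows are assumptions.
declare(strict_types=1);

// Registration rule: 3-32 printable ASCII characters, never '@'. With this in
// force, any submitted identifier containing '@' can only be an e-mail address.
function is_valid_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $username) === 1;
}

// Choose which column the identifier is matched against. The return value is
// one of two fixed literals, so it is safe to interpolate into the query below.
function identifier_column(string $identifier): string
{
    return strpos($identifier, '@') !== false ? 'email' : 'username';
}

// Returns the account row (without the hash) on success, null on any failure.
function login(PDO $db, string $identifier, string $password): ?array
{
    $column = identifier_column($identifier);
    $stmt = $db->prepare("SELECT uid, username, email, pass_hash FROM users WHERE $column = ?");
    $stmt->execute([$identifier]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // UNIQUE constraints allow at most one row per column; anything else is a data problem.
    if (count($rows) !== 1) {
        return null;
    }
    $row = $rows[0];

    // password_verify() checks password_hash() output in constant time.
    if (!password_verify($password, $row['pass_hash'])) {
        return null;
    }
    unset($row['pass_hash']);
    return $row;
}

// Constructed sample data reproducing Barand's two-employee table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    uid       INTEGER PRIMARY KEY,
    username  TEXT NOT NULL UNIQUE,
    email     TEXT NOT NULL UNIQUE,
    pass_hash TEXT NOT NULL
)');
$insert = $db->prepare('INSERT INTO users (username, email, pass_hash) VALUES (?, ?, ?)');
$insert->execute(['joe@abc.com',    'bloggsj@abc.com', password_hash('s3cr3t', PASSWORD_DEFAULT)]);
$insert->execute(['jsmith@abc.com', 'joe@abc.com',     password_hash('s3cr3t', PASSWORD_DEFAULT)]);

// The either/or query matches both employees for the identifier "joe@abc.com".
$either = $db->prepare('SELECT uid FROM users WHERE username = ? OR email = ?');
$either->execute(['joe@abc.com', 'joe@abc.com']);
printf("either/or query matched %d row(s)\n", count($either->fetchAll()));

// Dispatching on '@' treats the same identifier as an e-mail address and finds one account.
$account = login($db, 'joe@abc.com', 's3cr3t');
printf("dispatched login matched uid %s\n", $account === null ? 'none' : $account['uid']);

// Both sample usernames fail the registration rule, which removes the ambiguity at the source.
foreach (['joe@abc.com', 'jsmith@abc.com', 'jsmith'] as $candidate) {
    printf("%-15s valid username? %s\n", $candidate, is_valid_username($candidate) ? 'yes' : 'no');
}
```

In a real login page the successful branch would go on to call session_regenerate_id(true), store the uid in the session, send the redirect and exit, exactly as the thread's code does after its query; the point here is only that the column is chosen by a fixed rule and the password is never part of the SQL.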