
How to add the ability to login with username or email for login?


Jedijon


<?php 
ob_start();
include('../header.php');
include_once("../db_connect.php");
session_start();
// Already logged in: redirect and stop. isset() returns a bool, so the original
// "isset(...) != ''" comparison was meaningless, and header() alone does not end the script.
if (!empty($_SESSION['user_id'])) {
	header("Location: ../dashboard");
	exit;
}
if (isset($_POST['login'])) {
	$email    = $_POST['email'] ?? '';
	$password = $_POST['password'] ?? '';
	// Bind the values instead of escaping them into the SQL string.
	$stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE email = ? AND pass = ?");
	// md5() is kept only because the existing table stores md5 hashes; it is unsalted and fast,
	// so password_hash()/password_verify() should replace it when the table is migrated.
	$hash = md5($password);
	mysqli_stmt_bind_param($stmt, "ss", $email, $hash);
	mysqli_stmt_execute($stmt);
	$result = mysqli_stmt_get_result($stmt);
	if ($row = mysqli_fetch_array($result)) {
		session_regenerate_id(true); // fresh session id once the user is authenticated
		$_SESSION['user_id'] = $row['uid'];
		$_SESSION['user_name'] = $row['user'];	
		$_SESSION['user_email'] = $row['email'];		
		header("Location: ../dashboard");
		exit;
	} else {
		$error_message = "Incorrect Email or Password!!!";
	}
}
?>


Don't allow @s in usernames, then you can easily check what the value is supposed to represent and decide which column to check against.

This is better than a simple "email = value or username = value" because... well, I don't know if I have concrete reasons that can be written out, but to me it feels better. Instinct.


I have to disagree with @requinix about this - I find limiting the characters in usernames ickier than checking against both the username and email addresses. There should only be one instance of the email and the username in the database - remember, that's one instance each and not a combination of both. So if either exists in the database and the password matches, there's a not insubstantial assurance that it's the correct registered user.


Fair enough. I get the practicality of saying either/or, it's easy enough and doesn't require a variety of if/else checks. But usernames should be filtered to some degree - no "admin" or "administrator" or other misleading terms that may be relevant to the application (eg, "moderator", "author"), and allowing anything Unicode is funny when you consider emojis but scary if it also allows non-printables.


Excellent point about unicode and non-printable characters. And while I do agree there should be at least some sort of warning to people that obvious usernames should be avoided, I'd also say the user roles should be relevant to the application, not user names. So 'admin' , 'moderator', etc. are perfectly acceptable user roles and user names because the one has no bearing on the other.

That being said, there's nothing at all wrong with dictating which should be used for logging in - and doing so minimizes chances of logic errors during the process.


Even with unique constraints on username and on email, without restrictions on usernames you could potentially have this situation

+------------+---------------+-----------------+------------------+
| Emp ID     | Username      | Email           | Password         |
+------------+---------------+-----------------+------------------+
|     1      | joe@abc.com   | bloggsj@abc.com | s3cr3t           |
|     2      | jsmith@abc.com| joe@abc.com     | s3cr3t           |
+------------+---------------+-----------------+------------------+


Your query would then find both employees


Also, many companies use the convention that an employee's email address is

<username> @ <domainname>

The presence of @ in the username would render the address invalid.

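A worked version of the lookup the original question asks for, which also reproduces the collision shown in the table in the post above. This is an added example, not code from the thread: it uses Python with an in-memory SQLite table standing in for the MySQL users table and salted PBKDF2 standing in for PHP's password_hash()/password_verify(). The two rows are constructed from that table (employee 1's username is the string joe@abc.com, which is employee 2's email). It shows both approaches discussed: an "either column" query that refuses to guess when two accounts match, and the "no @ in usernames" approach that picks the column from the identifier's shape. The same two parameterized queries can be run unchanged from mysqli_prepare().

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data from the table in the thread: both columns are UNIQUE,
# yet an "either column" lookup for joe@abc.com hits both rows.
SAMPLE_USERS = [
    (1, "joe@abc.com", "bloggsj@abc.com", "s3cr3t"),
    (2, "jsmith@abc.com", "joe@abc.com", "s3cr3t"),
]


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 stored as one self-describing string (stands in for password_hash)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute and compare in constant time (stands in for password_verify)."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Checked when no account matches, so an unknown identifier costs the same time as a wrong password.
DUMMY_HASH = hash_password("not-a-real-password")


def make_db() -> sqlite3.Connection:
    """Build the users table with the constructed rows, hashing each password on insert."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, "
        "email TEXT UNIQUE NOT NULL, pass TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (uid, username, email, pass) VALUES (?, ?, ?, ?)",
        [(uid, user, email, hash_password(pw)) for uid, user, email, pw in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def _finish(row, password: str):
    """Return the uid if the password matches the single candidate row, else None."""
    if row is None:
        verify_password(password, DUMMY_HASH)  # burn the same time as a real check
        return None
    uid, stored = row
    return uid if verify_password(password, stored) else None


def login_either_column(conn: sqlite3.Connection, identifier: str, password: str):
    """'username = ? OR email = ?' lookup that fails closed when the identifier matches two accounts."""
    rows = conn.execute(
        "SELECT uid, pass FROM users WHERE username = ? OR email = ?", (identifier, identifier)
    ).fetchall()
    # Zero rows: unknown account. Two rows: the collision from the table; treat it as a failed
    # login rather than silently taking whichever row the database happened to return first.
    return _finish(rows[0] if len(rows) == 1 else None, password)


def login_by_shape(conn: sqlite3.Connection, identifier: str, password: str):
    """Pick the column from the identifier's shape (the 'no @ in usernames' rule), then query only it."""
    # The query text is chosen from two fixed literals, never built from user input; the value is bound.
    query = ("SELECT uid, pass FROM users WHERE email = ?" if "@" in identifier
             else "SELECT uid, pass FROM users WHERE username = ?")
    return _finish(conn.execute(query, (identifier,)).fetchone(), password)
```

With the two constructed rows, login_either_column rejects joe@abc.com even with the correct password because both accounts match, while login_by_shape reads the @ as "this is an email" and logs in employee 2; the shape rule only stays correct if registration actually refuses usernames containing @, otherwise employee 2's username jsmith@abc.com can never be used to log in.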

Archived

This topic is now archived and is closed to further replies.
