Jedijon

How to add the ability to login with username or email for login?


How to add the ability to login with username or email for login?

 

<?php 
ob_start();
include('../header.php');
include_once("../db_connect.php");
session_start();
// Already logged in: go straight to the dashboard
if (isset($_SESSION['user_id'])) {
	header("Location: ../dashboard");
	exit; // stop here so nothing below runs after the redirect
}
if (isset($_POST['login'])) {
	// Escape the submitted values before building the query string
	$email = mysqli_real_escape_string($conn, $_POST['email']);
	$password = mysqli_real_escape_string($conn, $_POST['password']);
	// Look up a user whose email and md5 password hash both match
	$result = mysqli_query($conn, "SELECT * FROM users WHERE email = '" . $email. "' and pass = '" . md5($password). "'");
	if ($row = mysqli_fetch_array($result)) {
		// Match found: store the user's details in the session
		$_SESSION['user_id'] = $row['uid'];
		$_SESSION['user_name'] = $row['user'];	
		$_SESSION['user_email'] = $row['email'];		
		header("Location: ../dashboard");
		exit;
	} else {
		$error_message = "Incorrect Email or Password!!!";
	}
}
?>

 


Don't allow @s in usernames, then you can easily check what the value is supposed to represent and decide which column to check against.

This is better than a simple "email = value or username = value" because... well, I don't know if I have concrete reasons that can be written out, but to me it feels better. Instinct.


I have to disagree with @requinix about this - I find limiting the characters in usernames ickier than checking against both the username and email addresses. There should only be one instance of the email and the username in the database - remember, that's one instance each and not a combination of both. So if either exists in the database and the password matches, there's a not insubstantial assurance that it's the correct registered user.


Fair enough. I get the practicality of saying either/or, it's easy enough and doesn't require a variety of if/else checks. But usernames should be filtered to some degree - no "admin" or "administrator" or other misleading terms that may be relevant to the application (eg, "moderator", "author"), and allowing anything Unicode is funny when you consider emojis but scary if it also allows non-printables.


Excellent point about Unicode and non-printable characters. And while I do agree there should be at least some sort of warning to people that obvious usernames should be avoided, I'd also say the user roles should be relevant to the application, not user names. So 'admin', 'moderator', etc. are perfectly acceptable user roles and user names because the one has no bearing on the other.

That being said, there's nothing at all wrong with dictating which should be used for logging in - and doing so minimizes chances of logic errors during the process.


Even with unique constraints on username and on email, without restrictions on usernames you could potentially have this situation:

+--------+----------------+-----------------+----------+
| Emp ID | Username       | Email           | Password |
+--------+----------------+-----------------+----------+
|   1    | joe@abc.com    | bloggsj@abc.com | s3cr3t   |
|   2    | jsmith@abc.com | joe@abc.com     | s3cr3t   |
+--------+----------------+-----------------+----------+

Your query would then find both employees.

Also, many companies use the convention that an employee's email address is

<username> @ <domainname>

The presence of @ in the username would render the address invalid.

Edited by Barand
spulling error


That is true...

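The approach discussed in this thread (usernames may not contain @, so the submitted value itself tells you which column to check), as an added example that is not code from any of the posters. It assumes PDO with an in-memory SQLite table standing in for the `users` table, a prepared statement, and hashes made with password_hash() instead of md5(); the helpers isValidUsername(), loginColumn() and findUser() and the sample rows are hypothetical.

```php
<?php
// Added example: the table is built in memory from constructed rows so the script runs offline.
declare(strict_types=1);

// Registration-side rule: no "@" in usernames, and only printable ASCII letters, digits, ". _ -".
function isValidUsername(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $name) === 1;
}

// With that rule in force, a value containing "@" can only be an e-mail address.
function loginColumn(string $identifier): string
{
    return strpos($identifier, '@') !== false ? 'email' : 'user';
}

// Returns the matching user row, or null when the identifier or password is wrong.
function findUser(PDO $db, string $identifier, string $password): ?array
{
    // The column name comes from a fixed two-value choice, never from user input.
    $column = loginColumn($identifier);
    $stmt = $db->prepare("SELECT uid, user, email, pass FROM users WHERE $column = ?");
    $stmt->execute([$identifier]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    return $row;
}

// Constructed demo data; UNIQUE on each column means at most one row per lookup.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, user TEXT UNIQUE, email TEXT UNIQUE, pass TEXT)');
$insert = $db->prepare('INSERT INTO users (user, email, pass) VALUES (?, ?, ?)');
$insert->execute(['bloggsj', 'bloggsj@abc.com', password_hash('s3cr3t', PASSWORD_DEFAULT)]);
$insert->execute(['jsmith', 'joe@abc.com', password_hash('s3cr3t', PASSWORD_DEFAULT)]);

// The same form field accepts either kind of identifier.
foreach (['joe@abc.com', 'jsmith', 'bloggsj@abc.com', 'nobody'] as $id) {
    $u = findUser($db, $id, 's3cr3t');
    printf("%-16s -> %s\n", $id, $u === null ? 'no match' : "uid {$u['uid']} ({$u['user']})");
}
// The username from the table in the thread is refused at registration time.
printf("'joe@abc.com' accepted as a username: %s\n", var_export(isValidUsername('joe@abc.com'), true));
```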
