
Login With Username or Email And Password - Cleaning Up The

Posted: Thu Sep 28, 2017 7:42 pm
by UniqueIdeaMan
Folks,

Let us work on this following suggested code:

Code:

if ($_SERVER['REQUEST_METHOD'] == "POST") // not really needed since you're checking $_POST
{
    if (isset($_POST["login_username"]) && isset($_POST["login_password"])) {
        $username = trim($_POST["login_username"]); //
        $password = trim($_POST["login_password"]); //
        $hashed_password = password_hash($_POST["login_password"], PASSWORD_DEFAULT);
        $sql = "
SELECT
  ids,
  usernames, 
  passwords, 
  emails, 
  accounts_activations_statuses 
FROM users 
WHERE usernames = ?
  AND passwords = ?
";
        $stmt = mysqli_prepare($conn, $sql);
        mysqli_stmt_bind_param($stmt, 'ss', $username, $hashed_password);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_store_result($stmt); // buffer the result so mysqli_stmt_num_rows() is meaningful
        if (mysqli_stmt_num_rows($stmt)) {
            // found a match, we're good to go...
        } else {
            // whatever you do when user/password not found...
        }
    }
}  
Ok. The above was based on the User inputting his Username & Password.
Now, imagine the html login form gave the user a choice to either input his Username or Email and then his Password.
Now, how would you code it ? Where would you change to what ?
tbl column names are:
usernames
emails
passwords

Imagine the html form looks like this:

Code:

<!DOCTYPE html>
<html>
<head>
<title><?= $site_name ?> Member Login Page</title>
  <meta charset="utf-8">
</head>
<body>
<form method="post" action="">
	<h3><?= $site_name ?> Member Login Form</h3>
	<fieldset>
		<label for="login_name">Username/Email:</label>
		<input type="text" name="login_username_or_email" id="login_name" value="<?php if(isset($_COOKIE["login_username_or_email"])) echo htmlspecialchars($_COOKIE["login_username_or_email"], ENT_QUOTES); ?>">
		<br>
		<label for="login_pass">Password:</label>
		<input type="password" name="login_password" id="login_pass" value="<?php if(isset($_COOKIE["login_password"])) echo htmlspecialchars($_COOKIE["login_password"], ENT_QUOTES); ?>">
	</fieldset>
	<div class="submitsAndHiddens">
		<label for="login_remember">Remember Login Details:</label>
		<input type="checkbox" name="login_remember" />
		<br>
		<button type="submit">Login</button>
		<br>
		<a href="login_password_reset.php">Forgot your Password ? Reset it here!</a>
		<br>
		<a href="register.php">Register here!</a>
	</div>
</form>

</body>
</html>
On the form, I have not quite got the cookie thing ("Remember Me" feature) sorted.

Another code I was suggested is the following but it is in pdo and my few pages of codes are in mysqli procedural style.
Hence, I need help converting this from pdo to mysqli procedural style.

Code:

if (
	array_key_exists('login_username_or_email', $_POST) &&
	array_key_exists('login_password', $_POST)
) {

	// don't bother trimming, they can't enter it right, don't let them log in!

	// pick the lookup column: input containing '@' is treated as an e-mail
	$stmt = $conn->prepare('
		SELECT ids, usernames, passwords, emails, accounts_activations_statuses
		FROM users
		WHERE ' . (
			strpos($_POST['login_username_or_email'], '@') === false ? 'usernames' : 'emails'
		) . ' = ?
	');
	$stmt->bind_param('s', $_POST['login_username_or_email']);
	$stmt->execute();
	$stmt->bind_result(
		$db_id, $db_username, $db_password, $db_email,
		$db_account_activation_status
	);
	
	if (
		$stmt->fetch() &&
		password_verify($_POST['login_password'], $db_password)
	) {
		echo '
			<p>Login Successful</p>
			<dl>
				<dt>User Id</dt>
				<dd>', htmlspecialchars($db_id), '</dd>
				<dt>E-Mail</dt>
				<dd>', htmlspecialchars($db_email), '</dd>
				<dt>Username</dt>
				<dd>', htmlspecialchars($db_username), '</dd>
				<dt>Activation Stats</dt>
				<dd>', htmlspecialchars($db_account_activation_status), '</dd>
			</dl>
		';
	} else echo '<p>Invalid username or password</p>';	
	$stmt->close();
	
} else echo '<p>Missing username or password</p>';
I'd appreciate your own suggested code sample as well, but make sure it is in mysqli procedural style.
This will be a good learning curve for newbies from this forum.

Re: Login With Username or Email And Password - Cleaning Up

Posted: Fri Sep 29, 2017 5:05 am
by Celauran
UniqueIdeaMan wrote:Ok. The above was based on the User inputting his Username & Password.
Now, imagine the html login form gave the user a choice to either input his Username or Email and then his Password.
Now, how would you code it ? Where would you change to what ?
tbl column names are:
usernames
emails
passwords
Remove password from where clause. You're storing the password hashed, then you're hashing it again -- with a different salt -- before querying. Those hashes won't match. As for allowing username or email, why not just use an OR in your WHERE statement?

Code:

SELECT
  ids,
  usernames,
  passwords,
  emails,
  accounts_activations_statuses
FROM users
WHERE usernames = ? OR emails = ?
You'll get back rows matching the provided username or email and can then pass the hashed password returned by the query and the clear text password provided by the user to password_verify.
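
The query above wired into a mysqli procedural login check, as an added example that is not part of the original post or anyone's code in this thread. `check_login` and the `$conn` connection handle are assumptions; the column and form field names are the ones used earlier on this page.

```php
<?php
// Added example, not code from this thread. Assumes $conn is an open mysqli
// connection and users.passwords holds password_hash() output.
function check_login(mysqli $conn, string $login, string $password): ?array
{
    $sql = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses
            FROM users
            WHERE usernames = ? OR emails = ?";
    $stmt = mysqli_prepare($conn, $sql);
    if ($stmt === false) {
        return null;
    }
    // One form field, two placeholders: bind the same value twice.
    mysqli_stmt_bind_param($stmt, 'ss', $login, $login);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $username, $hash, $email, $status);

    // OR can return two rows (one member's username equal to another member's
    // e-mail), so the password is checked against every row that comes back.
    $user = null;
    $rows = 0;
    while (mysqli_stmt_fetch($stmt)) {
        $rows++;
        if ($user === null && password_verify($password, $hash)) {
            $user = ['id' => $id, 'username' => $username,
                     'email' => $email, 'status' => $status];
        }
    }
    mysqli_stmt_close($stmt);

    if ($rows === 0) {
        // Unknown account: do one hash's worth of work anyway so the response
        // time stays close to that of a wrong password on a real account.
        password_hash($password, PASSWORD_DEFAULT);
    }
    return $user;
}

$login    = $_POST['login_username_or_email'] ?? null;
$password = $_POST['login_password'] ?? null;
if (is_string($login) && is_string($password)) {   // rejects array-valued fields
    $user = check_login($conn, $login, $password);
    echo $user !== null
        ? '<p>Login successful: ' . htmlspecialchars($user['username']) . '</p>'
        : '<p>Invalid username/e-mail or password</p>';
} else {
    echo '<p>Missing username/e-mail or password</p>';
}
```

The returned `status` value is left for the caller to check before starting a session, since the thread does not say what values `accounts_activations_statuses` holds.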

Re: Login With Username or Email And Password - Cleaning Up

Posted: Sat Sep 30, 2017 8:37 pm
by UniqueIdeaMan
Thanks Celauran,

You are really valuable. You gave me my answer in one post. Look how hard I tried here to get my answer:
https://forums.phpfreaks.com/topic/3049 ... exception/
Look how many attempts I made!!!

Re: Login With Username or Email And Password - Cleaning Up

Posted: Tue Oct 03, 2017 5:32 pm
by Vegan
You might want to add last_on as a field so you can clean up dead accounts if desired.

Re: Login With Username or Email And Password - Cleaning Up

Posted: Wed Oct 04, 2017 8:50 am
by UniqueIdeaMan
Vegan wrote: You might want to add last_on as a field so you can clean up dead accounts if desired.
last_on ? I'm confused. Care to show a snippet ?