SaucedApples - 5 months ago
SQL Question

Login using username or email

I am trying to have my login page let users log in using either their username or email address.

So far, it will only allow users to log in using email. I need some fresh eyes; I can't find the problem. I've tried removing every mention of logging in with email but still no luck. Both the username and email fields in the table are unique; I tried alternating that around. Would anyone help?

Login Form:

<?php
ini_set('display_errors', '1');
require_once '../includes/conn.php';

if($user->is_loggedin()!=""){
    $user->redirect('./index.php');
}

if(isset($_POST['login'])){
    $username = $_POST['username_email'];
    $email = $_POST['username_email'];
    $password = $_POST['password'];

    if($user->login($usrename,$email,$password)){
        $user->redirect('./index.php');
    }else{
        $error = "Login details provided do not match our records.<br /><br />";
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<title>EpicOwl UK | CMS Admin Panel Login</title>
<meta charset="utf-8">
<link rel="shortcut icon" href="../images/favicon.ico" type="image/x-icon" />
<link rel="stylesheet" type="text/css" href="../css/main.css">
</head>
<body>
<div id="header">
<a href="index.php"><img id="logo" src="../images/logo.png" /></a>
<div id="navigation">
<ul>
<a href="../index.php"><li>Home</li></a>
<a href="../users/profile.php"><li>My Profile</li></a>
<a href="./index.php"><li>Admin Panel</li></a>
</ul>
</div>
</div>
<div id="content">
<form method="post"><br /><br />
<h2>Administrator Login</h2>
<?php
if(isset($error)){
?>
<em><?php echo $error; ?></em>
<?php
}
?>
<input type="text" name="username_email" placeholder="Username/Email" required /><br /><br />
<input type="password" name="password" placeholder="Password" /><br /><br />
<button type="submit" name="login">Login</button><br /><br /><br />
<label>Don't have an account? Why not register one by clicking <a href="./register.php">HERE</a></label><br /><br /><br /><br />
</form>
</div>
<div id="footer">
<p class="copyright">&copy; EpicOwl UK. All Rights Reserved.</p>
</div>
</body>
</html>


Class File:

<?php
ini_set('display_errors', '1');
class USER{
    private $db;

    function __construct($conn){
        $this->db = $conn;
    }

    // Stores a new account; the password is hashed before it is inserted.
    public function register($username,$email,$password){
        try{
            $new_password = password_hash($password, PASSWORD_DEFAULT);

            $stmt = $this->db->prepare("INSERT INTO users(username,email,password)VALUES(:username, :email, :password)");

            $stmt->bindparam(":username", $username);
            $stmt->bindparam(":email", $email);
            $stmt->bindparam(":password", $new_password);
            $stmt->execute();

            return $stmt;
        }
        catch(PDOException $e){
            echo $e->getMessage();
        }
    }

    // Looks the account up by username or email, then verifies the password hash.
    public function login($username,$email,$password){
        try{
            $stmt = $this->db->prepare("SELECT * FROM users WHERE username=:username OR email=:email LIMIT 1");
            $stmt->execute(array(':username'=>$username, ':email'=>$email));
            $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
            if($stmt->rowCount() > 0){
                if(password_verify($password, $userRow['password'])){
                    $_SESSION['session'] = $userRow['id'];
                    return true;
                }else{
                    return false;
                }
            }
        }
        catch(PDOException $e){
            echo $e->getMessage();
        }
        // No matching row, or the query failed.
        return false;
    }

    public function is_loggedin(){
        if(isset($_SESSION['session'])){
            return true;
        }
        return false;
    }

    public function redirect($url){
        header("Location:$url");
    }

    public function logout(){
        session_destroy();
        unset($_SESSION['session']);
        return true;
    }
}
?>


SQL Table:

-- phpMyAdmin SQL Dump
-- version 4.0.7
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jun 19, 2015 at 11:52 AM
-- Server version: 5.5.42
-- PHP Version: 5.3.28

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

--
-- Database: `cl47-dbuser-1yz`
--

-- --------------------------------------------------------

--
-- Table structure for table `users`
--

CREATE TABLE IF NOT EXISTS `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(25) NOT NULL,
`email` varchar(50) NOT NULL,
`password` varchar(60) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`),
UNIQUE KEY `email` (`email`),
UNIQUE KEY `id` (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;


Registering is fine, username, email & password all insert. Thanks for looking.

Answer

The problem is with this line:

if($user->login($usrename,$email,$password)){
                ^^^^^^^^^

$usrename is misspelled and should read as $username; that's why it's only letting you use the email to log in.

As per your login function:

public function login($username,$email,$password)
                      ^^^^^^^^^

Sidenote:

Make sure that the password column is long enough to accommodate the hash. 60 is sometimes not enough. Increase it to 255 for future use, which is recommended as per the manual on password_hash():

Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

Also add error_reporting(E_ALL); above ini_set('display_errors', 1);
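
An added example, not part of the original answer or the asker's code: a login helper that takes the single form field once, so there is no second variable to mistype, and looks it up as either username or email. The function name login_by_identifier, the in-memory SQLite database and the sample account are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
error_reporting(E_ALL);          // in the question's code this reports the undefined $usrename
ini_set('display_errors', '1');  // development only

// Assumption: in-memory SQLite (pdo_sqlite) stands in for the MySQL `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username VARCHAR(25) NOT NULL UNIQUE,
    email VARCHAR(50) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL)');  // 255 as the answer recommends

// Constructed sample account, not data from the page.
$ins = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
$ins->execute(['alice', 'alice@example.com',
    password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns the user id on success, null on any failure.
function login_by_identifier(PDO $db, string $identifier, string $password): ?int
{
    // The same value is bound to two distinct placeholders; PDO only accepts
    // a repeated named placeholder when emulated prepares are enabled.
    $stmt = $db->prepare(
        'SELECT id, password FROM users WHERE username = :u OR email = :e LIMIT 1');
    $stmt->execute([':u' => $identifier, ':e' => $identifier]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);  // false when nothing matched

    // Unknown identifier and wrong password give the same answer to the caller.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // In the web handler: call session_regenerate_id(true), then store the id.
    return (int) $row['id'];
}

var_dump(login_by_identifier($db, 'alice', 'correct horse'));
var_dump(login_by_identifier($db, 'alice@example.com', 'correct horse'));
var_dump(login_by_identifier($db, 'alice', 'wrong password'));
var_dump(login_by_identifier($db, 'nobody', 'correct horse'));
```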