
I'm using the Etano open source script, which I try to contribute to. The script uses the username to log in, but I would like to have it so that a user can choose either their username or email to log in. Any help would be much appreciated.

The database table for user accounts is dsb_user_accounts and is structured like this:

[image: database table structure]

The php code for the login is as follows:

```php
if ($_SERVER['REQUEST_METHOD']=='POST') {
    // Login name is lower-cased and passed through Etano's sanitising helper; the password is taken as-is.
    $user=strtolower(sanitize_and_format_gpc($_POST,'user',TYPE_STRING,$__field2format[FIELD_TEXTFIELD],''));
    $pass=sanitize_and_format_gpc($_POST,'pass',TYPE_STRING,$__field2format[FIELD_TEXTFIELD],'');
    if (!empty($user) && !empty($pass)) {
        // Audit-log the attempt and apply rate limiting before the credential check.
        $log['level']='login';
        $log['user_id']=!empty($_SESSION[_LICENSE_KEY_]['user']['user_id']['email']) ? $_SESSION[_LICENSE_KEY_]['user']['user_id'] : 0;
        $log['sess']=session_id();
        $log['user']=$user;
        $log['membership']=$_SESSION[_LICENSE_KEY_]['user']['membership'];
        $log['ip']=sprintf('%u',ip2long($_SERVER['REMOTE_ADDR']));
        log_user_action($log);
        rate_limiter($log);
        // "IN (user, email)" is the part added to allow login by username or email;
        // this is the condition that matches the wrong account when an email is entered.
        $query="SELECT a.`".USER_ACCOUNT_ID."` as `user_id`,b.`_user` as `user`,a.`status`,a.`membership`,UNIX_TIMESTAMP(a.`last_activity`) as `last_activity`,a.`email`,b.`status` as `pstat` FROM `".USER_ACCOUNTS_TABLE."` a LEFT JOIN `{$dbtable_prefix}user_profiles` b ON a.`".USER_ACCOUNT_ID."`=b.`fk_user_id` WHERE a.`".USER_ACCOUNT_USER."`='$user' IN (user, email) AND a.`".USER_ACCOUNT_PASS."`=".PASSWORD_ENC_FUNC."('$pass')";
        if (!($res=@mysql_query($query))) {trigger_error(mysql_error(),E_USER_ERROR);}
        // remainder of the login handler not shown in the question
    }
}
```

I've added the "IN (user, email)" part, which does allow a login with username or email; however, when you log in with an email it logs in the wrong user.

Don G.
  • If you're writing new code, **_please_ don't use the `mysql_*` functions**. They are old and broken, were deprecated in PHP 5.5, and completely removed in PHP 7.0 (which is so old it no longer even receives active support). Use [`PDO`](https://secure.php.net/manual/en/book.pdo.php) or [`mysqli_*`](https://secure.php.net/manual/en/book.mysqli.php) with _prepared statements_ and _parameter binding_ instead. See http://stackoverflow.com/q/12859942/354577 for details. – ChrisGPT was on strike Mar 30 '18 at 16:21
  • this `WHERE a.".USER_ACCOUNT_USER."='$user' IN (user, email)` is wrong. – Jeff Mar 30 '18 at 16:24
  • ^ I'm actually shocked that doesn't throw an error, but I verified that it doesn't. But it definitely doesn't do whatever OP is expecting it to do either. – Patrick Q Mar 30 '18 at 16:25
  • you want `where (user=$user OR email=$email)`. But you should re-write that anyway to prepared statements, as @Chris said. – Jeff Mar 30 '18 at 16:25
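A username-or-email lookup along the lines the commenters suggest, as an added example that is not Etano's code and not part of the original question. It uses a PDO prepared statement with `(user = ? OR email = ?)` so the login value is bound rather than spliced into SQL, verifies the password in PHP with `password_verify` instead of hashing it inside the query (a swap from the script's `PASSWORD_ENC_FUNC` approach), and runs against an in-memory SQLite table whose name `dsb_user_accounts` and columns `user`, `email` and `pass` follow the question; the `user_id` column, the helper names and the sample accounts are assumptions. For context on the original clause: in MySQL, `=` and `IN` sit at the same precedence level and associate left to right, so `a.user='$user' IN (user, email)` is parsed as `(a.user='$user') IN (user, email)`, a membership test on the 0/1 result of the comparison rather than a lookup by username or email.

```php
<?php
// Added example (not Etano's code): username-or-email login via a PDO prepared statement.
// The SQLite table below mimics the columns named in the question; it is constructed sample data.
declare(strict_types=1);

function build_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE dsb_user_accounts (
        user_id INTEGER PRIMARY KEY,
        user    TEXT NOT NULL UNIQUE,
        email   TEXT NOT NULL UNIQUE,
        pass    TEXT NOT NULL)');
    // Constructed accounts; passwords are stored with password_hash(), not a raw SQL hash.
    $ins = $pdo->prepare('INSERT INTO dsb_user_accounts (user, email, pass) VALUES (?, ?, ?)');
    $ins->execute(['alice', 'alice@example.com', password_hash('alice-pw', PASSWORD_DEFAULT)]);
    $ins->execute(['bob',   'bob@example.com',   password_hash('bob-pw',   PASSWORD_DEFAULT)]);
    return $pdo;
}

/**
 * Select one account whose username OR email equals the submitted login value,
 * then verify the password in PHP. Returns the user_id on success, null otherwise.
 * The login value is lower-cased as in the original handler.
 */
function login_user_or_email(PDO $pdo, string $login, string $pass): ?int
{
    $login = strtolower(trim($login));
    if ($login === '' || $pass === '') {
        return null;
    }
    // Two distinct placeholders bound to the same value: reusing one named
    // placeholder twice is not portable across PDO drivers.
    $stmt = $pdo->prepare(
        'SELECT user_id, pass FROM dsb_user_accounts WHERE user = :by_user OR email = :by_email LIMIT 2'
    );
    $stmt->execute([':by_user' => $login, ':by_email' => $login]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // Exactly one row may match. If a username collides with another account's
    // email, refuse the login rather than pick one of the two arbitrarily.
    if (count($rows) !== 1) {
        return null;
    }
    // Constant-time hash comparison; the stored hash never leaves this function.
    return password_verify($pass, $rows[0]['pass']) ? (int) $rows[0]['user_id'] : null;
}

$pdo = build_demo_db();
var_dump(login_user_or_email($pdo, 'alice', 'alice-pw'));           // login by username
var_dump(login_user_or_email($pdo, 'Bob@Example.com', 'bob-pw'));   // login by email, case-folded
var_dump(login_user_or_email($pdo, 'bob@example.com', 'alice-pw')); // wrong password for that account
var_dump(login_user_or_email($pdo, "' OR 1=1 -- ", 'x'));           // bound value, no SQL reinterpretation
```

The `LIMIT 2` plus the `count($rows) !== 1` check is deliberate: the question's symptom is the wrong account being logged in, and the safe response to an ambiguous match is to deny rather than guess. In the real schema the `user` and `email` columns should carry unique constraints so the ambiguity cannot arise in the first place.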

0 Answers