Are there any security issues to avoid when providing a email-or-username-can-act-as-username login

Posted by Tchalvak on Stack Overflow See other posts from Stack Overflow or by Tchalvak
Published on 2010-05-23T05:23:41Z Indexed on 2010/05/23 5:30 UTC
Read the original article Hit count: 262

Filed under:
|
|

I am in the process of moving from a "username/password" system to one that uses email for login. I don't think that there's any horrible problem with allowing either email or username for login, and I remember seeing sites that I consider somewhat respectable doing it as well, but I'd like to be aware of any major security flaws that I may be introducing.

More specifically, here is the pertinent function (the query_row function parameterizes the sql).

function authenticate($p_user, $p_pass) {
    $user        = (string)$p_user;
    $pass        = (string)$p_pass;
    $returnValue = false;

    if ($user != '' && $pass != '') {
        // Allow login via username or email.
        $sql = "SELECT account_id, account_identity, uname, player_id 
            FROM accounts join account_players on account_id=_account_id join players on player_id = _player_id 
            WHERE lower(account_identity) = lower(:login) OR lower(uname) = lower(:login) AND phash = crypt(:pass, phash)";
        $returnValue = query_row($sql, array(':login'=>$user, ':pass'=>$pass));

    }
    return $returnValue;
}

Notably, I have added the WHERE lower(account_identity) = lower(:login) OR lower(uname) = lower(:login) ...etc section to allow graceful backwards compatibility for users who won't be used to using their email for the login procedure. I'm not completely sure that that OR is safe, though. Are there some ways that I should tighten the security of the php code above?

© Stack Overflow or respective owner

Related posts about php

Related posts about security