Are there any security issues to avoid when providing a email-or-username-can-act-as-username login
Posted
by Tchalvak
on Stack Overflow
See other posts from Stack Overflow
or by Tchalvak
Published on 2010-05-23T05:23:41Z
Indexed on
2010/05/23
5:30 UTC
Read the original article
Hit count: 262
I am in the process of moving from a "username/password" system to one that uses email for login. I don't think that there's any horrible problem with allowing either email or username for login, and I remember seeing sites that I consider somewhat respectable doing it as well, but I'd like to be aware of any major security flaws that I may be introducing.
More specifically, here is the pertinent function (the query_row function parameterizes the sql).
function authenticate($p_user, $p_pass) {
$user = (string)$p_user;
$pass = (string)$p_pass;
$returnValue = false;
if ($user != '' && $pass != '') {
// Allow login via username or email.
$sql = "SELECT account_id, account_identity, uname, player_id
FROM accounts join account_players on account_id=_account_id join players on player_id = _player_id
WHERE lower(account_identity) = lower(:login) OR lower(uname) = lower(:login) AND phash = crypt(:pass, phash)";
$returnValue = query_row($sql, array(':login'=>$user, ':pass'=>$pass));
}
return $returnValue;
}
Notably, I have added the WHERE lower(account_identity) = lower(:login) OR lower(uname) = lower(:login) ...etc
section to allow graceful backwards compatibility for users who won't be used to using their email for the login procedure. I'm not completely sure that that OR
is safe, though. Are there some ways that I should tighten the security of the php code above?
© Stack Overflow or respective owner