Are there any security issues to avoid when providing a email-or-username-can-act-as-username login
- by Tchalvak
I am in the process of moving from a "username/password" system to one that uses email for login. I don't think that there's any horrible problem with allowing either email or username for login, and I remember seeing sites that I consider somewhat respectable doing it as well, but I'd like to be aware of any major security flaws that I may be introducing.
More specifically, here is the pertinent function (the query_row function parameterizes the sql).
function authenticate($p_user, $p_pass) {
$user = (string)$p_user;
$pass = (string)$p_pass;
$returnValue = false;
if ($user != '' && $pass != '') {
// Allow login via username or email.
$sql = "SELECT account_id, account_identity, uname, player_id
FROM accounts join account_players on account_id=_account_id join players on player_id = _player_id
WHERE lower(account_identity) = lower(:login) OR lower(uname) = lower(:login) AND phash = crypt(:pass, phash)";
$returnValue = query_row($sql, array(':login'=>$user, ':pass'=>$pass));
}
return $returnValue;
}
Notably, I have added the WHERE lower(account_identity) = lower(:login) OR lower(uname) = lower(:login) ...etc section to allow graceful backwards compatibility for users who won't be used to using their email for the login procedure. I'm not completely sure that that OR is safe, though. Are there some ways that I should tighten the security of the php code above?