
I am trying to have my login page let users log in using either their firstname/email or password/lastname.

So far, it will only allow users to log in using email/firstname in the first block, and in the second block only the password, but not the lastname.

Here is what I have so far as PHP:

    <?php
    ob_start();
    session_start();
    define("_APP_RUN", true);
    require '../AppINIT.php';
    $footerTxt = appconfig('footerTxt');
    $theme     = appconfig('theme');

    if (isset($_POST['login'])) {
        $username   = _post('username');
        $password   = _post('password');
        $login_type = _post('login_type');

        if ($username == '') {
            conf('login.php', 'e', 'Please Enter Your Username');
        }

        if ($password == '') {
            conf('login.php', 'e', 'Please Enter Your Password');
        }

        // the second form field is hashed here, whatever the user typed into it
        $password = md5($secret . $password);

        $lastlogin = date("Y-m-d H:i:s");

        // added name,lname on 4-30-2016 -- to be able to login with name
        $stmt = $dbh->prepare("SELECT `id`, `email`, `name`, `lname`, `password`
                               FROM `accounts`
                               WHERE
                                   (
                                       `email` = :email AND `password` = :password
                                   )
                               OR
                                   (
                                       `name` = :first_name AND `lname` = :last_name
                                   )
                               AND `status` = 'Active'
                               ");

        // array elements are comma-separated; the same (hashed) value is bound to :password and :last_name
        $stmt->execute(array(
            ':email'      => $username,
            ':password'   => $password,
            ':first_name' => $username,
            ':last_name'  => $password
        ));

        //$stmt->bindParam(':user_id', $username, PDO::PARAM_STR, 12);
        //$stmt->bindParam(':password', $password, PDO::PARAM_STR, 30);
        $result = $stmt->fetchAll();
        if ($stmt->rowCount() == 1) {
            foreach ($result as $value) {
                $cmd = $value['id'];
                $_SESSION['cid'] = $value['id'];
                $lid = md5(uniqid(rand(), true));
                $_SESSION['lid'] = $lid;
                setcookie("_lid", "$lid", time() + 86400);
                $login = ORM::for_table('accounts')->find_one($cmd);
                $login->online    = '1';
                $login->lastlogin = $lastlogin;
                $login->save();

                conf('index.php');
            }
        } else {
            conf('login.php', 'e', 'For Security Reasons We Can Not Tell You What Was Entered Wrong!');
        }
    }
    require("views/$theme/login.tpl.php");
    ?>

And here is what I have in the HTML for calling it:

    <form action="login.php" method="post">
        <fieldset>
            <label>
                <span class="block input-icon input-icon-right">
                    <input type="text" class="span12" placeholder="Email Or First Name" name="username"/>
                    <i class="icon-envelope"></i>
                </span>
            </label>

            <label>
                <span class="block input-icon input-icon-right">
                    <input type="password" class="span12" placeholder="<?php echo $Lan['Password']; ?> Or Last Name" name="password" />
                    <i class="icon-lock"></i>
                </span>
            </label>

            <div class="space"></div>

            <div class="clearfix">
                Read Me First!
                <button class="width-35 pull-right btn btn-small btn-primary" type="submit" name="login">
                    <i class="icon-key"></i>
                    <?php echo $Lan['login']; ?>
                </button>
            </div>
        </fieldset>
    </form>
Greg
  • Group the `or` parts. `WHERE (email = :user_id OR name = :user_id) AND (password = :password OR lname = :password)` – chris85 May 04 '16 at 11:43
  • Why would you let someone log in with firstname/lastname? That's very insecure. Besides, there is a fair chance the firstname and lastname of users are exactly the same! – Daan May 04 '16 at 11:43
  • It is, but it is secured with both HTTPS and a password prompt that has a hashed password that changes every day, on our servers – Greg May 04 '16 at 11:44
  • @Greg So every user has to log in with the password which changes every day? That doesn't make it secure. I'm talking about easy impersonation here. – Daan May 04 '16 at 11:45
  • @Daan Yes, the prompt box changes every day as of right now, but I plan on changing this within the next few weeks. – Greg May 04 '16 at 11:50
  • @chris85 I tried the grouping but that did not seem to work. Thanks – Greg May 04 '16 at 11:56
  • You also can't bind the same name twice, give each binding its own name. – chris85 May 04 '16 at 11:56
  • @chris85 Can you give an example? Thanks – Greg May 04 '16 at 11:57
  • See: http://stackoverflow.com/questions/7603896/php-pdo-prepare-repetitive-variables – chris85 May 04 '16 at 11:59
  • @chris85 Thanks, I read through it... – Greg May 04 '16 at 12:02
  • `bindParam - Binds a parameter to the specified variable name`, binds 1 variable, not multiples. – chris85 May 04 '16 at 16:20
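The two defects the comments circle around, the ungrouped OR/AND in the WHERE clause and the hashed second field being bound as the last name, can be reproduced outside PHP. The following is an added example, not code from the question, the answer or the asker's application: it rebuilds the accounts table in an in-memory SQLite database with constructed rows, reproduces the page's md5($secret . $password) scheme with a made-up secret, and runs the question's WHERE clause next to a grouped one. The emails, names, passwords, secret and the disabled/duplicate rows are all assumptions made for the demonstration.

```python
import hashlib
import sqlite3

# Stand-in for the page's $secret; any value works for the demonstration.
SECRET = "constructed-secret"


def legacy_hash(password):
    """The page's md5($secret . $password) scheme, reproduced so rows match the query."""
    return hashlib.md5((SECRET + password).encode()).hexdigest()


def build_db():
    """Constructed accounts table with the columns the page's query reads.
    Row 2 is disabled; rows 1 and 3 share a first/last name (Daan's point)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, name TEXT, "
        "lname TEXT, password TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (email, name, lname, password, status) VALUES (?, ?, ?, ?, ?)",
        [
            ("alice@example.test", "Alice", "Smith", legacy_hash("correct horse"), "Active"),
            ("bob@example.test", "Bob", "Jones", legacy_hash("hunter2"), "Disabled"),
            ("asmith@example.test", "Alice", "Smith", legacy_hash("other"), "Active"),
        ],
    )
    return conn


# The question's WHERE clause. AND binds tighter than OR, so it parses as
#   (email/password) OR ((name/lname) AND status = 'Active')
# and the status check never applies to the email/password branch.
ORIGINAL_WHERE = """
    (email = :email AND password = :password)
    OR (name = :first_name AND lname = :last_name)
    AND status = 'Active'
"""

# Grouped as chris85 suggests, with the status check outside both branches.
FIXED_WHERE = """
    ((email = :email AND password = :password)
     OR (name = :first_name AND lname = :last_name))
    AND status = 'Active'
"""


def login_original(conn, username, password):
    """Reproduces the question: the second field is hashed once, then bound to
    both :password and :last_name, so a real last name never matches lname."""
    hashed = legacy_hash(password)
    params = {"email": username, "password": hashed,
              "first_name": username, "last_name": hashed}
    rows = conn.execute("SELECT id FROM accounts WHERE " + ORIGINAL_WHERE + " ORDER BY id", params)
    return [r[0] for r in rows]


def login_fixed(conn, username, password):
    """Grouped WHERE, last name bound unhashed. Each placeholder keeps its own
    name: PDO rejects a reused name when emulated prepares are off."""
    params = {"email": username, "password": legacy_hash(password),
              "first_name": username, "last_name": password}
    rows = conn.execute("SELECT id FROM accounts WHERE " + FIXED_WHERE + " ORDER BY id", params)
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print(login_original(db, "Alice", "Smith"))               # [] : lname compared with an md5 hex string
    print(login_original(db, "bob@example.test", "hunter2"))  # [2] : the disabled account gets in
    print(login_fixed(db, "bob@example.test", "hunter2"))     # [] : status now applies to both branches
    print(login_fixed(db, "Alice", "Smith"))                  # [1, 3] : two matches; rowCount() == 1 rejects both
```

The second line of output is the part worth noticing: with the question's clause, a disabled account still logs in by email and password, because `status = 'Active'` is only attached to the name/lname branch. The last line shows why first/last name is a poor credential even once it works: two people called Alice Smith both match, and the page's `rowCount() == 1` check then locks both of them out.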

1 Answer


Greg,

Use the following HTML Form:

    <form action="login.php" method="post">
        <fieldset>
            <label>
                <span class="block input-icon input-icon-right">
                    <input type="text" class="span12" placeholder="Email Or First Name" name="username"/>
                </span>
            </label>

            <label>
                <span class="block input-icon input-icon-right">
                    <!-- keep type="password" so the second credential is masked on screen -->
                    <input type="password" class="span12" placeholder="Password or Last Name" name="password"/>
                </span>
            </label>
        </fieldset>
        <input type="submit" name="Login">
    </form>

Use this in your login.php file:

    <?php
    session_start();
    require "path/to/db/file.php";

    $username  = isset($_POST['username']) ? $_POST['username'] : '';
    // keep an unhashed copy of the second field for the name/lname branch
    $last_name = isset($_POST['password']) ? $_POST['password'] : '';
    $password  = $last_name;

    $password = md5($secret . $password);

    // both branches are grouped so that `status` = 'Active' applies to each of them;
    // without the outer parentheses AND binds tighter than OR and the status check
    // would only cover the name/lname branch
    $stmt = $dbh->prepare("SELECT `id`, `email`, `name`, `lname`, `password`
                           FROM `accounts`
                           WHERE
                               (
                                   (`email` = :email AND `password` = :password)
                               OR
                                   (`name` = :first_name AND `lname` = :last_name)
                               )
                           AND `status` = 'Active'
                           ");

    // every placeholder has its own name, so nothing is bound twice
    $stmt->execute(array(
        ':email'      => $username,
        ':password'   => $password,
        ':first_name' => $username,
        ':last_name'  => $last_name
    ));

    $records_count = $stmt->rowCount();

    if ($records_count == 1) {
        // One of the conditions of the $stmt was evaluated as TRUE and the query matched exactly one account

        echo 'Logged in';

    } else {

        // debugging aid only: this prints the statement to the browser, remove it before going live
        var_dump($stmt);

    }
    ?>

If the conditions are met, you should log in successfully. Otherwise, the $stmt will be "dumped", which will help you evaluate your input.

In your original code, you are hashing the password field. The last name is being hashed, and that is why the authentication fails when you use the last name.

This would solve the issue you have, but pay attention to the comments on your question. This is not a very safe way to log in. Anyone who knows the first and last name of a user can log in, which kind of negates the whole purpose of a login script.

MDChaara
  • I tried your code, but it is still not taking the (lname) in the password block. Can you explain a little bit more on what you want me to try/do with the different user_ids and password_ids? Thanks – Greg May 04 '16 at 12:33
  • @Greg, why do you need this : `placeholder="` – MDChaara May 04 '16 at 12:35
  • It echoes from my lang. coding; it just outputs (enter password) to the front-facing web – Greg May 04 '16 at 12:36
  • OK. I would execute the statement like this: `$stmt->execute(array(':user_id_1'=>$user_id, ':user_id_2'=>$user_id, ':password_1'=>$password, ':password_2'=>$password_2));` – MDChaara May 04 '16 at 12:38
  • Check if the password is actually posted to the form action PHP file. – MDChaara May 04 '16 at 12:39
  • OK, thanks, I will implement this into my coding and will let you know what happens. Thanks – Greg May 04 '16 at 12:40
  • I am verifying it this way: first check if it is username AND password and that both are correct, then check if it is lastname AND email and that both are correct. – MDChaara May 04 '16 at 12:40
  • It works great with (email and name with password) but does not work at all with (name | lname) – Greg May 04 '16 at 15:55
  • Greg. Let me get this right: log in with name and password OR last name and email – MDChaara May 04 '16 at 15:57
  • It would be this way: login with (name and lname) and also login with (email and password) – Greg May 04 '16 at 16:01
  • I have updated the answer. Check the statement in the answer. – MDChaara May 04 '16 at 16:03
  • OK, still some problems. I will update above in my question on what I have done. – Greg May 04 '16 at 16:16
  • @Greg: I will update the answer. Check it in 5 mins. – MDChaara May 04 '16 at 17:03
  • @Greg: Check the updated code for your HTML form and PHP login page – MDChaara May 04 '16 at 17:15
  • I will update my code with your coding and will let you know. Thanks. – Greg May 04 '16 at 17:17
  • So I take it I can comment out this: `//$stmt->bindParam(':user_id', $username, PDO::PARAM_STR, 12); //$stmt->bindParam(':password', $password, PDO::PARAM_STR, 30);` – Greg May 04 '16 at 17:24
  • @Greg: Yes. Some people would recommend that you use bindParam(). The way I execute PDO queries is by using execute() with an array. It works for me and I know how to use it, so I write code that way :) – MDChaara May 04 '16 at 17:27
  • I am facing a white page, I will update the code above in my question. Thanks – Greg May 04 '16 at 17:38
  • @Greg: You are using md5 to hash the password field. It will not work with the last name because it is being hashed. – MDChaara May 04 '16 at 17:44
  • @Greg: My pleasure, glad I could help. And welcome to Stackoverflow. – MDChaara May 04 '16 at 17:51
  • I implemented your code, I faced a white screen again... but is there any way to keep the hash on the password portion and not have a hash when using the last_name? Thanks – Greg May 04 '16 at 17:54
  • @Greg: Look at the top part of the code. I have added a new variable `$last_name`, that is the password field without hashing, then I call the hashing function. – MDChaara May 04 '16 at 17:59
  • OK... that makes more sense, thanks... I just have to fix my white screen error and we should be good. Thanks again. – Greg May 04 '16 at 18:13
  • Thank you very much once again! I now have it fully working with no issues, thanks to your help and re-coding. – Greg May 04 '16 at 20:50
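The answer's closing caveat and Daan's comments both say the same thing: a first and last name are public data, not a credential. This added example (not the answer's code and not the asker's application) shows what the login looks like once that is taken seriously. The first field may still be an email or a first name, matching the page's form, but a password is always required, so the name/lname branch is gone. The page's md5($secret . $password) is swapped for a salted PBKDF2-HMAC-SHA256 with a constant-time compare, standing in for PHP's password_hash()/password_verify(); the query only fetches the candidate row and the secret comparison happens in code, with the status check outside the OR. The table, rows, iteration count and dummy hash are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Demonstration count; tune upward for production hardware.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'.
    Stands in for PHP's password_hash(); md5($secret . $password) has no per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time (cf. password_verify())."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Computed once so that a lookup miss still costs one verification and does not
# answer "does this user exist?" through response time.
DUMMY_HASH = hash_password("not-a-real-password")


def build_db():
    """Constructed accounts table with the page's columns; bob is disabled."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, name TEXT, "
                 "lname TEXT, password TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO accounts (email, name, lname, password, status) VALUES (?, ?, ?, ?, ?)",
        [("alice@example.test", "Alice", "Smith", hash_password("correct horse"), "Active"),
         ("bob@example.test", "Bob", "Jones", hash_password("hunter2"), "Disabled")])
    return conn


def authenticate(conn, identifier, password):
    """Return the account id on success, else None.
    `identifier` is the email or the first name (the page's first field);
    the second field is always a password. Only the candidate row is selected
    by SQL; the credential check is done here, against the stored hash."""
    rows = conn.execute(
        "SELECT id, password FROM accounts "
        "WHERE (email = :by_email OR name = :by_name) AND status = 'Active'",
        {"by_email": identifier, "by_name": identifier}).fetchall()
    if len(rows) != 1:
        # No match, a disabled account, or an ambiguous first name: refuse,
        # but still do the hashing work so timing looks like a real attempt.
        verify_password(password, DUMMY_HASH)
        return None
    account_id, stored = rows[0]
    return account_id if verify_password(password, stored) else None


if __name__ == "__main__":
    db = build_db()
    print(authenticate(db, "alice@example.test", "correct horse"))  # 1
    print(authenticate(db, "Alice", "correct horse"))              # 1
    print(authenticate(db, "Alice", "Smith"))                      # None : a last name is not a credential
    print(authenticate(db, "bob@example.test", "hunter2"))         # None : disabled account
```

Two design points carry over directly to the PHP on this page: keep the password out of the WHERE clause and compare it in code with `password_verify()`, so the database never needs a reversible or unsalted form of it; and return the same generic failure for "no such user", "disabled" and "wrong password", which the question's "For Security Reasons..." message already does.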