Login With Username or Email And Password - Cleaning Up The Reg Page

[sunny_pro]

Folks,

Let us work on this following suggested code:

if ($_SERVER['REQUEST_METHOD'] == "POST") // not really needed since you're checking $_POST
{
    if (isset($_POST["login_username"]) && isset($_POST["login_password"])) {
        $username = trim($_POST["login_username"]); //
        $password = trim($_POST["login_password"]); //
        $hashed_password = password_hash($_POST["login_password"], PASSWORD_DEFAULT);
        $sql = "
SELECT
  ids,
  usernames, 
  passwords, 
  emails, 
  accounts_activations_statuses 
FROM users 
WHERE usernames = ?
  AND passwords = ?
";
        $stmt = mysqli_prepare($conn, $sql);
        mysqli_stmt_bind_param($stmt, 'ss', $username, $hashed_password);
        mysqli_stmt_execute($stmt);
        if (mysqli_stmt_num_rows($stmt)) {
            // found a match, we're good to go...
        } else {
            // whatever you do when user/password not found...
        }
    }
}

Ok. The above was based on the User inputting his Username & Password.
Now, imagine the html login form gave the user a choice to either input his Username or Email and then his Password.
Now, how would you code it ? Where would you change to what ?
tbl column names are:
usernames
emails
passwords

Imagine the html form looks like this:

<!DOCTYPE html>
<html>
<head>
<title><?php $site_name?> Member Login Page</title>
  <meta charset="utf-8">
</head>
<body>
<form method="post" action="">
	<h3><?= $site_name ?> Member Login Form</h3>
	<fieldset>
		<label for="login_name">Username/Email:</label>
		<input type="text" name="login_username_or_email" id="login_name" value="<?php if(isset($_COOKIE["login_username_or_email"])) echo $_COOKIE["login_username_or_email"]; ?>"</center>
		<br>
		<label for="login_pass">Password:</label>
		<input type="password" name="login_password" id="login_pass" value="<?php if(isset($_COOKIE["login_password"])) echo $_COOKIE["login_password"]; ?>"></center>
	</fieldset>
	<div class="submitsAndHiddens">
		<label for="login_remember">Remember Login Details:</label>
		<input type="checkbox" name="login_remember" />
		<br>
		<button type="submit">Login</button>
		<br>
		<a href="login_password_reset.php">Forgot your Password ? Reset it here!</a>
		<br>
		<a href="register.php">Register here!</a>
	</div>
</form>

</body>
</html>

On the form, I have not quite got the cookie thing ("Remember Me" feature sorted).

Another code I was suggested is the following but it is in pdo and my few pages of codes are in mysqli procedural style.
Hence, I need help converting this from pdo to mysqli procedural style.

if (
	array_key_exists('login_username_or_email', $_POST) &&
	array_key_exists('login_password'], $_POST)
) {

	// don't bother trimming, they can't enter it right, don't let them log in!

	$stmt = $conn->prepare('
		SELECT ids, usernames, passwords, emails, accounts_activations_statuses
		FROM users
		WHERE ' . (
			strpos($usernameOrEmail, '@') === false) ? 'usernames' : 'emails'
		) . ' = ?
	');
	$stmt->bind_param('s', $_POST['login_username_or_email']);
	$stmt->execute();
	$stmt->bind_result(
		$db_id, $db_username, $db_password, $db_email,
		$db_account_activation_status
	);
	
	if (
		$stmt->fetch() &&
		password_verify($_POST['login_password'], $db_password)
	) {
		echo '
			<p>Login Successful</p>
			<dl>
				<dt>User Id</dt>
				<dd>', $db_id, '</dd>
				<dt>E-Mail</dt>
				<dd>', $db_email, '</dd>
				<dt>Username</dt>
				<dd>', $db_username, '</dd>
				<dt>Activation Stats</dt>
				<dd>', $db_account_activation_status, '</dd>
			</dl>
		';
	} else echo '<p>Invalid username or password</p>';	
	$stmt->close();
	
} else echo '<p>Missing username or password</p>';

I'd appreciate your own suggested code sample aswell but make sure it is in: mysqli procedural style.
This will be a good learning curve for newbies from this forum. :clap:

 

[Rob Whisonant]

If I offered them the option of entering an email or username... I would test what they entered to see if it appears to be an email address. If it does, attempt to lookup the users username using the email address AND PASSWORD entered. If not found, assume it is a username and not an email address and try to log them in using the username and password.

To test the input and see if it appears it is an email address I would use a function like the one below.

function valid_email($email) {
    if(preg_match('/^([0-9,a-z,A-Z]+)([.,_,-]([0-9,a-z,A-Z]+))*[@]([0-9,a-z,A-Z]+)([.,_,-]([0-9,a-z,A-Z]+))*[.]([0-9,a-z,A-Z]){2}([0-9,a-z,A-Z])*$/',$email)) {
        return TRUE;
    } else {
        return FALSE;
    }
}

 

[sunny_pro]

Thank you very much Mod Rob!

You know other in other forums suggest I use regex but yet again they never provide sample or I reckon many don't know the regex.
I will mention your sample on other forum and link back to this thread. Hopefully, a lot of newbies would flock this way to learn more regex.
In the meanwhile since I am a little weak on php, do you mind adding your regex code on my following code so that I start getting an idea (and any future newbies too) how regex fits into my code ? hug:

You will notice that, I have a few questions on my comments where I show confusion on how to proceed forward.
At one place, in the comments, I will ask which 1 of the following 2 I should use which will suit the context of my code well.
I commented-out the one that I personally thought did not fit into my codes' context. But, I need your professional opinion.

//$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...

$result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.

At one point, I was not sure which 1 of the following 3 to use. I commented-out the 2 that I personally thought did not fit in to my codes' context. But I need your professional opinion here too.

$row = mysqli_stmt_fetch($stmt);
//$row = mysqli_fetch_array($query, MYSQLI_ASSOC);
//$row = mysqli_fetch_array($result, MYSQLI_ASSOC);

<?php
 
/*
ERROR HANDLING
*/
declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
 
include 'config.php';
 
// check if user is already logged in
if (is_logged() === true) 
{
	//Redirect user to homepage page after 5 seconds.
	header("refresh:2;url=home.php");
	exit; //
}


if ($_SERVER['REQUEST_METHOD'] == "POST")
{ 
	if (isset($_POST["login_username_or_email"]) && isset($_POST["login_password"]))
	{
		$username_or_email = trim($_POST["login_username_or_email"]); //
		$password = $_POST["login_password"];		
         
		//Select Username or Email to check against Mysql DB if they are already registered or not.
		$stmt = mysqli_stmt_init($conn);
		
        if(strpos("$username_or_email", "@") == true)
		{
			$email = $username_or_email;
			$username = "";
			
			$query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE emails = ?";
			$stmt = mysqli_prepare($conn, $query);			
			mysqli_stmt_bind_param($stmt, 's', $email);
			mysqli_stmt_execute($stmt);
		    //$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...
			//Note from line below that the variables "$db_username", "$db_account_activation_status" are related to the tbl columns selected on $query ("SELECT ids, usernames, accounts_activations_statuses From users .. WHERE).
			$result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.
		}
		else
		{
			$username = $username_or_email;
			$email = "";
			$query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE usernames = ?";
			$stmt = mysqli_prepare($conn, $query);
			mysqli_stmt_bind_param($stmt, 's', $username);
			mysqli_stmt_execute($stmt);
			//$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...
			//Note from line below that the variables "$db_email", "$db_account_activation_status" are related to the tbl columns selected on $query ("SELECT ids, emails, accounts_activations_statuses From users .. WHERE).
			$result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.
		}       	
		
		//Which of the following to do and why that one over others ?
		$row = mysqli_stmt_fetch($stmt);
		//$row = mysqli_fetch_array($query, MYSQLI_ASSOC);
		//$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
		
		mysqli_stmt_close($stmt);
		
		printf("%s (%s)\n",$row["usernames"],$row["passwords"]);
		
		if ($result == false)
		{
			echo "'$result == false' on line 73! IF got triggered on line 73! !<br>";// For debugging purpose!
			exit();
		}
		elseif ($row['accounts_activations_statuses'] == '0')
		{
			{
				echo "You have not activated your account yet! Check your email for instructions on how to activate it. 
				Check your spam folder if you don't find an email from us.";
				exit();
			}
		}
		else
		{
			echo "'$result == true' on line 73! Else got triggered on line 86! <br>";// For debugging purpose!
		}
		
		if (password_verify($password, $db_password))		
		{
			echo "IF triggered for password_verify! password_verify ok";
			//If 'Remember Me' check box is checked then set the cookie. 
			//if(!empty($_POST["login_remember"])) // Either use this line ....
			if (isset($_POST['login_remember']) && $_post['login_remember'] == "on") // ...or this line. But not both!
			{
				setcookie("login_username", $username, time()+ (10*365*24*60*60));
			}
			else
			{
				//If Cookie is available then use it to auto log user into his/her account!
				if (isset($_COOKIE['login_username']))
				{
					setcookie("login_username","","");
				}
			}
			$_SESSION["user"] = $username;
			header("location:home.php?user=$username");				
		}
		else
		{
			echo "Else got triggered on line 111: Incorrect User Credentials ! 'password_verify = FALSE';<br>";// For debugging purpose!
			exit();
		}
	}
}
	
?>

<!DOCTYPE html>
<html>
<head>
<title><?php $site_name?> Member Login Page</title>
  <meta charset="utf-8">
</head>
<body>
<form method="post" action="">
	<h3><?= $site_name ?> Member Login Form</h3>
	<fieldset>
		<label for="login_name">Username/Email:</label>
		<input type="text" name="login_username_or_email" id="login_name" value="<?php if(isset($_COOKIE["login_username_or_email"])) echo $_COOKIE["login_username_or_email"]; ?>"</center>
		<br>
		<label for="login_pass">Password:</label>
		<input type="password" name="login_password" id="login_pass" value="<?php if(isset($_COOKIE["login_password"])) echo $_COOKIE["login_password"]; ?>"></center>
	</fieldset>
	<div class="submitsAndHiddens">
		<label for="login_remember">Remember Login Details:</label>
		<input type="checkbox" name="login_remember" />
		<br>
		<button type="submit">Login</button>
		<br>
		<a href="login_password_reset.php">Forgot your Password ? Reset it here!</a>
		<br>
		<a href="register.php">Register here!</a>
	</div>
</form>

</body>
</html>

Finally, do you mind adding the cookie section so that when the user checks the "Remember Me" checkbox then the cookie gets set to auto login the user when next time they visit the login.php page or the page this php code is running on.

Even though I have read on how to use the following, I still get confused a little and when you got tonnes of lines of codes you tend to get a little puzzled. Your input would be helpful and would remove any doubts from my mind.

mysqli_fetch_array
mysqli_stmt_get_result($stmt)
mysqli_stmt_bind_result($stmt)
cookies

You know how it is. Reading & learning is one thing and seeing in practice how it is done in a project, is another thing. And it is called: Work Experience.

 

[sunny_pro]

I'd appreciate any input by anyone to my last post.

Thanks!