username email login help

         

impact

4:04 am on Mar 30, 2010 (gmt 0)

10+ Year Member



Hello,

I have a login form which accepts both username and email. What I usually do is check email first and, if not found, go for the username, but now I am thinking of making my script a little better by doing this first.

I want to search for "@" in the username/email; if there is an "@" in it, I want to search for email first, and if "@" is not found in the username/email, then I want to search for username first.

Any help for a better idea? And by the way, should I use this to search the username/email?
[php.net...]

Thank you,

tangor

4:11 am on Mar 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Are you asking for both username and email? Is that followed by a password? If so, that seems a bit redundant. Finding username and email is not that difficult for scrapers, but finding the password is a bit more difficult. I'd treat the user name and the email as the login identity matched to a password (hopefully of suitable strength).

impact

8:08 am on Mar 30, 2010 (gmt 0)

10+ Year Member



Well, my users need to provide 2 things to log in.

1. username or email
2. password

Username and email are entered in the same text box field, just like twitter.com. In the back end, as of now, I check for the username first and then email. This means my SQL code runs through all customers' usernames first and, if not found, then email.

I was thinking of doing a basic search in the data for '@'. If '@' is found I will search email first and if not then username. On the other hand, if '@' is not found then I will search for username first and then, if not found, search email.

Thanks for replying.

tangor

8:13 am on Mar 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sounds right... I just tend to keep to the KISS method... I only ask for username or email as the login identity. Then ask for the password... which is what gets them in... based on one or the other, not both. I'd streamline it. Look up KISS method to know what I mean.

Matthew1980

8:20 am on Mar 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there Impact,

I think that substr_count($email, "@"); would work as it would return 1 upon an email address being submitted.

//Returns 1 for valid email address
if(substr_count($email, "@") == "1"){
    echo "not email address format";
}
else{
    //process code here
}

//Another version, though I don't think this would work :/ Though it might, never tried it myself this way
if(!substr_count($email, "@")){
    echo "not email address format";
}
else{
    //process code here
}

I find this the best method:-

if(!preg_match("/^([a-z]|[0-9]|\.|-|_)+@([a-z]|[0-9]|\.|-|_)+\.([a-z]|[0-9]){2,4}$/i", $email)){
echo "invalid email address";
}


Though I agree with tangor, surely if you are doing validation, a username/password combo with a captcha option would be best, as sometimes people don't want to use their email addresses for signing up to things for fear of spam increases.

Also, when doing passwords, ensure that you are CaSe SeNsItIvE when checking ;-p

Cheers,
MRb

Matthew1980

1:51 pm on Mar 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Typo from my other post:-

//Returns 1 for valid email address format
if(substr_count($email, "@") == "1"){
    //process code here
}
else{
    echo "not email address format";
}

Got the clause back to front :(

Cheers,
MRb

CyBerAliEn

8:54 pm on Mar 30, 2010 (gmt 0)

10+ Year Member



The simplest method would be to do as you suggest. Assume you get from the user:
(1) account [username OR email address]
(2) password

You don't know if 'account' is a username or email address. Ultimately your problem.

A VERY simple way to do this would be to do something like:
$account = 'fromForm';
$password = 'fromForm';
if (strpos($account,'@')===false)
{
    //Account is Username
    //Do check on username; etc.
}
else
{
    //Account is Email
    //Do check on email; etc.
}


In order for this to be effective, you will need to ensure that users are NOT allowed to have usernames with '@'. In my system, I tend to restrict usernames to basic alpha/numeric characters and a few symbols (dash, underscore, etc). So I wouldn't find it to be an issue. The reason you cannot allow '@' in this case is because if a '@' is found, PHP will assume it is an email address and attempt to validate by email address.

This is a VERY simple, effective way to do it.

Once you know it is an email, you can do a REGEX match on the email to verify it is a true email address (as Matthew1980 shows). But I find this unnecessary here. This script/code should be validating a login; it really doesn't matter whether the 'email' is valid or not (as an email address), as long as the email is a valid email address within your database/user system. Of course, you'd be advised to verify it is a real email address when an account is registered/created.
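
The '@' dispatch described in the post above, together with the registration rule it depends on, as an added example that is not part of the original thread. The `users` table and its columns, the function names and the sample account are assumptions made for illustration.

```php
<?php
// Added example: schema, function names and sample rows are constructed.

// Registration-side rule the '@' dispatch depends on:
// a username may never contain '@' (only letters, digits, dash, underscore).
function valid_username(string $name): bool {
    return preg_match('/^[A-Za-z0-9_-]{3,32}$/', $name) === 1;
}

// Pick the lookup column from the presence of '@', then run ONE prepared query
// instead of searching usernames and then emails.
function find_account(PDO $pdo, string $account): ?array {
    $column = (strpos($account, '@') === false) ? 'username' : 'email';
    // $column is one of two fixed literals, never user input; the value is bound.
    $stmt = $pdo->prepare("SELECT username, password_hash FROM users WHERE $column = ?");
    $stmt->execute([$account]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the username on success, null otherwise. "No such account" and
// "wrong password" are deliberately indistinguishable to the caller.
function login(PDO $pdo, string $account, string $password): ?string {
    $row = find_account($pdo, trim($account));
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE, email TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?, ?)')
    ->execute(['alice', 'alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(valid_username('alice'));              // accepted at registration
var_dump(valid_username('bob@example.com'));    // rejected: contains '@'
var_dump(login($pdo, 'alice', 'correct horse'));              // by username
var_dump(login($pdo, 'alice@example.com', 'correct horse'));  // by email
var_dump(login($pdo, 'alice@example.com', 'wrong'));          // bad password
var_dump(login($pdo, 'nobody', 'correct horse'));             // unknown account
```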

Matthew1980

9:23 pm on Mar 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Excellent point:-


In order for this to be effective, you will need to ensure that users are NOT allowed to have usernames with '@'.


For this reason I don't use emails as login info, I tend to stick with the old fashioned username/password combo plus captcha for just making sure that you can read. Aesthetically pleasing too I think.

Cheers,
MRb

CyBerAliEn

9:43 pm on Mar 30, 2010 (gmt 0)

10+ Year Member



^ True

But the idea of "account" and "password" is that it gives users flexibility. They may remember the username and/or the email. It adds some minor complexity to the login programming, but I think ultimately it is a good idea for a site with "normal" users. I know sometimes I remember the email I used for a site, but not the username (and it wants a username). It is easier to accept both (for the user). And the process of "resetting" an account given you forget a username is often cumbersome.

Frankly, I'd employ this type of scheme on systems I run because most of the users of these systems are faculty and professors who tend to be busy and forgetful of things like usernames/emails. Flexibility could help them. But ultimately I choose not to solely because I want to keep it easier on myself (by not programming the functionality), even though it may make usability easier on the user.


Though I ponder how allowing a username OR an email affects security of login...

Readie

9:48 pm on Mar 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Though I ponder how allowing a username OR an email affects security of login...

I should imagine it depends on how public the username is. If the username is used as a screen name where anyone can see it, then allowing E-mail logins shouldn't make it any less secure.

If usernames are kept hidden, with a different screen name, E-mails *may* make it less secure, if people who know the user try logging in as him/her.

Can't think of any other way it could affect security.

impact

12:47 am on Apr 2, 2010 (gmt 0)

10+ Year Member



Thank you all for replying to this post.

Anyango

7:52 pm on Apr 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




if(substr_count($email, "@") == "1"){


Matthew, I would compare a number as a number :) If nothing else, it looks gorgeous at least ;)

if(substr_count($email, "@") == 1){