I am using Active Record on CodeIgniter. I am confused on which approach I should take. Currently, our login system let's the user to use username/email for the login along with the password. But my current active record, seems to let the user logged in if he choose to use the email + no password.
Right now this is my query:
$this->db->select('id,level,email,username');
$this->db->where('email',$user);
$this->db->or_where('username',$user);
$this->db->where('password',$pass);
$query = $this->db->get('users');
if($query->num_rows>0)
return TRUE;
else
return FALSE;
Sample inputs:
- Username: test | Password: pass | Result: Success
- Username: test | Password: empty | Result: Failed
- Username: test@domain.com | Password: pass | Result: Success
- Username: test@domain.com | Password: empty | Result: Success
The fourth test input must be Failed in result, but it seems that it logs the user even if the password is empty.
The issue is probably that you need to add brackets when mixing AND’s and OR’s in a WHERE clause. Try this:
$this->db->select('id,level,email,username');
$this->db->where("(email = '$user' OR username = '$user')
AND password = '$pass'");
$query = $this->db->get('users');
@RidIculous is right. This is a correct way to do it:
$user = $this->db->escape($user);
$this->db->select('id,level,email,username');
$this->db->where("(email = $user OR username = $user)");
$this->db->where('password', $pass);
$query = $this->db->get('users');
Or a format I prefer (PHP 5+)
$user = $this->db->escape($user);
$query = $this->db
->select('id,level,email,username')
->where("(email = $user OR username = $user)")
->where('password', $pass)
->get('users');
$conditions = '(`username`="'.$username.'" OR `email`="'.$email.' OR `mobile`="'.$mobile.'"') AND `password`="'.$password.'"';
$query = $this->db->get_where('table_name', $conditions);
$result = $query->result();
