Email or use the login name to log on

I would like to ask if I have a signature bit called email and passwrod {code ...} the above is my logon authorization method. if the user attempts to access the email or password pair, the logon is successful: {code ...} however, if the username and password used by the user for login are also consistent, the user can also log on to {code ...} only the above signature method is... I 'd like to ask if I have a register called email and passwrod.

$email = $_POST['email'];$password = $_POST['password'];$login     = mysql_query("SELECT * FROM `users`JOIN `users_profile` USING (id)WHERE `email` = '".$email."' AND `password` = '".$password."' OR `username` = '".$email."' AND `password` = '".$password."'

The above is my logon authorization method
The login is successful by using the email or password pair provided by the hypothetical user:

`email` = '".$email."' AND `password` = '".$password."' 

However, if the username and password used by the user for login are also consistent

`username` = '".$email."' AND `password` = '".$password."'

Only the above authentication method can be used to allow login by email and password.
If username and password are logged in
Make sure to JOIN users_profile and use id.
Where is the problem?

Reply content:

I 'd like to ask if I have a register called email and passwrod.

$email = $_POST['email'];$password = $_POST['password'];$login     = mysql_query("SELECT * FROM `users`JOIN `users_profile` USING (id)WHERE `email` = '".$email."' AND `password` = '".$password."' OR `username` = '".$email."' AND `password` = '".$password."'

The above is my logon authorization method
The login is successful by using the email or password pair provided by the hypothetical user:

`email` = '".$email."' AND `password` = '".$password."' 

However, if the username and password used by the user for login are also consistent

`username` = '".$email."' AND `password` = '".$password."'

Only the above authentication method can be used to allow login by email and password.
If username and password are logged in
Make sure to JOIN users_profile and use id.
Where is the problem?

UseORNote the brackets.

SELECT * FROM `users`JOIN `users_profile` USING (id)WHERE (`email` = '".$email."' AND `password` = '".$password."') OR (`username` = '".$email."' AND `password` = '".$password."')

However, this SQL statement is not recommended.

You can use regular expressions in the code to determine whether the user entered an email or username. if the user entered an email, use the email field for query; otherwise, use the username field.

References: http://tool.oschina.net/regex #

First,Your code can be easily injected with SQL.Therefore, use mysqli at least. I strongly recommend PDO.

Then, my personal idea is to assume that the form on the front-end page has an input similar to this:

Here we usename="login"To replaceemailOrusernameAnd then:

$ Field = filter_var ($ _ POST ['login'], FILTER_VALIDATE_EMAIL )? 'Email ': 'username'; // $ field here is your signature bit (translated as a field here)

Then the SQL statement is like this:

$email = $_POST['email'];WHERE `".$field."` = '".$email."'

I once again stressed that your writing is dangerous.

Reference: http://php.net/manual/en/func...