I have a CodeIgniter model like this:
<?php
class Model_Login extends CI_Model {

    function __construct() {
        parent::__construct();
    }

    public function login_submit($arrayData) {
        // Read the two expected fields explicitly rather than extract()-ing the
        // whole array, so a caller cannot inject other variables into this scope.
        // clean() is the application's own sanitising helper (not shown here).
        $username = clean($arrayData['txtusername']);
        $password = clean($arrayData['txtpassword']);

        // First get the salt for the respective user.
        $getsalt = $this->db->query("SELECT PASSWORD_SALT FROM USER_INFOS WHERE USER_NNAME=?", array($username))->row();
        if ($getsalt === NULL) {
            // Unknown username: row() returns NULL, and reading ->PASSWORD_SALT
            // from it would be a fatal error instead of a clean failure.
            return "Invalid username and/or password.";
        }
        $salt     = $getsalt->PASSWORD_SALT;
        $password = sha1($salt . $password);

        $query = $this->db->query("SELECT * FROM USER_INFOS WHERE STATUS='Y' AND USER_NNAME=? AND USER_PASSWORD=?", array($username, $password));
        // num_rows() is the documented method on the CI result object.
        if ($query->num_rows() > 0) {
            $row = $query->row();
            // login successful, create session
            $this->session->set_userdata('USER_ID', $row->USER_ID);
            $this->session->set_userdata('USER_FULL_NAME', $row->USER_ENAME);
            return "success";
        } else {
            return "Invalid username and/or password.";
        }
    }
}
?>
Where,
PASSWORD_SALT is a database field that contains a 128-character-long random (per-user) salt, hashed using a hash function.
The code works perfectly if USERNAME is unique. But I'm trying to think of the client who may ask that the username should not be unique. If the username is not unique it always selects the first row, and all but one of the users having the same username will not be able to log in even if they provide a valid username and password.
What will be better work around on this scenario?
EDIT
I know that making USERNAME not unique is a bad idea. But in our country there are several websites where the username is not unique (or in some cases the username is even predictable). For example, I have an account in a certain branch of a bank whose branch code is 032, and my name is John Smith, so the username to access their ebanking will be 032JOHNS; there might be more than one John Smith in that branch, so they end up having the same username. And to log in to their ebanking system I just need to provide this username and my password.
Thanks
If the username is not unique, then what uniquely identifies the user?
It has to be something the user provides at login, and it can’t be a combination of username and password, because there’s certainly no guarantee that two users won’t pick the same password.
So if the username is not unique, then something else has to be unique (or be unique in combination with the username). For example, if they’re doing some kind of multi-tenant by custom domains, then it would be the domain.
But you can’t have non-unique usernames and expect the password to determine the correct user.
(Side note, well you can, but you shouldn’t – I happen to be able to log in to two different Amazon accounts using the same email address, but different passwords. I wonder what would happen if I changed one password to match the other, but I value my account too much to try it.)
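The following is an added example, not code from the question or the answer, showing the two points above in runnable form: the branch code from the question's bank example is assumed to be the "something else" that is unique in combination with the username, so the lookup key is (branch, username) and the password only verifies identity; and the "you can, but you shouldn't" path is shown as well, checking the password against every row with that username and refusing to log anyone in when more than one row matches. The table, column names (BRANCH_CODE, PASSWORD_HASH), sample users and passwords are constructed for the example, and the sha1(salt . password) of the original is replaced with PBKDF2 as an assumed improvement.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema: USER_NNAME is unique only together with BRANCH_CODE.
# USER_INFOS, USER_NNAME, USER_ENAME, PASSWORD_SALT and STATUS follow the
# question; BRANCH_CODE and PASSWORD_HASH are assumptions for this example.
SCHEMA = """
CREATE TABLE USER_INFOS (
    USER_ID        INTEGER PRIMARY KEY,
    BRANCH_CODE    TEXT NOT NULL,
    USER_NNAME     TEXT NOT NULL,
    USER_ENAME     TEXT NOT NULL,
    PASSWORD_SALT  BLOB NOT NULL,
    PASSWORD_HASH  BLOB NOT NULL,
    STATUS         TEXT NOT NULL DEFAULT 'Y',
    UNIQUE (BRANCH_CODE, USER_NNAME)
);
"""

PBKDF2_ROUNDS = 100_000   # slow, salted hash instead of sha1(salt . password)
_DUMMY_SALT = bytes(16)   # used to keep the cost of a failed lookup constant


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(conn, branch, username, fullname, password) -> bool:
    """Insert a user; returns False when (branch, username) already exists."""
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO USER_INFOS (BRANCH_CODE, USER_NNAME, USER_ENAME, PASSWORD_SALT, PASSWORD_HASH)"
            " VALUES (?, ?, ?, ?, ?)",
            (branch, username, fullname, salt, hash_password(password, salt)),
        )
    except sqlite3.IntegrityError:
        return False
    return True


def login_by_branch(conn, branch, username, password):
    """Recommended path: the composite key selects at most one row, so the
    password only verifies that user and never chooses between users."""
    row = conn.execute(
        "SELECT USER_ID, PASSWORD_SALT, PASSWORD_HASH FROM USER_INFOS"
        " WHERE STATUS='Y' AND BRANCH_CODE=? AND USER_NNAME=?",
        (branch, username),
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown (branch, username) costs the same time
        # as a wrong password and cannot be told apart by timing.
        hash_password(password, _DUMMY_SALT)
        return None
    user_id, salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return user_id
    return None


def login_username_only(conn, username, password):
    """The 'you can, but you shouldn't' path: try every active row with this
    username and accept only if exactly one password matches.  Two users
    sharing both username and password cannot be told apart, so that case
    is refused instead of silently logging in the first row."""
    rows = conn.execute(
        "SELECT USER_ID, PASSWORD_SALT, PASSWORD_HASH FROM USER_INFOS"
        " WHERE STATUS='Y' AND USER_NNAME=?",
        (username,),
    ).fetchall()
    matches = [uid for uid, salt, stored in rows
               if hmac.compare_digest(hash_password(password, salt), stored)]
    return matches[0] if len(matches) == 1 else None


def make_demo_db():
    """Constructed sample data: three John Smiths who all got the username 032JOHNS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    add_user(conn, "032", "032JOHNS", "John Smith", "correct horse")
    add_user(conn, "045", "032JOHNS", "John Smith", "battery staple")
    add_user(conn, "060", "032JOHNS", "John Smith", "correct horse")  # same password as user 1
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(login_by_branch(db, "032", "032JOHNS", "correct horse"))   # 1
    print(login_username_only(db, "032JOHNS", "battery staple"))    # 2
    print(login_username_only(db, "032JOHNS", "correct horse"))     # None: ambiguous
```

Note that `login_username_only` still leaks how many accounts share a username through its running time (one PBKDF2 per candidate), which is one more reason to collect the disambiguating field at login rather than derive it from the password.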