Search code examples
phppassword-encryptionpassword-hash

Delete account with password verification

i have this solution for user to delete his account (it is working pretty well)

        if(!empty($_POST['delete'])){
    
    if(empty($_POST['currentpassword'])) {
            $error = error('Please enter current password.');
    }

    $SQLCheckCurrent = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `ID` = :ID AND `password` = :currentpassword");
    $SQLCheckCurrent -> execute(array(':ID' => $_SESSION['ID'], ':currentpassword' => SHA1(md5($_POST['currentpassword']))));
    $countCurrent = $SQLCheckCurrent -> fetchColumn(0);

    if ($countCurrent == 0){
        $error = error('Current password is incorrect.');
    }
    
    $notify = error($error);

    if(empty($error)){
        $SQLUpdate = $odb -> prepare("DELETE FROM `users` WHERE `username` = :username AND `ID` = :id");
        $SQLUpdate -> execute(array(':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
        session_destroy();
        header("location: login");
        die();
    }

}

I recently changed everything from MD5 to the newer password_hash but I can not update this part sadly, I have tried this but no luck so far

        if(!empty($_POST['delete'])){
    
    if(empty($_POST['currentpassword'])) {
            $error = error('Please enter current password.');
    }

    $SQLCheckCurrent = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `ID` = :ID AND `password` = :currentpassword");
    $SQLCheckCurrent -> execute(array(':ID' => $_SESSION['ID'], ':currentpassword' => password_verify($_POST['currentpassword'],$userInfo['password'])));
    $countCurrent = $SQLCheckCurrent -> fetchColumn(0);

    if ($countCurrent == 0){
        $error = error('Current password is incorrect.');
    }
    
    $notify = error($error);

    if(empty($error)){
        $SQLUpdate = $odb -> prepare("DELETE FROM `users` WHERE `username` = :username AND `ID` = :id");
        $SQLUpdate -> execute(array(':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
        session_destroy();
        header("location: login");
        die();
    }

}
Solution

  • I recommend to read first about how to use password_verify, that because password_verify only return boolean that give you TRUE/FALSE. So, you can't use that function to check the data in the DB.

    Read about password_verify here: https://www.php.net/manual/en/function.password-verify.php

    And then, for the solution, you can change the logic of your code like here:

    1. Get the saved password by ID only (make your own query), e.g. I will call it $saved_password

    $saved_password = '...'; // Get the password from DB by user id

    2. Verify the given password with saved password

    if (password_verify($_POST['currentpassword'], $saved_password)) {
  // Password verified
  // DELETE THE USER
} else {
  // Error. The password is wrong!
}

    That's it, hope this can help you.