使用密码验证删除帐户

Delete account with password verification

我有这个解决方案供用户删除他的帐户(效果很好)

        if(!empty($_POST['delete'])){
    
    if(empty($_POST['currentpassword'])) {
            $error = error('Please enter current password.');
    }

    $SQLCheckCurrent = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `ID` = :ID AND `password` = :currentpassword");
    $SQLCheckCurrent -> execute(array(':ID' => $_SESSION['ID'], ':currentpassword' => SHA1(md5($_POST['currentpassword']))));
    $countCurrent = $SQLCheckCurrent -> fetchColumn(0);

    if ($countCurrent == 0){
        $error = error('Current password is incorrect.');
    }
    
    $notify = error($error);

    if(empty($error)){
        $SQLUpdate = $odb -> prepare("DELETE FROM `users` WHERE `username` = :username AND `ID` = :id");
        $SQLUpdate -> execute(array(':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
        session_destroy();
        header("location: login");
        die();
    }

}

我最近将所有内容从 MD5 更改为更新的 password_hash 但遗憾的是我无法更新这部分,我已经尝试过但到目前为止运气不好

        if(!empty($_POST['delete'])){
    
    if(empty($_POST['currentpassword'])) {
            $error = error('Please enter current password.');
    }

    $SQLCheckCurrent = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `ID` = :ID AND `password` = :currentpassword");
    $SQLCheckCurrent -> execute(array(':ID' => $_SESSION['ID'], ':currentpassword' => password_verify($_POST['currentpassword'],$userInfo['password'])));
    $countCurrent = $SQLCheckCurrent -> fetchColumn(0);

    if ($countCurrent == 0){
        $error = error('Current password is incorrect.');
    }
    
    $notify = error($error);

    if(empty($error)){
        $SQLUpdate = $odb -> prepare("DELETE FROM `users` WHERE `username` = :username AND `ID` = :id");
        $SQLUpdate -> execute(array(':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
        session_destroy();
        header("location: login");
        die();
    }

}

我建议先阅读如何使用 password_verify,因为 password_verify 只有 return 布尔值给你 TRUE/FALSE。因此,您不能使用该函数来检查数据库中的数据。

在此处了解 password_verify:https://www.php.net/manual/en/function.password-verify.php

然后,对于解决方案,您可以像这里更改代码的逻辑:

1.仅通过ID获取保存的密码(自行查询),例如我会叫它$saved_password

$saved_password = '...'; // Get the password from DB by user id

2。使用保存的密码验证给定的密码

if (password_verify($_POST['currentpassword'], $saved_password)) {
  // Password verified
  // DELETE THE USER
} else {
  // Error. The password is wrong!
}

就这些了,希望对你有帮助。