使用密码验证删除帐户
Delete account with password verification
我有这个解决方案供用户删除他的帐户(效果很好)
if(!empty($_POST['delete'])){
if(empty($_POST['currentpassword'])) {
$error = error('Please enter current password.');
}
$SQLCheckCurrent = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `ID` = :ID AND `password` = :currentpassword");
$SQLCheckCurrent -> execute(array(':ID' => $_SESSION['ID'], ':currentpassword' => SHA1(md5($_POST['currentpassword']))));
$countCurrent = $SQLCheckCurrent -> fetchColumn(0);
if ($countCurrent == 0){
$error = error('Current password is incorrect.');
}
$notify = error($error);
if(empty($error)){
$SQLUpdate = $odb -> prepare("DELETE FROM `users` WHERE `username` = :username AND `ID` = :id");
$SQLUpdate -> execute(array(':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
session_destroy();
header("location: login");
die();
}
}
我最近将所有内容从 MD5 更改为更新的 password_hash
但遗憾的是我无法更新这部分,我已经尝试过但到目前为止运气不好
if(!empty($_POST['delete'])){
if(empty($_POST['currentpassword'])) {
$error = error('Please enter current password.');
}
$SQLCheckCurrent = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `ID` = :ID AND `password` = :currentpassword");
$SQLCheckCurrent -> execute(array(':ID' => $_SESSION['ID'], ':currentpassword' => password_verify($_POST['currentpassword'],$userInfo['password'])));
$countCurrent = $SQLCheckCurrent -> fetchColumn(0);
if ($countCurrent == 0){
$error = error('Current password is incorrect.');
}
$notify = error($error);
if(empty($error)){
$SQLUpdate = $odb -> prepare("DELETE FROM `users` WHERE `username` = :username AND `ID` = :id");
$SQLUpdate -> execute(array(':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
session_destroy();
header("location: login");
die();
}
}
我建议先阅读如何使用 password_verify,因为 password_verify 只有 return 布尔值给你 TRUE/FALSE。因此,您不能使用该函数来检查数据库中的数据。
在此处了解 password_verify:https://www.php.net/manual/en/function.password-verify.php
然后,对于解决方案,您可以像这里更改代码的逻辑:
1.仅通过ID获取保存的密码(自行查询),例如我会叫它$saved_password
$saved_password = '...'; // Get the password from DB by user id
2。使用保存的密码验证给定的密码
if (password_verify($_POST['currentpassword'], $saved_password)) {
// Password verified
// DELETE THE USER
} else {
// Error. The password is wrong!
}
就这些了,希望对你有帮助。
我有这个解决方案供用户删除他的帐户(效果很好)
if(!empty($_POST['delete'])){
if(empty($_POST['currentpassword'])) {
$error = error('Please enter current password.');
}
$SQLCheckCurrent = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `ID` = :ID AND `password` = :currentpassword");
$SQLCheckCurrent -> execute(array(':ID' => $_SESSION['ID'], ':currentpassword' => SHA1(md5($_POST['currentpassword']))));
$countCurrent = $SQLCheckCurrent -> fetchColumn(0);
if ($countCurrent == 0){
$error = error('Current password is incorrect.');
}
$notify = error($error);
if(empty($error)){
$SQLUpdate = $odb -> prepare("DELETE FROM `users` WHERE `username` = :username AND `ID` = :id");
$SQLUpdate -> execute(array(':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
session_destroy();
header("location: login");
die();
}
}
我最近将所有内容从 MD5 更改为更新的 password_hash
但遗憾的是我无法更新这部分,我已经尝试过但到目前为止运气不好
if(!empty($_POST['delete'])){
if(empty($_POST['currentpassword'])) {
$error = error('Please enter current password.');
}
$SQLCheckCurrent = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `ID` = :ID AND `password` = :currentpassword");
$SQLCheckCurrent -> execute(array(':ID' => $_SESSION['ID'], ':currentpassword' => password_verify($_POST['currentpassword'],$userInfo['password'])));
$countCurrent = $SQLCheckCurrent -> fetchColumn(0);
if ($countCurrent == 0){
$error = error('Current password is incorrect.');
}
$notify = error($error);
if(empty($error)){
$SQLUpdate = $odb -> prepare("DELETE FROM `users` WHERE `username` = :username AND `ID` = :id");
$SQLUpdate -> execute(array(':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
session_destroy();
header("location: login");
die();
}
}
我建议先阅读如何使用 password_verify,因为 password_verify 只有 return 布尔值给你 TRUE/FALSE。因此,您不能使用该函数来检查数据库中的数据。
在此处了解 password_verify:https://www.php.net/manual/en/function.password-verify.php
然后,对于解决方案,您可以像这里更改代码的逻辑:
1.仅通过ID获取保存的密码(自行查询),例如我会叫它$saved_password
$saved_password = '...'; // Get the password from DB by user id
2。使用保存的密码验证给定的密码
if (password_verify($_POST['currentpassword'], $saved_password)) {
// Password verified
// DELETE THE USER
} else {
// Error. The password is wrong!
}
就这些了,希望对你有帮助。