
I want to delete users after they submit the correct password, displaying a message that informs the user that he has been deleted.

In my code the problem is that whatever the user writes, the system considers it right and allows the deletion.

delete.php

<?php 
session_start();
$msgToUser="";
if(@!$_SESSION['user_id'])
{
    $msgToUser= '<br /><br /><font color = "#FF000">Only registered users can delete their account</font><p><a href = "register.php">Join Here</a></p>';
    exit();
}
$id = $_SESSION['user_id'];

if(isset($_POST['delete']))
{


        $del_acct_pass = $_POST['del_account_pass'];

         require_once('include/connect.php'); 
        $check_pass= mysql_query("SELECT password FROM user WHERE password = '$del_acct_pass' AND  user_id = '$id'") or die(mysql_error());
        if($check_pass)
        {
            $sql = mysql_query("SELECT * FROM user  WHERE user_id = '$id'")or die(mysql_error());
            $pass_check_num = mysql_num_rows($sql);
            if($pass_check_num >0)
            {
                $pic1=("members/$id/image01.jpg");
                if(file_exists($pic1))
                { 
                      unlink($pic1);

                }
                $dir = "members/$id";
                rmdir($dir);
                $sqltable1 = mysql_query("DELETE FROM user WHERE user_id ='$id'")or die(mysql_error());
                $sqltable1 = mysql_query("DELETE FROM blabing WHERE u_id ='$id'")or die(mysql_error());
                session_destroy();
                $msgToUser="YOUR Account Has Been Deleted!!!";
                exit();
            }
       }
       $msgToUser="<h3 style='color:#CC0000'>You must Write the Correct Password</h3>";
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Edit Page</title>
<link href='http://fonts.googleapis.com/css?family=Oswald:400,300' rel='stylesheet' type='text/css' />
<link href='http://fonts.googleapis.com/css?family=Abel|Satisfy' rel='stylesheet' type='text/css' />
<link href="default.css" rel="stylesheet" type="text/css" media="all" />

</head>

<body>

<?php /*require_once('header.php');*/ ?>
<div id="wrapper">
    <div id="page-wrapper">
        <div id="page">
            <div id="wide-content">
              <table width="70%" align="center" cellpadding="6">
              <form action="delete_account.php" method="post" name="delete_form" >
                <tr>
                  <td bgcolor="#CCCCCC">Delete Your Account </td>
                </tr>
                <tr>
                  <td>Please enter Your current Password to proceed with account deletion</td>
                </tr>
                <tr>
                  <td><input type="password" name="del_account_pass" id="del_account_pass" /></td>
                </tr>
                <tr>

                  <td><input type="submit" name="delete" id="delete" value="Delete Account" /></td>
                </tr>
                <tr>
                <td><?php echo $msgToUser; ?></td>
                </tr>
                </form>
              </table>



            </div>
        </div>
  </div>
</div>
<?php  require_once('footer.php'); ?>


</body>
</html>
Brian Tompsett - 汤莱恩
user2372265
  • Your second sentence makes no sense, please clarify. – Security Hound May 12 '13 at 08:35
  • Please be aware that your code is vulnerable to [SQL injection](http://en.wikipedia.org/wiki/SQL_injection). You should ensure you properly escape user input. In this case `$del_acct_pass` and potentially `user_id`, depending on how that is generated. – Steve May 12 '13 at 08:36

4 Answers


This if statement is wrong:

if($check_pass)

$check_pass will be a resource id, and it will always be non-empty whether you get results or not. You should check with mysql_num_rows whether it returned any data, like this:

if (mysql_num_rows($check_pass)>0) {

      //write your delete code here

}
chandresh_cool

You have to pass the first query's resource here rather than the second query's.

$pass_check_num = mysql_num_rows($sql);

should be

$pass_check_num = mysql_num_rows($check_pass);
Yogesh Suthar

I think instead of doing this:

$check_pass= mysql_query("SELECT password FROM user WHERE password = '$del_acct_pass' AND  user_id = '$id'") or die(mysql_error());
        if($check_pass)
        {
            $sql = mysql_query("SELECT * FROM user  WHERE user_id = '$id'")or die(mysql_error());
            $pass_check_num = mysql_num_rows($sql);
            if($pass_check_num >0)
            {

you can just simply do this:

$sql= mysql_query("SELECT password FROM user WHERE password = '$del_acct_pass' AND  user_id = '$id'") or die(mysql_error());
            $pass_check_num = mysql_num_rows($sql);
            if($pass_check_num >0)
            {
TheEwook

Your code must be like this to work, but be advised your queries are deprecated; you should use mysqli or PDO instead. It's not that hard to change them; if you continue to use this, most probably your queries won't work in the near future, not to mention the security problems. Link to Get Your Code Better

<?php 
session_start();
$msgToUser="";
if(@!$_SESSION['user_id'])
{
    $msgToUser= '<br /><br /><font color = "#FF000">Only registered users can delete their account</font><p><a href = "register.php">Join Here</a></p>';
    exit();
}
$id = $_SESSION['user_id'];

if(isset($_POST['delete']))
{


        $del_acct_pass = $_POST['del_account_pass'];

         require_once('include/connect.php'); 
        $check_pass= mysql_query("SELECT password FROM user WHERE password = '$del_acct_pass' AND  user_id = '$id'") or die(mysql_error());
         $check_pass_num = mysql_num_rows($check_pass);
          if($check_pass_num >0)
               {

                $pic1=("members/$id/image01.jpg");
                if(file_exists($pic1))
                { 
                      unlink($pic1);

                }
                $dir = "members/$id";
                rmdir($dir);
                $sqltable1 = mysql_query("DELETE FROM user WHERE user_id ='$id'")or die(mysql_error());
                $sqltable1 = mysql_query("DELETE FROM blabing WHERE u_id ='$id'")or die(mysql_error());
                session_destroy();
                $msgToUser="YOUR Account Has Been Deleted!!!";
                exit();

       }
       $msgToUser="<h3 style='color:#CC0000'>You must Write the Correct Password</h3>";
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Edit Page</title>
<link href='http://fonts.googleapis.com/css?family=Oswald:400,300' rel='stylesheet' type='text/css' />
<link href='http://fonts.googleapis.com/css?family=Abel|Satisfy' rel='stylesheet' type='text/css' />
<link href="default.css" rel="stylesheet" type="text/css" media="all" />

</head>

<body>

<?php /*require_once('header.php');*/ ?>
<div id="wrapper">
    <div id="page-wrapper">
        <div id="page">
            <div id="wide-content">
              <table width="70%" align="center" cellpadding="6">
              <form action="delete_account.php" method="post" name="delete_form" >
                <tr>
                  <td bgcolor="#CCCCCC">Delete Your Account </td>
                </tr>
                <tr>
                  <td>Please enter Your current Password to proceed with account deletion</td>
                </tr>
                <tr>
                  <td><input type="password" name="del_account_pass" id="del_account_pass" /></td>
                </tr>
                <tr>

                  <td><input type="submit" name="delete" id="delete" value="Delete Account" /></td>
                </tr>
                <tr>
                <td><?php echo $msgToUser; ?></td>
                </tr>
                </form>
              </table>



            </div>
        </div>
  </div>
</div>
<?php  require_once('footer.php'); ?>


</body>
</html>
konnection
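A hardened version of the deletion flow discussed in this thread (the row-count check the answers above correct, plus the prepared statements and proper password handling that the comment and the last answer recommend), as an added example that is not code from the question or any answer. It assumes include/connect.php defines a PDO handle $pdo and that user.password holds a password_hash() value rather than the plaintext the original compares; the table and column names are the page's own.

```php
<?php
// Added example, not code from the question or any answer: the same deletion
// flow with PDO prepared statements and password_verify(). Assumptions: a PDO
// handle $pdo is defined by include/connect.php, and user.password holds a
// password_hash() value rather than the plaintext the original compares.
session_start();

function deleteAccount(PDO $pdo, int $id, string $submittedPassword): bool
{
    // Look up the hash by user id only: the candidate password never becomes
    // part of the SQL text, so it cannot be injected.
    $stmt = $pdo->prepare('SELECT password FROM user WHERE user_id = ?');
    $stmt->execute([$id]);
    $storedHash = $stmt->fetchColumn();

    // fetchColumn() is false when no row matches; a mysql_query() resource was
    // truthy even for an empty result, which is why the original check passed.
    if ($storedHash === false || !password_verify($submittedPassword, $storedHash)) {
        return false;
    }

    // Same file clean-up as the original, with each step guarded.
    $pic1 = "members/$id/image01.jpg";
    if (is_file($pic1)) {
        unlink($pic1);
    }
    if (is_dir("members/$id")) {
        rmdir("members/$id");
    }

    // Both row deletions succeed or fail together.
    $pdo->beginTransaction();
    $pdo->prepare('DELETE FROM blabing WHERE u_id = ?')->execute([$id]);
    $pdo->prepare('DELETE FROM user WHERE user_id = ?')->execute([$id]);
    $pdo->commit();

    session_destroy();
    return true;
}

$msgToUser = '';
if (empty($_SESSION['user_id'])) {
    $msgToUser = 'Only registered users can delete their account.';
} elseif (isset($_POST['delete'])) {
    require_once 'include/connect.php';   // assumed to define $pdo
    $ok = deleteAccount($pdo, (int) $_SESSION['user_id'],
                        (string) ($_POST['del_account_pass'] ?? ''));
    $msgToUser = $ok ? 'Your account has been deleted.'
                     : 'You must enter the correct password.';
}
```

There is deliberately no exit() after setting $msgToUser, so the HTML that echoes it still renders; echo it through htmlspecialchars() in the page body.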