-1

I already set a password for the user to log in, in phpMyAdmin. But I want to make sure that the password is deleted once the user uses it. Therefore, the user cannot login to the system twice. But I don't know how to make an SQL statement for that. I just want to delete the password without deleting the username. Can I combine the delete code with submit button?

<?php 

if(isset($_POST['submit']))
{
    include("config.php");
    session_start();
    $username = $_POST['username'];
    $password = $_POST['password'];
    $_SESSION['login_user'] = $username;
    
    $query = mysqli_query($mysqli,"SELECT username from logins WHERE username='$username' and password='$password'");
    
    if(mysqli_num_rows($query) !=0)
    {
        
        echo "<script language='javascript' type='text/javascript'>location.href='home.php'</script>";
    }
    else
    {
        echo "<script language='javascript' type='text/javascript'>alert('Username or Password invalid!')</script>";
    }
}

?>

Thank you.

qyioma
  • 15
  • 6
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Jun 17 '21 at 10:35

1 Answers1

-1

Add an SQL UPDATE statement before your redirect your user. And do not save the password as plain text in your DB: Best way to store passwords in MYSQL database

But an better idea is, that you will add an timestamp to your database with the last login. If the timestamp is NULL, than the user can login. If it is not empty the user can not login.

But here the example for the given code:

(Security manuel: https://www.php.net/manual/en/mysqli.real-escape-string.php)

if(isset($_POST['submit']))
{
    include("config.php");
    session_start();
    $username = mysqli_real_escape_string($mysqli, $_POST['username']);// add a little bit security at this point
    $password = mysqli_real_escape_string($mysqli, $_POST['password']); // add a little bit security at this point
    $_SESSION['login_user'] = $username;
    
    $query = mysqli_query($mysqli,"SELECT username from logins WHERE username='$username' and password='$password' and password IS NOT NULL"); // check that the password is not empty
    
    if(mysqli_num_rows($query) !=0)
    {
        // update your DB row
        // if you got an ID, than do it with the ID and not with the $username and $password
        mysqli_query($mysqli,"UPDATE logins SET password = NULL WHERE username='$username' and password='$password'");

        // to do it better use instead of JavaScript PHP for the redirect. In this case it is important, that nothing is printed out bevore the `header()`:
        header("Location: home.php");
        exit;

        // try to not mix it up if you are on an pure PHP page
        // echo "<script language='javascript' type='text/javascript'>location.href='home.php'</script>";
    }
    else
    {
        // same as above
        header("Location: login.php?tag=login-invalid");
        exit;
        // echo "<script language='javascript' type='text/javascript'>alert('Username or Password invalid!')</script>";
    }
}

If the "password" is not NULL able, than replace the NULL through = ""

Richard
  • 618
  • 1
  • 9
  • 15