-3

  • Let's say I have an user registered on my website and they now want to delete the account.

  • I've a query to do that but every time the user uses this functionality the code deletes all users.

Here is my code:

<?php 
// starts session
session_start();

// set values
$DB_SERVER = 'localhost';
$DB_USERNAME = 'root';
$DB_PASSWORD = '';
$DB_NAME = 'acoolname';

// creates a new connection to the database
$conn = new mysqli($DB_SERVER, $DB_USERNAME, $DB_PASSWORD, $DB_NAME);

// checks connection
if ($conn->connect_error) {
  die("ERRO: Falha ao conectar. " . $conn->connect_error);
}

// query to delete the user
$sql = "DELETE FROM users WHERE id = id";

// logout user
if ($conn->query($sql) === true) {
  header("location: logout.php");
}else {
  echo "ERRO: Falha ao conectar. " . $conn->error;
}

// close connection
$conn->close();
?>
rrenildopereiraa
  • 7
  • 1
  • 7
  • 1
    `WHERE id = 1` might work or better still use a parameterised and bound query `WHERE id = ?` – RiggsFolly May 17 '22 at 11:31
  • *"WHERE id = id"* - Every record in the table will match this condition... – David May 17 '22 at 11:32
  • 1
    `DELETE FROM users WHERE id = id` Well, `id = id` will always be true and this will therefore indeed delete every user. You need to pass in the ID of the user you want to delete after `id =`. – Maximilian Krause May 17 '22 at 11:33
  • Relevant [Deleting data from database using php](https://stackoverflow.com/q/67711230/1839439) – Dharman May 17 '22 at 11:45

3 Answers3

3

id = id always returns true, so the query indeed deletes all the users.

The safe way to delete a specific user is to use prepared statements, in order to avoid SQL injection.

Something like

$stmt = $conn->prepare('DELETE FROM users WHERE id = ?');
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->close();
Sophia Koulen
  • 302
  • 1
  • 7
  • 1
    `$stmt->close();` seems redundant and I don't know why you included it. – Dharman May 17 '22 at 11:41
  • thanks for the help i've used my session variable to delete the current user :) about the sql injection well this is a school work so i don't i do need to worry about sql injection atm... – rrenildopereiraa May 18 '22 at 19:23
1

Your WHERE condition compares for each row whether the id for the current row matches the id. In other words, the queries compares the field with itself which yields truefor every row. Therefore every row gets deleted.

You have to replace the second id with either a variable that contains the id-value for the current user, or with the id for the current user. The latter is susceptible for SQL injection. See this question how to insert parameters into the query, safely.

Christof Wollenhaupt
  • 521
  • 1
  • 3
  • 9
0
<?php 
// starts session
session_start();

// set values
$DB_SERVER = 'localhost';
$DB_USERNAME = 'root';
$DB_PASSWORD = '';
$DB_NAME = 'acoolname';

// creates a new connection to the database
$conn = new mysqli($DB_SERVER, $DB_USERNAME, $DB_PASSWORD, $DB_NAME);

// checks connection
if ($conn->connect_error) {
  die("ERRO: Falha ao conectar. " . $conn->connect_error);
}

// query to delete the user

//Collect the specific user you want to delete from your form
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["user"])) {
    $username = $_POST["user"];

 // Delete user with the specified username
    $sql = "DELETE FROM users WHERE username = '$username'";

// logout user
if ($conn->query($sql) === true) {
  header("location: logout.php");
}else {
  echo "ERRO: Falha ao conectar. " . $conn->error;
}

// close connection
$conn->close();
?>

Missing page of your code is - 
//Collect the specific user you want to delete from your form
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["user"])) {
    $username = $_POST["user"];
user22373045
  • 1