I have a problem with deleting an account in PHP. In detail, I am developing the back-end admin control panel site, and it has a function that allows deleting an account in the table Admin_Account. But when I delete, it also allows deleting the admin account that is currently logged in to the admin control panel site. Can someone help me prevent it from deleting an account that is currently logged in as admin?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Delete account admin</title>
</head>

<body>
<?php
    include("connect.php");
    // The id is taken straight from the query string and concatenated into the
    // SQL, and nothing compares it with the id of the admin who is logged in,
    // so this request deletes whichever row is named, the current admin included.
    $sl="delete from admin where idAdmin=".$_GET['id'];
    if(mysqli_query($con,$sl))
    {
        echo "<script language='javascript'>alert('Delete successful!');";
        echo "location.href='index.php?xem=theloai';</script>";
    }
?>

<?php include('close_ketnoi.php');?>

</body>
</html>
tRuEsAtM
Anvh
  • Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 17 '17 at 16:12

1 Answer

Two things:

1) Never delete the account from the table; instead do a soft delete (What is the best way to implement soft deletion?).

2) When you fire the query, check that $_GET['id'] is not equal to the user_id in the session.

Also check your code for vulnerabilities; it has many holes.

RahulN
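One way to put the answer's two points and the comment's advice together, as an added example that is not the asker's or the answerer's code: it validates the id, refuses to act on the logged-in admin's own id, and soft-deletes through a prepared statement instead of concatenating `$_GET['id']` into the SQL. It assumes `connect.php` provides the mysqli connection `$con` as on the page, that the login step stored the admin's id in `$_SESSION['idAdmin']`, and that the `admin` table has a nullable `deleted_at` DATETIME column for the soft delete; those three names are assumptions.

```php
<?php
// Added example, not code from the question or answer. Assumptions:
//  - connect.php defines a mysqli connection in $con (as on the page)
//  - login stored the admin's id in $_SESSION['idAdmin'] (assumed name)
//  - table admin has a nullable DATETIME column deleted_at (assumed column)
session_start();
include("connect.php");

// 1. Validate the incoming id: accept only a positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid account id.');
}

// 2. Refuse to delete the account that is currently logged in.
if (!isset($_SESSION['idAdmin'])) {
    http_response_code(401);
    exit('Not logged in.');
}
$self = (int) $_SESSION['idAdmin'];
if ($self === $id) {
    http_response_code(403);
    exit('You cannot delete the account you are logged in with.');
}

// 3. Soft delete with a prepared statement: the id is bound, never concatenated.
//    The WHERE clause repeats the self-check in SQL and skips rows already
//    marked deleted, so the row count below tells us exactly what happened.
$sql = "UPDATE admin SET deleted_at = NOW()
        WHERE idAdmin = ? AND idAdmin <> ? AND deleted_at IS NULL";
$stmt = mysqli_prepare($con, $sql);
if ($stmt === false) {
    http_response_code(500);
    exit('Could not prepare statement.');
}
mysqli_stmt_bind_param($stmt, "ii", $id, $self);
mysqli_stmt_execute($stmt);

if (mysqli_stmt_affected_rows($stmt) === 1) {
    echo "<script>alert('Delete successful!'); location.href='index.php?xem=theloai';</script>";
} else {
    http_response_code(404);
    echo 'No account was deleted.';
}
mysqli_stmt_close($stmt);
include('close_ketnoi.php');
```

With a soft delete the login query must also add `AND deleted_at IS NULL`, otherwise a "deleted" admin can still sign in; the listing page that links to this script should filter the same way so deleted rows simply disappear from the panel.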