dprichard (Author), Posted May 29, 2008

I am using unlink for the first time to delete files. I have permissions to write the files and am having no issues getting the files onto the server, but am getting permission denied when trying to delete them.

Warning: unlink(../galleries/uploads/Test/) [function.unlink]: Permission denied in photo-add.php on line 99

This is a Windows box with write permissions on the folders. I am trying to make sure I do this right and make sure I am not opening up any security holes. What permission do I need on this folder, and what security concerns should I consider when deleting files? Thank you for any and all advice.

rhodesa, Posted May 29, 2008

Well, by the looks of it, you are trying to delete a folder, not a file. Can you post the code, or at least the few lines before and after line 99?

craygo, Posted May 29, 2008

Are you using Apache or IIS?

dprichard (Author), Posted May 29, 2008

IIS

rhodesa, Posted May 29, 2008

Again, I will point out: are you trying to delete a folder or a file? Other than that, if it's IIS, I tag out. It's all yours, craygo!

dprichard (Author), Posted May 29, 2008

I am trying to delete a file, but it doesn't seem to be pulling in my file name.

    if(file_exists("../galleries/uploads/".$row_galleryinfo['Name']."/".$row_photoinfo['FileName'])) {
        unlink("../galleries/uploads/".$row_galleryinfo['Name']."/".$row_photoinfo['FileName']);
    }

craygo, Posted May 29, 2008

lol Rhodesa

In IIS you have to give full control if you want to delete subfolders and files. The default user for IIS is IUSR_computername, where computername is the name of your computer. So if you want to delete files in one particular folder, then you can give modify rights to the account in that folder. If you want to delete files AND folders, you have to give full control to the IUSR account. So in the case above you can give full control to the uploads folder.

Also, when you change the permissions, click Advanced and check off "Replace permission entries on all child....". This will reset all permissions on the files and folders below, like a recursive chmod in Linux.

Hope that makes sense.

Ray

rhodesa, Posted May 29, 2008

Gotcha... but yeah, it seems to be not finding the filename. Where is the code that sets $row_photoinfo['FileName']? Also, you may want to use is_file() instead of file_exists(), because file_exists() will return true if it's a folder.

dprichard (Author), Posted May 29, 2008

Okay, I figured out why it wouldn't delete. My photo name was not coming in. What security concerns should I have in doing deletions? What things should I watch out for?

rhodesa, Posted May 29, 2008

The biggest security risk is when you allow user input. Is any part of the filename coming from GET or POST? Besides that, just make sure your paths are correct.

dprichard (Author), Posted May 29, 2008

Yes, the PhotoId is coming from a post. Then I query the database for the filename for the PhotoId. I am doing this before the query though:

    $PhotoId = '';
    $PhotoId = mysql_real_escape_string($_POST['PhotoId']);

Then my query. Should I take additional precautions beyond this? Thank you so much for your input.

ravi.kinjarapu, Posted May 29, 2008

Are you using Unix or Windows? Please confirm that.

rhodesa, Posted May 29, 2008

> Yes, the PhotoId is coming from a post. Then I query the database for the filename for the PhotoId. I am doing this before the query though:
>
>     $PhotoId = '';
>     $PhotoId = mysql_real_escape_string($_POST['PhotoId']);
>
> Then my query. Should I take additional precautions beyond this? Thank you so much for your input.

That should be good as long as you test to make sure a record is found before doing any unlinking.

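Added example, not part of any post in this thread: one way to combine the checks discussed above (a record and file name must actually be present, is_file() rather than file_exists(), and paths that stay inside the uploads folder) before calling unlink(). The function name delete_gallery_photo and the temporary demo directory are hypothetical; $gallery and $file stand for the Name and FileName values read from the database row.

```php
<?php
// Hypothetical helper (added example, not the poster's code).
// $baseDir is the uploads root; $gallery and $file are the database values.
function delete_gallery_photo(string $baseDir, string $gallery, string $file): bool
{
    // An empty file name is what turned the thread's path into a folder path.
    if ($gallery === '' || $file === '') {
        return false;
    }
    // Values from the database are still data: accept only single path
    // components, never something containing a separator or "..".
    foreach ([$gallery, $file] as $part) {
        if ($part !== basename($part) || $part === '.' || $part === '..') {
            return false;
        }
    }
    $root   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $gallery
                       . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $target === false) {
        return false; // uploads root or target does not exist
    }
    // After resolving links and "..", the target must still sit under the root.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // is_file() is false for directories, unlike file_exists().
    return is_file($target) && unlink($target);
}

// Constructed demo data in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . uniqid();
mkdir($base . DIRECTORY_SEPARATOR . 'Test', 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'Test'
                  . DIRECTORY_SEPARATOR . 'a.jpg', 'x');

var_dump(delete_gallery_photo($base, 'Test', ''));        // no file name, as in the warning
var_dump(delete_gallery_photo($base, 'Test', '../Test')); // path component with a separator
var_dump(delete_gallery_photo($base, 'Test', 'a.jpg'));   // existing regular file
```
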
dprichard (Author), Posted May 29, 2008

Thank you Rhodesa for your help!