dprichard Posted May 29, 2008

I am using unlink for the first time to delete files. I have permissions to write the files and am having no issues getting the files onto the server, but am getting permission denied when trying to delete them.

    Warning: unlink(../galleries/uploads/Test/) [function.unlink]: Permission denied in photo-add.php on line 99

This is a Windows box with write permissions on the folders. I am trying to make sure I do this right and make sure I am not opening up any security holes. What permission do I need on this folder and what security concerns should I consider when deleting files?

Thank you for any and all advice.

rhodesa Posted May 29, 2008

Well, by the looks of it, you are trying to delete a folder, not a file. Can you post the code or at least the few lines before and after line 99?

craygo Posted May 29, 2008

Are you using Apache or IIS?

dprichard Posted May 29, 2008

IIS

rhodesa Posted May 29, 2008

Again... I will point out... are you trying to delete a folder or a file?

Other than that... if it's IIS... I tag out. It's all yours, craygo!

dprichard Posted May 29, 2008

I am trying to delete a file, but it doesn't seem to be pulling in my file name.

    if (file_exists("../galleries/uploads/".$row_galleryinfo['Name']."/".$row_photoinfo['FileName'])) {
        unlink("../galleries/uploads/".$row_galleryinfo['Name']."/".$row_photoinfo['FileName']);
    }

craygo Posted May 29, 2008

lol Rhodesa

In IIS you have to give full control if you want to delete subfolders and files. The default user for IIS is IUSR_computername, where computername is the name of your computer.

So if you want to delete files in one particular folder then you can give modify rights to the account in that folder. If you want to delete files AND folders you have to give full control to the IUSR account.

So in the case above you can give full control to the uploads folder. Also, when you change the permissions click Advanced and check off "Replace permission entries on all child...." This will reset all permissions on the files and folders below, like a recursive chmod in Linux.

Hope that makes sense.

Ray

rhodesa Posted May 29, 2008

Gotcha... but yeah. Seems to be not finding the filename. Where is the code that sets $row_photoinfo['FileName']?

Also, you may want to use is_file() instead of file_exists() because file_exists() will return true if it's a folder.

dprichard Posted May 29, 2008

Okay, I figured out why it wouldn't delete. My photo name was not coming in.

What security concerns should I have in doing deletions? What things should I watch out for?

rhodesa Posted May 29, 2008

The biggest security risk is when you allow user input. Is any part of the filename coming from GET or POST? Besides that, just make sure your paths are correct.

dprichard Posted May 29, 2008

Yes, the PhotoId is coming from a post. Then I query the database for the filename for the photoid. I am doing this before the query though:

    $PhotoId = '';
    $PhotoId = mysql_real_escape_string($_POST['PhotoId']);

Then my query. Should I take additional precautions beyond this?

Thank you so much for your input.

ravi.kinjarapu Posted May 29, 2008

Are you using Unix or Windows? Please confirm that.

rhodesa Posted May 29, 2008

> Yes, the PhotoId is coming from a post. Then I query the database for the filename for the photoid. I am doing this before the query though:
>
>     $PhotoId = '';
>     $PhotoId = mysql_real_escape_string($_POST['PhotoId']);
>
> Then my query. Should I take additional precautions beyond this?
>
> Thank you so much for your input.

That should be good as long as you test to make sure a record is found before doing any unlinking.

dprichard Posted May 29, 2008

Thank you Rhodesa for your help!

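Added example, not code from any poster in this thread: one way to combine the advice above (treat the posted PhotoId as untrusted, confirm a record was found, use is_file() rather than file_exists()) with a check that the resolved path stays under the uploads folder before unlink() runs, which goes a step beyond "make sure your paths are correct". The function names, the in-memory $photos array standing in for the database query, and the temp directory are assumptions constructed for the demo.

```php
<?php
// Hypothetical helpers for illustration; $photos stands in for the DB lookup.

// Accept only a positive integer id, then return the matching row or null.
function lookup_photo(array $photos, $postedId): ?array
{
    $id = filter_var($postedId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : ($photos[$id] ?? null);
}

// Delete the file described by $row only if it is a regular file under $uploadsRoot.
function delete_photo(string $uploadsRoot, ?array $row): string
{
    if ($row === null) {
        return 'no-record';            // no matching record: never call unlink()
    }
    $root = realpath($uploadsRoot);
    if ($root === false) {
        return 'bad-root';
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $row['Name']
               . DIRECTORY_SEPARATOR . $row['FileName'];
    if (!is_file($candidate)) {
        return 'not-a-file';           // an empty FileName resolves to the folder
    }
    // Resolve ".." and links, then require the result to sit below the root.
    $real = realpath($candidate);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return 'outside-root';
    }
    return unlink($real) ? 'deleted' : 'unlink-failed';
}

// Constructed demo data: a throwaway directory tree and three sample rows.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'unlink_demo_' . uniqid();
mkdir($base . '/uploads/Test', 0700, true);
file_put_contents($base . '/uploads/Test/photo1.jpg', 'x');
file_put_contents($base . '/secret.txt', 'x');   // lives outside uploads/
$photos = [
    1 => ['Name' => 'Test', 'FileName' => 'photo1.jpg'],
    2 => ['Name' => 'Test', 'FileName' => ''],                  // the bug from this thread
    3 => ['Name' => 'Test', 'FileName' => '../../secret.txt'],  // bad stored filename
];
foreach (['1', '2', '3', '99', '1 OR 1=1'] as $posted) {
    $result = delete_photo($base . '/uploads', lookup_photo($photos, $posted));
    echo $posted, ' => ', $result, "\n";
}
```
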
Archived
This topic is now archived and is closed to further replies.