Thread: https://forums.phpfreaks.com/topic/204032-having-some-trouble-with-unlink-function/

kuyaRomeo, posted June 6, 2010

I have a few years' experience in PHP, but nothing too hard core. Right now I am trying to create a delete button on a form that will remove the MySQL content for the item selected and also delete the image related to the item. The unlink function is turning into a headache, and I can't seem to get it just right. Here is what I have (below) and I'm hoping someone can point me in the right direction to get this corrected.

```php
$urldel = $_POST['url2'];
// note: this builds an http:// URL, not a filesystem path
if (file_exists("http://www.mysite.com/showcase/" . $urldel)) {
    echo "File does exist";
    unlink("http://www.mysite.com/showcase/" . $urldel);
} else {
    echo "The file does not exist";
}
```

Additional information: the passing of the name of the image as $urldel works fine. If I simply do a print of $urldel, it shows correctly. Also, if I put the delete script directly inside my image folder and use just the image name, unlink works correctly, so I gather there is something wrong in how I am creating my URL with the $urldel.

Thanks in advance
teynon, posted June 6, 2010

I don't remember if you can use URLs in unlink or not. Try it without the URL. You also need to do some SERIOUS validation on the post value. I could delete your server if you don't validate that baby.
kuyaRomeo (author), posted June 6, 2010

> I don't remember if you can use URLs in unlink or not. Try it without the URL. You also need to do some SERIOUS validation on the post value. I could delete your server if you don't validate that baby.

Thanks for the fast response. A couple of questions:

(1) When you say try it without the URL, does that mean the script must be in the showcase folder? I have tested this and it works, but I also have a showcase/thumbs folder with a second image to delete, and I would prefer to do it within one script if possible.

(2) Not sure what I need to do for the validation of the post value? Can you point me in the right direction here? On my form, I have a delete button. Also on the form is a text box that displays the name of the image. The textbox name is 'url2'. This is the value I pass over to the delete script: the name of the image to delete. What type of validation can I do to ensure only .jpg files can be passed? What other validation would make this safer?
teynon, posted June 6, 2010

Ok, first and foremost, the validation should prevent path manipulation. So you should either automatically remove all slashes or just kill the script if you find slashes in the file name.

```php
// reject the name if it contains a forward slash or a backslash
// (single quotes so the backslashes reach PCRE intact)
if (!preg_match('@^[^/\\\\]+$@', $file)) {
    die("Oi. Who you think you're messing with?");
}
```

Second, when I say without the URL, I mean without the URL. It should be server local.

```php
$file = "image.jpg";
$dir  = "myDir";
if (unlink($dir . "/" . $file)) {
    echo "Shazam.";
} else {
    echo "Damnit.";
}
```
siva.katir, posted June 6, 2010

As teynon said, the key for unlink is that it is a local server path, not a URL. So it should be something like /home/me/mysite.com/myfolder/myfile.jpg

To unlink multiple files you have to run it once for each one. I'm pretty sure you can't unlink more than one file at a time across different directories.

But from a post, absolutely make sure that the data can't manipulate the file path. The safest would be to not allow the file name to actually be passed to the function. If you know that user bob can only delete bob.jpg and bob's thumb.jpg, you may want to write it so that the script goes off of that instead of relying on the form's data.

A trick I do is using the PHP session. If a user is looking at an image that PHP knows they own, the session has extra variables set (such as $_SESSION['image_id']); when they request a delete, both the regular authentication has to pass and the session variables have to match. That way you can't delete an image that you weren't looking at.
teynon, posted June 6, 2010

When it comes down to absolute 100% path security, which is very arguable, you should do the below:

1) Require a login.

1a) The login should create a unique key stored in a cookie. That cookie should be stored in the database along with the IP address. Every time the page is loaded, you should check that both the IP and the key are correct. This links the browser and the computer's current IP to the login. If the IP changes or the code isn't present, he won't be logged in.

2) Have a random key with the POST form that is checked on receipt of the form. This keeps the user's web site from being manipulated by a third-party website. In addition to this, you could also check the PHP referer value.

3) You could reference the file name based on an ID in the database rather than letting them have anything to do with it.

4) You should still validate the file name for paths or modifications.
kuyaRomeo (author), posted June 6, 2010

Thank you both, Tenyon and siva.katir, for your help!! I was able to get the unlink function to work by using the /home/account/public_html/showcase/ path instead of the www URL. Thank you so much for helping me. I have struggled for the last two days trying to figure out why this was not working for me.

As for the validation and security: already there is a login session required. The only one who will be deleting items will be the admin. This unlink function is only available to the admin, when logged in. I am simply creating a way for the admin to load and unload items to display in her showcase. Also, I will change the way the item is deleted. Instead of passing the name of the image directly from the POST form, I will pass a hidden ID and draw the name of the image from a SQL SELECT on that ID. Do you think this will be enough?

Thanks again
siva.katir, posted June 6, 2010

Sounds safe enough.
kuyaRomeo (author), posted June 6, 2010

@teynon Sorry about the typo (Tenyon). I fell behind on work and skipped proofreading before posting. Sorry.
teynon, posted June 6, 2010

It's ok. I'm in Iraq right now and my last name (Eynon) gets said about 10 different ways anyway. Just remember, though, that you can't trust form values just because it's hidden.
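A delete handler that puts the thread's advice together (local path instead of a URL, login check, a per-session form token, an ID looked up in the database instead of a user-supplied file name, validation of the stored name anyway, and a containment check before unlink on both the image and its thumbnail). This is an added example, not code posted by anyone in the thread; it assumes a PDO connection with a placeholder DSN, an `images` table with `id` and `filename` columns, `$_SESSION['is_admin']` and `$_SESSION['csrf']` being set at login, and the showcase/ plus showcase/thumbs/ layout from the first post.

```php
<?php
// Added example, not from the thread. Assumed: PDO connection details, an
// `images` table (id, filename), $_SESSION['is_admin'] and $_SESSION['csrf']
// set at login, and the showcase/ + showcase/thumbs/ layout from the first post.
declare(strict_types=1);
session_start();
// unlink() needs a local filesystem path, never an http:// URL.
$base = realpath('/home/account/public_html/showcase') ?: exit('Showcase dir missing');
// 1) Require a login; only the admin may delete.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Login required');
}
// 2) Per-session token echoed back by the form, so a third-party site
//    cannot submit the delete form on the admin's behalf.
$token = (string)($_POST['csrf'] ?? '');
if (!isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(400);
    exit('Bad request');
}
// 3) The hidden field carries a numeric ID, not a file name; it is still
//    untrusted input, so validate it before it reaches the query.
$id = filter_input(INPUT_POST, 'image_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if (!$id) {
    exit('Invalid id');
}
$pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass'); // assumed DSN
$stmt = $pdo->prepare('SELECT filename FROM images WHERE id = ?');
$stmt->execute([$id]);
$name = $stmt->fetchColumn();
if ($name === false) {
    exit('No such image');
}
// 4) Validate the stored name anyway: one path component, .jpg only.
if ($name !== basename($name) || !preg_match('/^[A-Za-z0-9_-]+\.jpe?g$/i', $name)) {
    exit('Refusing to delete: unexpected file name');
}
// Delete the image and its thumbnail; each resolved path must stay under $base.
foreach (["$base/$name", "$base/thumbs/$name"] as $path) {
    $real = realpath($path);
    if ($real === false || strpos($real, $base . '/') !== 0) {
        continue; // missing, or resolved outside the showcase directory
    }
    if (!unlink($real)) {
        error_log("unlink failed for $real");
    }
}
$pdo->prepare('DELETE FROM images WHERE id = ?')->execute([$id]);
echo 'Deleted';
```

The form that posts to this script must include the `image_id` hidden field and the `csrf` token from the session; the DB row is removed only after the file deletions are attempted, so a failed unlink is logged rather than leaving the row pointing at a file that was silently kept.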