jakebur01 Posted May 9, 2014

I last used this code about 5 years ago on another website. I copied it into the current site I'm working on to list the images in a directory. As far as I can tell the path is correct. I printed $image_path out and everything looks ok, however it is triggering the error Notice: error, path not found in. I have commented out this error and it still does not run. For some reason the path is not returning anything. I checked the permissions and they look ok.

Here is the code:

```php
if(strlen($_GET['delete'])) {
    $delete_image = dirname(__FILE__) . "/PW-Files/$listingid/images/".urldecode($_GET['delete']);
    unlink($delete_image);
}

$image_path = dirname(__FILE__) . "/PW-Files/$listingid/images";
$dir_handle = null;
if (($dir_handle = opendir($image_path))) {
    trigger_error('error, path not found');
    return;
}

$html = '<table width="500" border="1">';
$file = readdir($dir_handle);
$image_types = array("jpg","jpeg","gif","png");
while (false !== ($file=readdir($dir_handle))) {
    if(in_array(strtolower(substr($file,strpos($file,".")+1)),$image_types)){
        $html .= "<tr><td><center><IMG SRC='/PW-Files/$listingid/images/{$file}' width='100' align='top' vspace='2' alt='{$file}' /></center></td><td>{$file}<br /><a href=\" PW-Image_Upload.php?delete=".urlencode($file)."\">delete image</a></td></tr>";
    }
}
closedir($dir_handle);
$html .= "</table>";
echo $html;
```
Jacques1 Posted May 10, 2014

For some strange reason, you regard a successful call of opendir() as an error:

```php
if ($dir_handle = opendir($image_path)) {
    trigger_error('error, path not found');
    return;
}
```

If the function returns a resource (which it should), the condition is fulfilled, and you complain about the path not being found. Shouldn't it be the other way round?

But what's much more important: You have a gigantic security hole in your code which allows arbitrary users to delete any file your webserver has write access to. All they have to do is manipulate the file path through the delete parameter.

Never trust user input. Never insert raw user data into file paths, queries or whatever. People will exploit this. I'm surprised this hasn't happened before. Or maybe you just didn't notice.
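A hardened version of the delete and listing logic discussed above, as an added example that is not code from either poster. `resolve_image()` is a hypothetical helper, and casting `$listingid` to an integer is an assumption about how listing ids look on this site.

```php
<?php
const IMAGE_TYPES = ['jpg', 'jpeg', 'gif', 'png'];

// Hypothetical helper: map a user-supplied name to a file inside $image_dir, or null.
function resolve_image(string $image_dir, string $name): ?string
{
    // Accept a bare file name only: no directory components, no NUL bytes.
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    // Same extension allow-list the listing uses.
    if (!in_array(strtolower(pathinfo($name, PATHINFO_EXTENSION)), IMAGE_TYPES, true)) {
        return null;
    }
    // Resolve symlinks, then confirm the file really sits in the image directory.
    $base = realpath($image_dir);
    $target = realpath($image_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false || dirname($target) !== $base || !is_file($target)) {
        return null;
    }
    return $target;
}

$listingid = (int) ($listingid ?? 0); // assumption: listing ids are integers
$image_dir = __DIR__ . "/PW-Files/$listingid/images";

// PHP has already URL-decoded $_GET values, so no urldecode() here.
$delete = $_GET['delete'] ?? '';
if (is_string($delete) && $delete !== '') {
    $path = resolve_image($image_dir, $delete);
    if ($path === null || !unlink($path)) {
        trigger_error('delete refused or failed', E_USER_WARNING);
    }
}

// opendir() returns false on failure, so the error branch tests for false.
$dir_handle = opendir($image_dir);
if ($dir_handle === false) {
    trigger_error('error, path not found', E_USER_WARNING);
    return;
}
while (false !== ($file = readdir($dir_handle))) {
    if (resolve_image($image_dir, $file) !== null) {
        $safe = htmlspecialchars($file, ENT_QUOTES); // escape names before echoing into HTML
        echo "<li>$safe <a href=\"PW-Image_Upload.php?delete=" . rawurlencode($file) . "\">delete image</a></li>\n";
    }
}
closedir($dir_handle);
```

The same validation function guards both the delete action and the listing, so a name that is never listed can never be deleted.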
jakebur01 Posted May 10, 2014 (edited May 10, 2014 by jakebur01)

Be that as it may, you have to be logged in to access this page and the only people accessing this site will be my family, which I'm not worried about. I realize that this is bad practice for security reasons, but I am still not having any success returning any images. I commented out the trigger_error, not sure how it got in the success section. Any ideas on how I could get the images to appear?
Jacques1 Posted May 10, 2014 (Solution)

So what's the new error? Is the error reporting turned on? Are you sure the webserver has all required permissions to access the folder and files?

> Be that as it may, you have to be logged in to access this page and the only people accessing this site will be my family, which I'm not worried about.

This is one of those “arguments” which just don't make sense. So you're saying you're unable or unwilling to protect the simple parts of the program, but at the same time you write perfectly secure code when it comes to much more complicated aspects like authentication? No offense, but that's hard to believe.

Anyway, if you think that saving 5 minutes of work is worth the risk, go ahead.