Jump to content

Trouble with opendir


Go to solution Solved by Jacques1,

Recommended Posts

I last used this code about 5 years ago on another website.  I copied it into the current site i'm working on to list the images in a directory.  As far as I can tell the path is correct.  I printed $image_path out and everything looks ok, however it is triggering the error Notice: error, path not found in.  I have commented out this error and it still does not run.  For some reason the path is not returning anything.  I checked the permissions and they look ok.

 

Here is the code:

if(strlen($_GET['delete'])) {
		$delete_image = dirname(__FILE__) . "/PW-Files/$listingid/images/".urldecode($_GET['delete']);
		unlink($delete_image);
	}

    $image_path = dirname(__FILE__) . "/PW-Files/$listingid/images";
    $dir_handle = null;
   
    if (($dir_handle = opendir($image_path)))
    {
        trigger_error('error, path not found');
        return;
    }
    $html = '<table width="500" border="1">';
    $file = readdir($dir_handle);
    $image_types = array("jpg","jpeg","gif","png");
   while (false !== ($file=readdir($dir_handle))) {
    
		
		if(in_array(strtolower(substr($file,strpos($file,".")+1)),$image_types)){
        $html .= "<tr><td><center><IMG SRC='/PW-Files/$listingid/images/{$file}' width='100' align='top' vspace='2' alt='{$file}' /></center></td><td>{$file}<br /><a href=\" PW-Image_Upload.php?delete=".urlencode($file)."\">delete image</a></td></tr>";

		}
    }
    closedir($dir_handle);
    

   $html .= "</table>";
    echo $html;
Link to comment
https://forums.phpfreaks.com/topic/288382-trouble-with-opendir/
Share on other sites

For some strange reason, you regard a successful call of opendir() as an error:

if ($dir_handle = opendir($image_path))
{
	trigger_error('error, path not found');
	return;
}

If the function returns a resource (which it should), the conditions is fulfilled, and you complain about the path not being found. Shouldn't it be the other way round?

 

But what's much more important: You have a gigantic security hole in your code which allows arbitrary users to delete any file your webserver has write access to. All they have to do is manipulate the file path through the delete parameter.

 

Never trust user input. Never insert raw user data into file paths, queries or whatever. People will exploit this. I'm surprised this hasn't happened before. Or maybe you just didn't notice.

Be that as it may, you have to be logged in to access this page and the only people accessing this site will be my family, which i'm not worried about.  I realize that this is bad practice for security reasons, but I am still not having any success returning any images.  I commented out the trigger_error, not sure how it got in the success section.   Any ideas on how I could get the images to appear?

Edited by jakebur01
  • Solution

So what's the new error? Is the error reporting turned on? Are you sure the webserver has all required permissions to access the folder and files?

 

Be that as it may, you have to be logged in to access this page and the only people accessing this site will be my family, which i'm not worried about.

 

This is one of those “arguments” which just don't make sense. So you're saying you're unable or unwilling to protect the simple parts of the program, but at the same time you write perfectly secure code when it comes to much more complicated aspects like authentication? No offense, but that's hard to believe.

 

Anyway, if you think that saving 5 minutes of work is worth the risk, go ahead.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.