sagar_24 Posted September 20, 2017

I want to delete files (image files) with different extensions (like jpg, png) having the same name. I don't know what's wrong. My code seems alright. Here I'm taking the file name from HTML.

HTML:

    <a href="123.php?file=2"><button class="btn2">Delete File:2</button></a>

PHP:

    <?php
    $base_directory = 'uploads/';
    if(unlink($base_directory.$_GET['file*.*']))
        echo "File Deleted.";
    ?>

And I've even tried passing the extensions through HTML as well, which felt quite alright too. But it didn't work at all. Please shed some light on what seems to be the problem, would appreciate it.

HTML:

    <a href="123.php?file=2.jpg && file=2.png"><button class="btn2">Delete File:2</button></a>

PHP:

    <?php
    $base_directory = 'uploads/';
    if(unlink($base_directory.$_GET['file']))
        echo "File Deleted.";
    ?>

ginerjm Posted September 20, 2017

Not that I condone this style of coding but how about this:

    if(unlink($base_directory.$_GET['file'] . '*.*'))

requinix Posted September 20, 2017 (Solution)

I don't believe unlink() works with patterns, so glob + loop + unlink.

sagar_24 (Author) Posted September 20, 2017

> Not that I condone this style of coding but how about this:
>
>     if(unlink($base_directory.$_GET['file'] . '*.*'))

Right when I saw this I was sure this is what I wanted. Unfortunately it didn't work. Thanks for replying though.

sagar_24 (Author) Posted September 20, 2017

> I don't believe unlink() works with patterns, so glob + loop + unlink.

My first try was with glob, but in my case glob wasn't able to locate the directory, so I went ahead with this. Could you give me a link or example or glob similar to my case? Appreciate the reply.

Jacques1 Posted September 20, 2017

This script will delete anything the user asks for as long as the webserver has permissions to do so. Since a lot of web applications are both running under and owned by the same webserver account, this means a user can probably wipe your entire document root – and maybe more.

Do – not – trust – user – input. Do not let it anywhere near a file path, unless you've extensively validated the input and made sure it's harmless.

Using GET requests to delete data is also a very bad idea, because this violates the HTTP protocol. GET is strictly for getting data (hence the name) and mustn't have any side effects. If you break that assumption, you quickly end up with accidental deletions due to page reloads, bookmarks etc. On top of that, your code is wide open to CSRF attacks, which means that more or less everybody can freely delete files on your server.

Learn the basics of HTTP, especially the meaning of GET and POST. Understand that the WWW is a public infrastructure with a lot of hostile activity. Even if you think your website is restricted to a handful of users, that's not actually the case. The script you've shown can be attacked by anybody who has read a few Wikipedia articles.

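Added example, not part of any post in this thread: one way to combine the glob + loop + unlink suggestion with the points raised in the post above (validated input, POST instead of GET, a CSRF token). The POST field names file and token, the session key csrf_token and the extension allow-list are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread; field names and session key are assumed.
session_start();
// Absolute path, so glob() does not depend on the current working directory.
const UPLOAD_DIR  = __DIR__ . '/uploads';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/** Delete uploads/<id>.<allowed extension>; returns the file names removed. */
function delete_images(string $dir, string $id, array $allowedExt): array
{
    // Digits only: no slashes, dots or glob metacharacters reach the path.
    if (!preg_match('/\A[0-9]{1,10}\z/', $id)) {
        throw new InvalidArgumentException('invalid file id');
    }
    $deleted = [];
    // unlink() takes one literal path, so expand the pattern with glob() first.
    foreach (glob($dir . '/' . $id . '.*') ?: [] as $path) {
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        // Leave directories, symlinks and non-image files (e.g. 2.php) alone.
        if (!in_array($ext, $allowedExt, true) || is_link($path) || !is_file($path)) {
            continue;
        }
        if (unlink($path)) {
            $deleted[] = basename($path);
        }
    }
    return $deleted;
}
// Deleting is a side effect, so refuse GET and anything else that is not POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}
// The form must send back the random token stored in the session when it was rendered.
$known = $_SESSION['csrf_token'] ?? '';
$token = $_POST['token'] ?? '';
if (!is_string($known) || $known === '' || !is_string($token) || !hash_equals($known, $token)) {
    http_response_code(403);
    exit('Invalid CSRF token.');
}
$id = is_string($_POST['file'] ?? null) ? $_POST['file'] : '';
try {
    $deleted = delete_images(UPLOAD_DIR, $id, ALLOWED_EXT);
    echo $deleted ? 'Deleted: ' . htmlspecialchars(implode(', ', $deleted)) : 'No matching file.';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid file id.';
}
```

The page that renders the delete button would store a token such as bin2hex(random_bytes(32)) in the session and submit it, together with the file id, from a form with method="post" rather than from a link.
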
sagar_24 (Author) Posted September 20, 2017

> This script will delete anything the user asks for as long as the webserver has permissions to do so. Since a lot of web applications are both running under and owned by the same webserver account, this means a user can probably wipe your entire document root – and maybe more.
>
> Do – not – trust – user – input. Do not let it anywhere near a file path, unless you've extensively validated the input and made sure it's harmless.
>
> Using GET requests to delete data is also a very bad idea, because this violates the HTTP protocol. GET is strictly for getting data (hence the name) and mustn't have any side effects. If you break that assumption, you quickly end up with accidental deletions due to page reloads, bookmarks etc. On top of that, your code is wide open to CSRF attacks, which means that more or less everybody can freely delete files on your server.
>
> Learn the basics of HTTP, especially the meaning of GET and POST. Understand that the WWW is a public infrastructure with a lot of hostile activity. Even if you think your website is restricted to a handful of users, that's not actually the case. The script you've shown can be attacked by anybody who has read a few Wikipedia articles.

Thank you so much for the info, sir, and as I'm a noob I'll surely understand security norms of HTTP as time goes. But for now this is just a college project that I'm working on, and the real-life implementation only requires the admin to make all changes; that's the reason I'm not concerned with my script security here. But I do appreciate the knowledge.

requinix Posted September 20, 2017

> My first try was with glob, but in my case glob wasn't able to locate the directory, so I went ahead with this. Could you give me a link or example or glob similar to my case? Appreciate the reply.

If you want an example then the documentation is a great place to look.

Jacques1 Posted September 20, 2017

> But for now this is just a college project [...]

If I got a dollar every time somebody says this, I would be a rich man.

I don't know what kind of college this is, but my professors actually checked my work and would have immediately rejected a submission which doesn't even survive the most basic tests. This is not just wrong. It shows a fundamental misunderstanding of programming basics.

sagar_24 (Author) Posted September 20, 2017

> If I got a dollar every time somebody says this, I would be a rich man.
>
> I don't know what kind of college this is, but my professors actually checked my work and would have immediately rejected a submission which doesn't even survive the most basic tests. This is not just wrong. It shows a fundamental misunderstanding of programming basics.

Haha, you'll be rich anyways. I know the college is too bad to care. But this project is like a notice board to keep students updated, so only the admin will have the IP or access to do it, and so as not to misunderstand any basics I'm using glob instead of get now.

sagar_24 (Author) Posted September 20, 2017

> If you want an example then the documentation is a great place to look.

Thanks for the help Bud!