unlink() security question

Anon

Hey there people.
OK so I'm using unlink("file.data") to delete used up temporary files on my system.
Only problem is I need to delete files dynamically and I heard that this will cause me problems in terms of security.

e.g if I use:
unlink($variable".data")

(or whatever the correct form would be such that I include a variable in the URL call and it imputs it in the unlink command).

I hear that if I do this, people will be able to delete any file off my server. I would assume they could only delete files with the extansions ".data". Am I correct or could a malicious user delete any file they wished?
I can name the files anything I like, like "file.th67y", and all files with the ".th67y" extension are expendable, but I can't afford to lose the other files on the server.

Cheers

Jesse

Anon

I haven't tested this, but if you are using a variable that can be passed in a "GET" method (that is just included in the http:// header with a ?) then you are at great risk. If unlink just runs the unix/dos command to unlink the file, then a malicious user could send any filename followed by a ; and the unlink command would remove that file, and then choke on the .data or whatever you are adding to the end.