Using $_GET

crawfd


I want to read files in a folder and create an action to delete them. I can read the files, however my script currently isn't deleting them. It's passing the correct url which includes the image name in the address. I'm trying to grab the image name using GET and use it for unlink.

    <?php 

extract($_REQUEST);

if ($handle = opendir('content/clients/'.$_SESSION['username'].'')) { 
while (false !== ($file = readdir($handle))) {  

if ($file != "." && $file != "..") {  

  echo "$file\n | <a href=$PHP_SELF?action=upload&file=remove&file=$file>Delete</a><br>";  

        }  

    } 
    closedir($handle);  

}

extract($_REQUEST);

if($file == "remove"){
$thefile = $_GET['file']; 
unlink("content/clients/".$_SESSION['username']."/$thefile");            

}

?>

Weedpacket

It may be a problem where the user the web server is running as doesn't have permission to delete files. Without knowing any more about the symptoms it's hard to say (is $PHP_SELF defined?).

Meanwhile you have an enormous showstopping security hole in that it is possible for anyone to attempt to delete any file they want on your system. They probably won't have permission, but the risk is serious: you make no attempt to check that the content of $_GET['file'] is a file that the user is supposed to be able to delete.

Incidentally, those two calls to extract seem to be superfluous.

crawfd

Weedpacket,

I manually entered in a direct unlink address to a file and it deleted. I do have permissions....

The code is contained within a session, ..if a user is not part of a session they cannot even access the example code I've supplied.

Weedpacket

Originally posted by crawfd
I manually entered in a direct unlink address to a file and it deleted. I do have permissions....

You might, but does the web server? Have you checked to see what file you're trying to delete?

echo "content/clients/".$_SESSION['username']."/$thefile";

Is that correct?

The code is contained within a session, ..if a user is not part of a session they cannot even access the example code I've supplied.

So as soon as they've got a session ID given to them then they're free to try and delete any file they like from your system.

Weedpacket

So $thefile doesn't have the value it's supposed to. Have you looked to see what value it does have?

Have you looked to see exactly what file you're asking to delete?

echo "content/clients/".$_SESSION['username']."/$thefile";