  1. #1
    SitePoint Enthusiast
    Join Date
    Sep 2011
    Posts
    45
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Delete file uploads?

    Is this possible? I have a file upload site and I want to be able to give users the opportunity to delete uploaded files by clicking a link.

    My code is below:

    PHP Code:
    <?php
    ob_start();

    session_start();

    // Allowed file extensions (lower-case, without the dot)
    $extensions = array("jpg", "png", "jpeg", "gif", "zip", "rar", "swf", "tiff", "bmp", "txt", "fla", "7z", "tar", "gz", "iso", "dmg", "mp3", "wav", "m4a", "aac", "doc", "docx", "xls", "rtf", "ppt", "bsd", "exe", "psd", "c4d", "pdf", "dwg", "max", "ipa", "vtf", "iam", "ipt", "flv", "scr");
    $maxsize = 104288000; // maximum upload size in bytes
    $server = "http://www.andre1990.com";

    $name = $_FILES['file']['name'];
    $temp = $_FILES['file']['tmp_name'];
    $size = $_FILES['file']['size'];

    // Random 20-character directory name for this upload
    $random = md5(uniqid(rand(), true));
    $random = substr($random, 0, 20);

    // Nothing was uploaded
    if (!$name || !$temp || !$size)
    {
       header("Location: index.php?feedback=Please select a file.");
       exit();
    }

    // Reject any upload whose extension is not in the allowed list
    foreach ($_FILES as $file)
    {
     if ($file['tmp_name'] != null)
     {
        $thisext1 = explode(".", strtolower($file['name']));
        $thisext = $thisext1[count($thisext1)-1];
      if (!in_array($thisext, $extensions))
      {
           header(sprintf("Location: index.php?feedback=The file extension \"%s\" is not allowed.", $thisext));
           exit();
      }
     }
    }

    if ($size > $maxsize)
    {
       header("Location: index.php?feedback=The file size is too large.");
       exit();
    }

    // Store the file as Uploads/<random>/<original name>
    $destination = "Uploads/".$random;
    mkdir($destination);
    move_uploaded_file($temp, $destination."/".$name);

    // Public URL shown to the uploader
    $final = $server."/".$destination."/".$name;

    ?>

    <?php ob_start(); ?>

    <!DOCTYPE html>
    <html>
    <head>
    <title>File Uploaded!</title>
    <link rel="stylesheet" href="style.css" type="text/css">
    <link REL="SHORTCUT ICON" HREF="http://www.sitepoint.com/forums/images/favicon.ico">
    </head>
    <body>
        <div id="topbar">
            <div class="content">
                <div class="logo"><img src="http://www.sitepoint.com/forums/images/logo.png" height="90"/></div>
            </div>
        </div>
        <div id="navbar">
            <ul>
                <li><a href="http://www.andre1990.com" id="active">Uploaded! Back Home?</a></li>
                <li><a href="http://www.andre1990.com/tos.php">TOS</a></li>
                <li><a href="http://www.andre1990.com/faq.php">FAQ</a></li>
                <li><a href="http://www.andre1990.com/contact.php">Contact Us</a></li>
                <li><a href="http://www.andre1990.com/donate.php">Donate</a></li>
            </ul>
    </span>
    </center>
    <div id="main"><center>
         <div id="side1"><br><BR><BR>
    <br /><strong>Uploaded!</strong><br />       
            <span class="small">
            <br />
            Direct download/view:<br />
            <input type="text" size="28" onClick=select() value="<?php echo $final?>" READONLY><p />
            Forum Code download/view:<br /><br />
            <input type="text" size="38" onClick=select() value="<?php echo $final?>" READONLY><p />
    Delete Link:<br><br>
    <input type="text" size="38" onClick=select() value="<?php echo ??? ?>" READONLY><p />
            <a href="index.php">Upload another file?</a>
            </span>    
                    <div class="clear"></div></center>
                </div></CENTER>
    <br><center><span class="small">&copy; andre1990.</span></center>
    <center><a href="http://www.facebook.com/pages/andre1990/186225441417890"><img src="http://www.sitepoint.com/forums/images/facebook.ico"></a></center>
            </div>
            </div>
            <div class="clear"></div>
        </div>
    </body>
    </html>
    Last edited by SpacePhoenix; Sep 11, 2011 at 01:42. Reason: swapped code tags for php tags around php script

  2. #2
    SitePoint Member
    Join Date
    Sep 2011
    Posts
    15
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You're looking for unlink.

  3. #3
    SitePoint Enthusiast
    Join Date
    Sep 2011
    Posts
    45
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hey,

    Thanks, I did think I would need it.

    Could you help me out and show me how it's used? I've tried to create a file called delete.php with the unlink in it, but it didn't delete the file that had been uploaded to the server.

    Below is what I used.

    Code:
    unlink("/var/www/vhosts/uploadvillage.com/httpdocs/Uploads/".$_GET['file_name']);

  4. #4
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If I visit delete.php?file_name=../index.php there's a chance I could delete your index.php file with your script.

    $_GET is under the user's control.

    If it didn't work, the file may not exist, $_GET['file_name'] may not have what you expect, or the permissions might be wrong.
    Did you echo "/var/www/vhosts/uploadvillage.com/httpdocs/Uploads/".$_GET['file_name'] ?
    Did you use file_exists?

  5. #5
    Non-Member bronze trophy
    Join Date
    Nov 2009
    Location
    Keene, NH
    Posts
    3,760
    Mentioned
    23 Post(s)
    Tagged
    0 Thread(s)
    Cranial bore is right -- I'd str_replace out ".." so nobody can make the file_name contain "../../../../../../", letting them delete any file PHP has the rights to delete on the server. Likewise I'd probably rip out path slashes too. Sending anything from $_GET to a system command like unlink is usually a really bad idea.

    Rather than file_exists, I'd consider pulling a list of valid values using glob and compare against it -- since file_exists can pull up files anywhere on the drive if the URL is compromised -- where if you glob up a list of valid choices from the one directory it's allowed to target, you'll be in much better shape.

    Could also probably use pathinfo to clean it... since that could be used to strip the path clean off the request. Actually, that would be a lot better than using str_replace.

    Code:
    // PATHINFO_BASENAME strips any directory part but keeps the extension
    $replaceName=pathinfo($_GET['file_name'],PATHINFO_BASENAME);
    $replacePath='/var/www/vhosts/uploadvillage.com/httpdocs/Uploads/'.$replaceName;
    if (file_exists($replacePath)) {
    	unlink($replacePath);
    } else {
    	/*
    		Do not echo out full path! Would reveal server path info 
    		that could be used to exploit the server
    	*/
    	// Escape the user-supplied name before writing it into the page
    	echo '
    		Error! -- Requested file not found<br />
    		',htmlspecialchars($replaceName);
    }
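
Added example (not part of any post in this thread): the glob allowlist approach suggested in post #5, combined with a realpath containment check so a symlink inside the upload directory cannot redirect the delete. The function name `resolveDeletable()`, the flat upload directory and the sample request values are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. resolveDeletable() and the
// temporary demo directory are hypothetical names chosen for illustration.

/**
 * Return the real path of $requested only when it exactly matches the name
 * of a regular file directly inside $uploadDir; otherwise return null.
 */
function resolveDeletable(string $uploadDir, string $requested): ?string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // Allowlist built with glob from the single directory deletes may target.
    // glob('*') skips dotfiles, so names such as .htaccess are never eligible.
    $allowed = [];
    foreach (glob($base . DIRECTORY_SEPARATOR . '*') ?: [] as $entry) {
        if (is_file($entry)) {
            $allowed[] = basename($entry);
        }
    }
    // Exact, strict comparison: any value carrying "/" or ".." cannot match.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // A symlink inside the directory could still point elsewhere; require
    // that the resolved file really lives in $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed sample data: one uploaded file in a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample');

// Constructed request values standing in for $_GET['file_name'].
foreach (['../index.php', 'sub/../report.pdf', 'missing.txt', 'report.pdf'] as $request) {
    $path = resolveDeletable($dir, $request);
    $ok = $path !== null && unlink($path);
    echo ($ok ? 'deleted: ' : 'refused: ') . $request . PHP_EOL;
}
rmdir($dir);
```

Because the request is compared against names read from the directory itself, nothing from `$_GET` is ever concatenated into a path until it has matched an existing entry.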

