Delete file uploads?

Is this possible? I have a file upload site and I want to be able to give users the opportunity to delete uploaded files by clicking a link.

My code is below:

<?php
ob_start();

session_start();

$extensions = array("jpg", "png","jpeg", "gif", "zip", "rar", "swf", "tiff", "bmp", "txt", "fla", "7z", "tar", "gz", "iso", "dmg", "mp3", "wav", "m4a", "aac", "doc", "docx", "xls", "rtf", "ppt", "bsd", "exe", "psd", "c4d", "pdf", "dwg", "max", "ipa", "vtf", "iam", "ipt", "flv", "scr");
$maxsize = 104288000;
$server = "http://www.andre1990.com";

$name = $_FILES['file']['name'];
$temp = $_FILES['file']['tmp_name'];
$size = $_FILES['file']['size'];

$random = md5(uniqid(rand(), true));
$random = substr($random, 0, 20);

if (!$name || !$temp || !$size)
{
   header("Location: index.php?feedback=Please select a file.");
   exit();
}

foreach ($_FILES as $file)
{
    if ($file['tmp_name'] != null)
    {
        $thisext1 = explode(".", strtolower($file['name']));
        $thisext = $thisext1[count($thisext1) - 1];
        if (!in_array($thisext, $extensions))
        {
            header(sprintf("Location: index.php?feedback=The file extension \"%s\" is not allowed.", $thisext));
            exit();
        }
    }
}

if ($size > $maxsize)
{
   header("Location: index.php?feedback=The file size is too large.");
   exit();
}

$destination = "Uploads/".$random;
mkdir($destination);
move_uploaded_file($temp, $destination."/".$name);

$final = $server."/".$destination."/".$name;

?>

<?php ob_start(); ?>

<!DOCTYPE html>
<html>
<head>
<title>File Uploaded!</title>
<link rel="stylesheet" href="style.css" type="text/css">
<link REL="SHORTCUT ICON" HREF="http://www.sitepoint.com/forums/images/favicon.ico">
</head>
<body>
    <div id="topbar">
        <div class="content">
            <div class="logo"><img src="http://www.sitepoint.com/forums/images/logo.png" height="90"/></div>
        </div>
    </div>
    <div id="navbar">
        <ul>
            <li><a href="http://www.andre1990.com" id="active">Uploaded! Back Home?</a></li>
            <li><a href="http://www.andre1990.com/tos.php">TOS</a></li>
            <li><a href="http://www.andre1990.com/faq.php">FAQ</a></li>
            <li><a href="http://www.andre1990.com/contact.php">Contact Us</a></li>
            <li><a href="http://www.andre1990.com/donate.php">Donate</a></li>
        </ul>
    </div>
<div id="main"><center>
     <div id="side1"><br><BR><BR>
<br /><strong>Uploaded!</strong><br />       
        <span class="small">
        <br />
        Direct download/view:<br />
        <input type="text" size="28" onClick=select() value="<?php echo $final; ?>" READONLY><p />
        Forum Code download/view:<br /><br />
        <input type="text" size="38" onClick=select() value="<?php echo $final; ?>" READONLY><p />
Delete Link:<br><br>
<input type="text" size="38" onClick=select() value="<?php echo ??? ?>" READONLY><p />
        <a href="index.php">Upload another file?</a>
        </span>    
                <div class="clear"></div></center>
            </div></CENTER>
<br><center><span class="small">&copy; andre1990.</span></center>
<center><a href="http://www.facebook.com/pages/andre1990/186225441417890"><img src="http://www.sitepoint.com/forums/images/facebook.ico"></a></center>
        </div>
        </div>
        <div class="clear"></div>
    </div>
</body>
</html>

If I visit delete.php?file_name=../index.php there's a chance I could delete your index.php file with your script.

$_GET is under the user's control.

If it didn't work, the file may not exist, $_GET['file_name'] may not have what you expect, or the permissions might be wrong.
Did you echo "/var/www/vhosts/uploadvillage.com/httpdocs/Uploads/".$_GET['file_name'] ?
Did you use file_exists()?

Hey,

Thanks, I did think I would need it.

Could you help me out and show me how it's used? I've tried to create a file called delete.php with the unlink in it, but it didn't delete the file that had been uploaded to the server.

Below is what i used.

unlink("/var/www/vhosts/uploadvillage.com/httpdocs/Uploads/".$_GET['file_name']);

You're looking for unlink :wink:

Cranial bore is right – I'd str_replace out ".." so nobody can make the file_name contain "../../../../../../", letting them delete any file PHP has the rights to delete on the server. Likewise I'd probably rip out path slashes too. Sending anything from $_GET to a system command like unlink is usually a really bad idea.

Rather than file_exists, I'd consider pulling a list of valid values using glob and compare against it – since file_exists can pull up files anywhere on the drive if the URL is compromised – where if you glob up a list of valid choices from the one directory it's allowed to target, you'll be in much better shape.

Could also probably use pathinfo to clean it... since that could be used to strip the path clean off the request. Actually, that would be a lot better than using str_replace.


// PATHINFO_BASENAME drops any directory part ("../../") but keeps the
// extension, so the uploaded "photo.jpg" can still be matched on disk.
$replaceName = pathinfo($_GET['file_name'], PATHINFO_BASENAME);
$replacePath = '/var/www/vhosts/uploadvillage.com/httpdocs/Uploads/' . $replaceName;
if (file_exists($replacePath)) {
	unlink($replacePath);
} else {
	/*
		Do not echo out full path! Would reveal server path info
		that could be used to exploit the server
	*/
	// Escape the user-supplied name before echoing it back into HTML.
	echo 'Error! -- Requested file not found<br />', htmlspecialchars($replaceName, ENT_QUOTES, 'UTF-8');
}
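Putting the thread's advice together for the original script's layout (Uploads/<20 hex chars>/<original filename>), here is an added example of a delete.php that never passes a request-supplied path to unlink. It is not code from the thread; it assumes the upload script also wrote a per-upload secret to Uploads/<random>/.delete_token with issue_delete_token() and printed delete.php?id=<random>&token=<secret> as the "Delete Link", with that page posting the two fields back after a confirmation click.

```php
<?php
// Added example, not from the thread. Assumed layout (matches the upload script):
//   Uploads/<20 hex chars>/<original filename>   plus an assumed .delete_token file.
declare(strict_types=1);

const UPLOAD_ROOT = __DIR__ . '/Uploads';

// Called by the upload script right after mkdir(); returns the secret for the link.
function issue_delete_token(string $dir): string
{
    $token = bin2hex(random_bytes(16));
    file_put_contents($dir . '/.delete_token', $token, LOCK_EX);
    return $token;
}

function delete_upload(string $id, string $token): bool
{
    // 1. Allowlist the directory id: exactly 20 hex chars, as substr(md5(...), 0, 20)
    //    produces. No ".", "/" or "\" can get through this pattern.
    if (!preg_match('/\A[0-9a-f]{20}\z/', $id)) {
        return false;
    }
    // 2. Resolve the path and confirm it really sits under UPLOAD_ROOT.
    $root = realpath(UPLOAD_ROOT);
    $dir  = realpath(UPLOAD_ROOT . '/' . $id);
    if ($root === false || $dir === false || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // 3. Check the secret in constant time; an id alone must not be enough.
    $tokenFile = $dir . '/.delete_token';
    if (!is_file($tokenFile) || !hash_equals(trim((string)file_get_contents($tokenFile)), $token)) {
        return false;
    }
    // 4. Delete only names the filesystem itself reports; nothing from the request
    //    names a file. The upload script creates no subdirectories here.
    foreach (scandir($dir) as $entry) {
        if ($entry !== '.' && $entry !== '..') {
            unlink($dir . '/' . $entry);
        }
    }
    return rmdir($dir);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = delete_upload((string)($_POST['id'] ?? ''), (string)($_POST['token'] ?? ''));
    // Same wording for "wrong token" and "no such upload", and no server paths.
    echo $ok ? 'File deleted.' : 'Requested file not found.';
}
```

Deleting on POST rather than on the bare GET link means a crawler or a prefetched URL cannot remove an upload by merely visiting it.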