Geek Answers Handbook

How to avoid UNLINK security risks in PHP?

I am using UNLINK with PHP and AJAX . I know that this way is very dangerous, because everyone can delete any files. But I need to use AJAX because I cannot reload the page when deleting files.

So, how do I do to delete a file only for the user who owns it?

Please let me know other things if you think I'm doing something wrong here or something else that you mean and you think it will be useful :)

My PHP code is:

 <?php $photo_id = $_GET['photo_id']; $thumbnail_id = $_GET['thumbnail_id']; function deletePhotos($id){ return unlink($id); } if(isset($photo_id)){ deletePhotos($photo_id); } if(isset($thumbnail_id)){ deletePhotos($thumbnail_id); } ?>

My AJAX Code:

 function deletePhoto(photo, thumbnail){ var photos = encodeURIComponent(photo); var thumbnails = encodeURIComponent(thumbnail); if (window.XMLHttpRequest) {// code for IE7+, Firefox, Chrome, Opera, Safari xmlhttp=new XMLHttpRequest(); } else {// code for IE6, IE5 xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); } xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4 && xmlhttp.status==200) { document.getElementById("media").innerHTML=xmlhttp.responseText; } } xmlhttp.open("GET", "http://192.168.2.104/images/users/delete_photo.php?photo_id="+photos+"&thumbnail_id="+thumbnails, true); xmlhttp.send(); }
+6
security ajax php delete-file unlink
source share
7 answers

You need to authenticate the user somehow.

Your user must be authenticated with a username and password.

A PHP session can be used to remember, and you should use a database table or text file on the server to store information about the owner of the file.

Then, before undoing anything, your logic should make sure that the current “authenticated” user is the owner of the file.

+7
source share

Limit selection to the catalog with photos. That is, do not allow .. on the way or check the full path after executing realpath (). Otherwise, the user may request delete_photo.php?photo_id=../../../../etc/passwd and break the system.

+2
source share

you can simplify your task by using a very simple database replacement - directory structure. Store user files in the user directory. therefore, you can always check whether a particular user has delete rights. Name the directory after the username, or - much better - the numeric identifier of the user

just something like

 $photo_id = basename($_GET['photo_id'];) $filename = $filebase.$_SESSION['user_id']."/".$photo_id; if (file_exists($filename) unlink ($filename);
+2
source share

In your PHP:

  • Make sure $ _GET ['photo_id'] and $ _GET ['thumbnail_id'] do not contain "../"
  • Also make sure you add the base path to the identifier.

Otherwise, users can delete any file.

As for ownership, you should store information that owns the file somewhere on the server side (for example, MySql-DB). Then you should consult this location before deleting the file.

+1
source share

As Vadim M. said. You need to authenticate your user. You can then use this to compare "Image Owner" with "User who is currently logged in." This will give you all the security you need.

As I said, name the variable so that they sound right. When I see "id" in varayable. I automatically assume as a programmer that this is a numeric variable.

0
source share

had the same problem and circumvented it using PHP ftp_delete function

0
source share

Another suggestion: do not store files on disk, but put them in a database. This allows you to very clearly distinguish your site + scripts and "user data".

(someone once told me that the files were files, and the databases were for data, and they are all different, but as I see the files still contain data. mysql has the ideal LONGBLOB type for inputting anything, and you can store metadata, such as file type and file name, in separate fields in the same data line, which makes things clean and simple)

-one
source share

More articles:


All Articles